[Dshield] udp port 39806?

Pete Cap peteoutside at yahoo.com
Wed Nov 16 01:18:40 GMT 2005


Phil <postmaster at moyen.org> wrote: In the past few days, I've started receiving a continuing barrage of
inbound UDP connection requests on port 39806:
<snip>
Any idea what's driving this?

   ...phil

Phil,
 
Well, first off, the incoming IPs consistently use the same source ports.  Since sips are typically random within a given range I'm guessing there is some mechanistic process at work.

Furthermore if you notice the progression of intervals from one hit to the next, they go up in pretty even proportions...which suggests that the mechanistic phenomenon is being found on one box (e.g. the source IPs are all being spoofed).  See the CSV I have pasted at the bottom of this message.

Based on this I would suspect that the packets might contain an alternate data stream of some kind.  I have seen quite a few botnets that distribute orders in that manner...Can you post a few pcaps?  Maybe there is something in there that could tell us what those packets are for.

Regards,

Pete


Timestamp,Time(s),Interval,Proportion
15:30:36.50,55836.5,n/a,n/a
15:37:36.46,56256.46,419.97,n/a
15:45:01.91,56701.91,865.42,2.06
15:46:37.86,56797.86,961.37,2.29
15:50:48.18,57048.18,1211.68,2.89
15:52:43.83,57163.83,1327.34,3.16
15:59:21.94,57561.94,1725.45,4.11
16:03:01.88,57781.88,1945.38,4.63
16:07:25.21,58045.21,2208.71,5.26
16:10:38.46,58238.46,2401.97,5.72
16:12:45.27,58365.27,2528.78,6.02
16:20:52.22,58852.22,3015.73,7.18
16:22:40.21,58960.21,3123.71,7.44
16:30:39.61,59439.61,3603.11,8.58
16:39:01.88,59941.88,4105.38,9.78
16:40:31.85,60031.85,4195.35,9.99
16:43:31.03,60211.03,4374.54,10.42
16:50:52.75,60652.75,4816.26,11.47
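
As an added illustration of the two checks Pete describes above (this script is not part of the original post), the code below recomputes the Time(s), Interval and Proportion columns of his CSV from firewall-style log lines and tests whether every hit reuses one source port. The timestamps are taken from the CSV; the source IPs, ports and log format are constructed placeholders.

```python
"""Recompute Pete's interval/proportion table and the constant-source-port check."""
from datetime import datetime

# Constructed sample log: timestamps from the CSV in the reply; the IPs (RFC 5737
# documentation ranges) and the source port are invented placeholders.
SAMPLE_LOG = """\
15:30:36.50 198.51.100.7 src_port=1045 dst_port=39806 proto=udp
15:37:36.46 203.0.113.21 src_port=1045 dst_port=39806 proto=udp
15:45:01.91 192.0.2.99 src_port=1045 dst_port=39806 proto=udp
15:46:37.86 198.51.100.130 src_port=1045 dst_port=39806 proto=udp
"""


def seconds_of_day(ts: str) -> float:
    """'HH:MM:SS.ff' -> seconds since midnight (the CSV's Time(s) column)."""
    t = datetime.strptime(ts, "%H:%M:%S.%f")
    return t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6


def parse(log: str) -> list:
    """One tuple (time_s, src_ip, src_port, dst_port) per non-empty log line."""
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, ip, sport, dport, _proto = line.split()
        rows.append((seconds_of_day(ts), ip,
                     int(sport.split("=")[1]), int(dport.split("=")[1])))
    return rows


def analyse(log: str) -> list:
    """Interval = seconds since the first hit; Proportion = interval / first interval."""
    rows = parse(log)
    t0 = rows[0][0]
    first_gap = rows[1][0] - t0
    table = []
    for i, (t, ip, sport, _dport) in enumerate(rows):
        interval = round(t - t0, 2) if i > 0 else None   # 'n/a' on the first row
        proportion = round(interval / first_gap, 2) if i > 1 else None
        table.append({"time_s": round(t, 2), "interval": interval,
                      "proportion": proportion, "src_ip": ip, "src_port": sport})
    return table


def same_source_port(log: str) -> bool:
    """True when distinct source IPs all reuse a single source port."""
    rows = parse(log)
    return len({r[2] for r in rows}) == 1 and len({r[1] for r in rows}) > 1
```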
 



