[Dshield] udp port 39806?

Martin Forest martin at forest.gen.nz
Wed Nov 16 07:07:43 GMT 2005


To me it sounds like you may have a Skype user in the network.
Do some packet sniffing inside the firewall on that port and you may be  
able to trace the traffic back to the user.
/Martin Forest

On Wed, 16 Nov 2005 14:18:40 +1300, Pete Cap <peteoutside at yahoo.com> wrote:

> Phil <postmaster at moyen.org> wrote: In the past few days, I've started  
> receiving a continuing barrage of
> inbound UDP connection requests on port 39806:
> <snip>
> Any idea what's driving this?
>
>    ...phil
>
> Phil,
> Well, first off, the incoming IPs consistently use the same source  
> ports.  Since sips are typically random within a given range I'm  
> guessing there is some mechanistic process at work.
> Furthermore if you notice the progression of intervals from one hit to  
> the next, they go up in pretty even proportions...which suggests that  
> the mechanistic phenomenon is being found on one box (e.g. the source  
> IPs are all being spoofed).  See the CSV I have pasted at the bottom of  
> this message.
> Based on this I would suspect that the packets might contain an  
> alternate data stream of some kind.  I have seen quite a few botnets  
> that distribute orders in that manner...Can you post a few pcaps?  Maybe  
> there is something in there that could tell us what those packets are  
> for.
> Regards,
> Pete
> Timestamp,Time(s),Interval,Proportion
>  15:30:36.50,55836.5,n/a,n/a
>  15:37:36.46,56256.46,419.97,n/a
>  15:45:01.91,56701.91,865.42,2.06
>  15:46:37.86,56797.86,961.37,2.29
>  15:50:48.18,57048.18,1211.68,2.89
>  15:52:43.83,57163.83,1327.34,3.16
>  15:59:21.94,57561.94,1725.45,4.11
>  16:03:01.88,57781.88,1945.38,4.63
>  16:07:25.21,58045.21,2208.71,5.26
>  16:10:38.46,58238.46,2401.97,5.72
>  16:12:45.27,58365.27,2528.78,6.02
>  16:20:52.22,58852.22,3015.73,7.18
>  16:22:40.21,58960.21,3123.71,7.44
>  16:30:39.61,59439.61,3603.11,8.58
>  16:39:01.88,59941.88,4105.38,9.78
>  16:40:31.85,60031.85,4195.35,9.99
>  16:43:31.03,60211.03,4374.54,10.42
>  16:50:52.75,60652.75,4816.26,11.47
>



-- 
If you take copy protection too far, the only customers you will have are  
the ones that intend to sell illegal copies of your work. By: Martin Forest
Warning: DRM/BMG protected CDs are likely to infect you with a Rootkit.
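As an added example (not code from the thread), this Python script applies Pete's two observations to constructed firewall log lines: it counts how many distinct source IPs share one source port toward UDP 39806, and rebuilds his Interval/Proportion columns from the timestamps. The log line format, the 10.0.0.x sources and source port 4444 are assumptions; only the timestamps come from his table.

```python
from collections import defaultdict
from decimal import Decimal, ROUND_HALF_UP
import re

# Constructed sample log (assumed format: "HH:MM:SS.ss UDP src:port > dst:port").
# Timestamps are the first six from Pete's table; IPs and source port 4444 are made up.
SAMPLE_LOG = """\
15:30:36.50 UDP 10.0.0.1:4444 > 192.0.2.10:39806
15:37:36.46 UDP 10.0.0.2:4444 > 192.0.2.10:39806
15:45:01.91 UDP 10.0.0.3:4444 > 192.0.2.10:39806
15:46:37.86 UDP 10.0.0.4:4444 > 192.0.2.10:39806
15:50:48.18 UDP 10.0.0.5:4444 > 192.0.2.10:39806
15:52:43.83 UDP 10.0.0.6:4444 > 192.0.2.10:39806
"""
LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) UDP (\S+):(\d+) > (\S+):(\d+)$")

def parse_log(text):
    """Return (seconds_since_midnight, src_ip, src_port, dst_port) per matching line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines not in the constructed format
        hh, mm, ss, sip, sport, _dip, dport = m.groups()
        secs = int(hh) * 3600 + int(mm) * 60 + Decimal(ss)  # Decimal keeps 2-digit precision exact
        records.append((secs, sip, int(sport), int(dport)))
    return records

def source_port_reuse(records, dst_port):
    """src_port -> number of distinct source IPs using it toward dst_port.
    Many IPs sharing one source port is Pete's first hint of a single (spoofing) sender."""
    ips_by_port = defaultdict(set)
    for _, sip, sport, dport in records:
        if dport == dst_port:
            ips_by_port[sport].add(sip)
    return {port: len(ips) for port, ips in ips_by_port.items()}

def interval_table(records, dst_port):
    """Recreate Pete's columns: Interval = seconds since the first hit,
    Proportion = Interval divided by the first non-zero Interval (None where he wrote n/a)."""
    times = sorted(t for t, _, _, dport in records if dport == dst_port)
    cents, rows, first_gap = Decimal("0.01"), [], None
    for t in times:
        interval = t - times[0]
        if interval == 0:
            rows.append((t, None, None))
        elif first_gap is None:
            first_gap = interval
            rows.append((t, interval, None))
        else:
            rows.append((t, interval, (interval / first_gap).quantize(cents, ROUND_HALF_UP)))
    return rows
```

Run `interval_table(parse_log(SAMPLE_LOG), 39806)` to print the rows; a real log exported from the firewall only needs `LINE_RE` adjusted to its format.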