[Dshield] udp port 39806?
martin at forest.gen.nz
Wed Nov 16 07:07:43 GMT 2005
To me it sounds like you may have a Skype user in the network.
Do some packet sniffing inside the firewall on that port and you may be
able to trace the traffic back to the user.
On Wed, 16 Nov 2005 14:18:40 +1300, Pete Cap <peteoutside at yahoo.com> wrote:
> Phil <postmaster at moyen.org> wrote: In the past few days, I've started
> receiving a continuing barrage of
> inbound UDP connection requests on port 39806:
> Any idea what's driving this?
> Well, first off, the incoming IPs consistently use the same source
> ports. Since sips are typically random within a given range I'm
> guessing there is some mechanistic process at work.
> Furthermore if you notice the progression of intervals from one hit to
> the next, they go up in pretty even proportions...which suggests that
> the mechanistic phenomenon is being found on one box (e.g. the source
> IPs are all being spoofed). See the CSV I have pasted at the bottom of
> this message.
> Based on this I would suspect that the packets might contain an
> alternate data stream of some kind. I have seen quite a few botnets
> that distribute orders in that manner...Can you post a few pcaps? Maybe
> there is something in there that could tell us what those packets are
If you take copy protection too far, the only customers you will have are
the ones that intend to sell illegal copies of your work. By: Martin Forest
Warning: DRM/BMG protected CD’s are likely to infect you with a Rootkit.
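
An added example, not part of the original thread: one way to check firewall log records for the two patterns described in the quoted message, namely senders that reuse a single source port and gaps between hits that grow in even proportion. The record layout, function names, tolerance value and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records: (epoch seconds, source IP, source port, dest port).
# Addresses come from documentation ranges; none of this data is from the thread.
RECORDS = [
    (1000.0, "192.0.2.10", 4321, 39806),
    (1002.0, "198.51.100.7", 5555, 39806),
    (1006.0, "192.0.2.10", 4321, 39806),
    (1014.0, "203.0.113.9", 6000, 39806),
    (1030.0, "198.51.100.7", 5555, 39806),
    (1062.0, "192.0.2.10", 4321, 39806),
]

def source_ports_by_ip(records, dport):
    """Map each source IP to the list of source ports it used toward dport."""
    ports = defaultdict(list)
    for _, sip, sport, dp in records:
        if dp == dport:
            ports[sip].append(sport)
    return dict(ports)

def interval_ratios(records, dport):
    """Ratios of successive inter-arrival gaps for hits on dport."""
    times = sorted(t for t, _, _, dp in records if dp == dport)
    gaps = [b - a for a, b in zip(times, times[1:])]
    return [g2 / g1 for g1, g2 in zip(gaps, gaps[1:]) if g1 > 0]

def summarize(records, dport, tolerance=0.15):
    ports = source_ports_by_ip(records, dport)
    # A sender seen only once trivially has one port, so require repeat hits.
    fixed = sum(1 for p in ports.values() if len(p) >= 2 and len(set(p)) == 1)
    ratios = interval_ratios(records, dport)
    # A near-constant ratio means the gaps grow geometrically (timer-like).
    steady = len(ratios) >= 2 and pstdev(ratios) <= tolerance * mean(ratios)
    return {
        "sources": len(ports),
        "fixed_sport_sources": fixed,
        "mean_ratio": mean(ratios) if ratios else None,
        "steady_growth": steady,
    }

if __name__ == "__main__":
    print(summarize(RECORDS, 39806))
```

A steady ratio only shows that the timing is regular; identifying the sender still needs the packet capture suggested above.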