[Dshield] udp port 39806?
postmaster at moyen.org
Wed Nov 16 22:52:09 GMT 2005
Well, I can pretty much guarantee there's no Skype running here (home
The report I posted was what was dropped by my firewall (Sonicwall SOHO
TZW), so I don't have any captures to see what was in the packets. I'd
have to pass them through and capture them; sounds like a project for
Martin Forest wrote:
> To me it sounds like you may have a Skype user in the network.
> Do some packet sniffing inside the firewall on that port and you may be
> able to trace the traffic back to the user.
> /Martin Forest
> On Wed, 16 Nov 2005 14:18:40 +1300, Pete Cap <peteoutside at yahoo.com> wrote:
>>Phil <postmaster at moyen.org> wrote:
>>In the past few days, I've started receiving a continuing barrage of
>>inbound UDP connection requests on port 39806:
>>Any idea what's driving this?
>>Well, first off, the incoming IPs consistently use the same source
>>ports. Since sips are typically random within a given range I'm
>>guessing there is some mechanistic process at work.
>>Furthermore if you notice the progression of intervals from one hit to
>>the next, they go up in pretty even proportions...which suggests that
>>the mechanistic phenomenon is being found on one box (e.g. the source
>>IPs are all being spoofed). See the CSV I have pasted at the bottom of
>>Based on this I would suspect that the packets might contain an
>>alternate data stream of some kind. I have seen quite a few botnets
>>that distribute orders in that manner...Can you post a few pcaps? Maybe
>>there is something in there that could tell us what those packets are
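
Added example, not part of the thread: a short Python script that measures the two observations discussed above in a firewall drop log, namely whether each source IP keeps reusing one source port and whether the gaps between its hits grow by a roughly constant factor. The CSV pasted in the original message is not on this page, so the column names, sample rows (documentation address ranges) and the 25% tolerance are constructed assumptions; the script only reports the pattern and does not decide whether the sources are spoofed.

```python
import csv
import io
import statistics
from collections import defaultdict

# Constructed sample of firewall drop records (NOT the CSV from the thread).
# Columns are assumed: epoch seconds, source IP, source port, destination port.
SAMPLE = """\
time,src_ip,src_port,dst_port
1000,192.0.2.10,4672,39806
1001,203.0.113.5,51234,39806
1002,198.51.100.7,16881,39806
1004,192.0.2.10,4672,39806
1010,198.51.100.7,16881,39806
1012,192.0.2.10,4672,39806
1015,203.0.113.5,40211,39806
1019,203.0.113.5,33907,39806
1026,198.51.100.7,16881,39806
1028,192.0.2.10,4672,39806
1050,203.0.113.5,60122,39806
1058,198.51.100.7,16881,39806
1060,192.0.2.10,4672,39806
"""

def load(text):
    """Group (time, source port) pairs by source IP."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        hits[row["src_ip"]].append((int(row["time"]), int(row["src_port"])))
    return hits

def profile(events, tolerance=0.25):
    """Measure source-port reuse and how evenly the gaps between hits grow."""
    events = sorted(events)
    times = [t for t, _ in events]
    gaps = [b - a for a, b in zip(times, times[1:])]
    ratios = [b / a for a, b in zip(gaps, gaps[1:]) if a > 0]
    steady = False
    if len(ratios) >= 2:  # need at least three gaps to call it a progression
        mean = statistics.mean(ratios)
        steady = mean > 1 and all(abs(r - mean) <= tolerance * mean for r in ratios)
    return {"fixed_port": len(events) > 1 and len({p for _, p in events}) == 1,
            "gaps": gaps, "steady_growth": steady}

def summarize(text):
    return {ip: profile(events) for ip, events in load(text).items()}

if __name__ == "__main__":
    for ip, result in summarize(SAMPLE).items():
        print(ip, result)
```
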