SoBig.F "update servers"

Phil Benchoff benchoff at vt.edu
Fri Aug 22 23:21:20 GMT 2003


We did observe a relatively small number of hosts on campus attempting
traffic to udp/8998 on the list of SoBig.F "update servers" posted here
earlier.  While looking at other traffic to the update servers, we found
something interesting:

0822.17:59:19.989 0822.17:59:19.989 10    68.38.159.161   45970 1     <some host>     27015 17  0  1          37
0822.17:59:23.729 0822.17:59:23.729 10    24.206.75.137   13732 1     <some host>     27015 17  0  1          37
0822.17:59:25.573 0822.17:59:25.573 10    68.50.208.96    9170  1     <some host>     27015 17  0  1          37
0822.17:59:27.405 0822.17:59:27.405 10    65.93.81.59     11007 1     <some host>     27015 17  0  1          37
0822.17:59:31.065 0822.17:59:31.065 10    218.147.164.29  40427 1     <some host>     27015 17  0  1          37
0822.17:59:36.645 0822.17:59:36.645 10    12.158.102.205  32249 1     <some host>     27015 17  0  1          37
0822.17:59:38.469 0822.17:59:38.469 10    68.38.159.161   37991 1     <some host>     27015 17  0  1          37
0822.18:00:04.269 0822.18:00:04.269 1     <some host>     27015 0     65.93.81.59     37089 17  0  1          1039
0822.18:00:17.229 0822.18:00:17.229 1     <some host>     27015 0     65.92.186.145   26998 17  0  1          1039
0822.18:00:19.049 0822.18:00:19.049 1     <some host>     27015 0     24.206.75.137   10203 17  0  1          1039
0822.18:00:23.049 0822.18:00:23.049 1     <some host>     27015 0     65.93.81.59     44976 17  0  1          1039
0822.18:00:24.889 0822.18:00:24.889 1     <some host>     27015 0     24.210.182.156  26891 17  0  1          1039
0822.18:00:45.246 0822.18:00:45.246 1     <some host>     27015 0     218.147.164.29  17684 17  0  1          1039
0822.18:00:17.210 0822.18:00:17.210 10    65.92.186.145   26998 1     <some host>     27015 17  0  1          37
0822.18:00:19.034 0822.18:00:19.034 10    24.206.75.137   10203 1     <some host>     27015 17  0  1          37
0822.18:00:47.066 0822.18:00:47.066 1     <some host>     27015 0     66.131.207.81   59796 17  0  1          1039
0822.18:00:23.034 0822.18:00:23.034 10    65.93.81.59     44976 1     <some host>     27015 17  0  1          37
0822.18:00:24.870 0822.18:00:24.870 10    24.210.182.156  26891 1     <some host>     27015 17  0  1          37
0822.18:00:59.986 0822.18:00:59.986 1     <some host>     27015 0     65.93.81.59     597   17  0  1          1039
0822.18:00:45.238 0822.18:00:45.238 10    218.147.164.29  17684 1     <some host>     27015 17  0  1          37
0822.18:01:14.786 0822.18:01:14.786 1     <some host>     27015 0     24.206.75.137   45537 17  0  1          1039
0822.18:00:47.066 0822.18:00:47.066 10    66.131.207.81   59796 1     <some host>     27015 17  0  1          37

udp/27015 appears to be the default port for some online games,
e.g. Halflife.  The traffic would tend to indicate that the
server is on our network and the remote hosts are clients.
It doesn't seem all that likely that this is random.  We have
the local host isolated from the network, but I don't know
when or how much access we'll get to it.

I'd guess that either the host on our network is some
kind of control server, or that some vulnerability in
the games is what led to the compromise of the remote
hosts.

Anyone else see anything like this?

Phil
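The pattern Phil describes (small inbound packets to udp/27015 from many remote addresses, larger packets back out from the same local port) is the kind of thing that is easy to pull out of flow records automatically. The script below is an added illustration, not code from the original post or from the unisog list. It assumes a column layout for the records (start, end, in-interface, source, source port, out-interface, destination, destination port, protocol, flags, packets, bytes) inferred from the listing above, which is an assumption about the tool that produced it; the sample records are constructed in that shape, with 10.0.0.5 standing in for "<some host>".

```python
"""Summarise flow records to tell whether a local host is acting as a
UDP/27015 server: many distinct remote peers, small queries in, larger
replies out.  Added illustration; the field layout is an assumption
based on the listing in the post, not documentation of the flow tool."""
from collections import defaultdict

# Constructed sample records in the same shape as the post's listing.
# 10.0.0.5 is a stand-in for the local "<some host>".
SAMPLE = """\
0822.17:59:19.989 0822.17:59:19.989 10 68.38.159.161 45970 1 10.0.0.5 27015 17 0 1 37
0822.17:59:23.729 0822.17:59:23.729 10 24.206.75.137 13732 1 10.0.0.5 27015 17 0 1 37
0822.18:00:04.269 0822.18:00:04.269 1 10.0.0.5 27015 0 65.93.81.59 37089 17 0 1 1039
0822.18:00:17.229 0822.18:00:17.229 1 10.0.0.5 27015 0 65.92.186.145 26998 17 0 1 1039
0822.18:00:17.210 0822.18:00:17.210 10 65.92.186.145 26998 1 10.0.0.5 27015 17 0 1 37
0822.18:00:47.066 0822.18:00:47.066 1 10.0.0.5 27015 0 66.131.207.81 59796 17 0 1 1039
"""

LOCAL_PREFIX = "10.0.0."   # assumption: which addresses count as "ours"
GAME_PORT = 27015          # the port observed in the post
UDP = 17

def parse_flow(line):
    """Split one record into a dict.  Field positions are an assumption:
    start, end, in_if, src, sport, out_if, dst, dport, proto, flags, pkts, bytes."""
    f = line.split()
    if len(f) != 12:
        raise ValueError("unexpected field count: %r" % line)
    return {
        "start": f[0], "end": f[1],
        "src": f[3], "sport": int(f[4]),
        "dst": f[6], "dport": int(f[7]),
        "proto": int(f[8]), "pkts": int(f[10]), "bytes": int(f[11]),
    }

def summarise_server_port(text, port=GAME_PORT, local_prefix=LOCAL_PREFIX):
    """Return {local_host: {"clients": set, "in_bytes": n, "out_bytes": n}}
    for local hosts that both receive on `port` and answer from it."""
    stats = defaultdict(lambda: {"clients": set(), "in_bytes": 0, "out_bytes": 0})
    for line in text.splitlines():
        if not line.strip():
            continue
        r = parse_flow(line)
        if r["proto"] != UDP:
            continue
        if r["dport"] == port and r["dst"].startswith(local_prefix):
            # inbound query from a remote peer to our host's server port
            s = stats[r["dst"]]
            s["clients"].add(r["src"])
            s["in_bytes"] += r["bytes"]
        elif r["sport"] == port and r["src"].startswith(local_prefix):
            # reply from our host's server port back to a remote peer
            s = stats[r["src"]]
            s["clients"].add(r["dst"])
            s["out_bytes"] += r["bytes"]
    # keep only hosts seen in both directions: that is the server pattern
    return {h: s for h, s in stats.items() if s["in_bytes"] and s["out_bytes"]}

def looks_like_server(summary, min_clients=3):
    """Local hosts with enough distinct remote peers to be worth a look."""
    return sorted(h for h, s in summary.items() if len(s["clients"]) >= min_clients)

if __name__ == "__main__":
    summary = summarise_server_port(SAMPLE)
    for host, s in summary.items():
        print(host, len(s["clients"]), "clients,",
              s["in_bytes"], "bytes in,", s["out_bytes"], "bytes out")
    print("candidates:", looks_like_server(summary))
```

Requiring traffic in both directions is what separates a host that is serving the port from one that is merely being scanned for it; the distinct-peer threshold is a tunable starting point, and on a real campus the output is a list of hosts to examine, not a verdict.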
