unexplained Polycom traffic

Saracini, Bill SaraciniW at health.missouri.edu
Wed Jan 22 16:10:22 GMT 2003


We updated several Polycom FX View Stations used for televideo activities with a new O/S image, and began to observe our devices polling external hosts (not part of our "address book") from port 1719 to port 4224 on the external host.  These are UPD packets, 126 bytes long - usually with no response from external target.  I think 1719 (TCP) is a port in H.323 protocol, but I don't think UPD is - however, since 1719 TCP is involved with Gatekeeper functions, I can't rule UPD out as a supported protocol on that port. 

We saw this same behavior a few months ago, and suspecting a hacked image from the vendor, withdrew O/S updates, rolling back to previous install - problem goes away, and despite attempts to figure this out with the vendor, never gets resolved.  Newer o/s image installed, and problem is back.  Packet capture on the UPD packets is now being analyzed, but first results don't show much of a clue.

Anybody know what this behavior might be?  We are attempting contact with vendor, but I'm uncomfortable watching these devices attempt connections with external hosts, not knowing if this is a configuration problem or a hacked piece of code at work.

Thanks,

Bill

William J. (Bill) Saracini
System Security Analyst
University of Missouri Health Sciences Center
DC017.00
Columbia, MO  65212
573-884-2591
573-884-2650 (fax)





More information about the unisog mailing list