[unisog] odd traffic on udp 53

Allison MacFarlan allison.macfarlan at yale.edu
Wed Oct 8 19:09:52 GMT 2003


If the traffic is going to hosts that are not your dns servers, it may
be Delude/Qhost traffic. We've seen at least 137 of them here.



>Hi All,
>	Over the last few days I've spotted three or four systems doing lots of
>traffic on udp port 53.  My first thought was that this was some worm or
>trojan doing DNS lookups to find MX records (like sobig-f).  This turned
>out not to be the case (well, at least NAV failed to find any evidence of
>infection).  All the packets I observed carry bytes of data (NULLs
>in the few packets I captured).  There are also lots of packets being
>sent to 119.0.0.0 on udp 30467, again 8 bytes of data.
>
>Occasionally we see small incoming udp packets to this machine.
>
>My best guess now is that it is some sort of p2p protocol and the users are
>being coy with us because they know that their use is against university
>policy (unless they can convince us that they are not breaching
>anyone's copyright).
>
>Anyone got any ideas?
>
>Below are various relevant bits of data about the system and the
>traffic.
>
>
>Some sample packet traces were:  Times UTC +1300 GPS synchronized
>2003-10-08-13:30:21  udp  130.216.xxx.yy:37174    -> 170.236.51.39:53     TIM
>2003-10-08-13:29:46  udp  130.216.xxx.yy:37174    -> 119.0.0.0:30467       INT
>2003-10-08-13:30:31  udp  130.216.xxx.yy:37174    -> 26.147.127.191:53    TIM
>2003-10-08-13:30:36  udp  130.216.xxx.yy:37174    -> 119.0.0.0:53          TIM
>2003-10-08-13:30:41  udp  130.216.xxx.yy:37174    -> 174.79.56.186:53     TIM
>2003-10-08-13:30:51  udp  130.216.xxx.yy:37174    -> 175.226.118.80:53    TIM
>2003-10-08-13:30:56  udp  130.216.xxx.yy:37174    -> 119.0.0.0:53          TIM
>2003-10-08-13:31:11  udp  130.216.xxx.yy:37174    -> 150.208.16.33:53     TIM
>2003-10-08-13:31:16  udp  130.216.xxx.yy:37174    -> 119.0.0.0:53          TIM
>2003-10-08-13:31:21  udp  130.216.xxx.yy:37174    -> 183.178.146.205:53   TIM
>2003-10-08-13:30:46  udp  130.216.xxx.yy:37174    -> 119.0.0.0:30467       INT
>2003-10-08-13:31:31  udp  130.216.xxx.yy:37174    -> 217.203.167.223:53   TIM
>2003-10-08-13:31:51  udp  130.216.xxx.yy:37174    -> 198.147.87.133:53    TIM
>2003-10-08-13:31:56  udp  130.216.xxx.yy:37174    -> 119.0.0.0:53          TIM
>2003-10-08-13:32:01  udp  130.216.xxx.yy:37174    -> 156.226.67.11:53     TIM
>2003-10-08-13:32:11  udp  130.216.xxx.yy:37174    -> 207.211.79.26:53     TIM
>2003-10-08-13:32:16  udp  130.216.xxx.yy:37174    -> 119.0.0.0:53          TIM
>2003-10-08-13:31:46  udp  130.216.xxx.yy:37174    -> 119.0.0.0:30467       INT
>2003-10-08-13:32:31  udp  130.216.xxx.yy:37174    -> 210.94.235.104:53    TIM
>2003-10-08-13:32:36  udp  130.216.xxx.yy:37174    -> 119.0.0.0:53          TIM
>
>A few packet dumps:
>14:17:34.869960 xxxxx.eng.auckland.ac.nz.37174 > 143.80.176.61.domain:  256 [0q] (8)
>0x0000   4500 0024 2193 0000 7d11 76a0 82d8 xxxx        E..$!...}.v.....
>0x0010   8f50 b03d 9136 0035 0010 c7cc 0100 0000        .P.=.6.5........
>0x0020   0000 0000 0000 0000 0000 0000 0000             ..............
>14:17:39.879960 xxxx.eng.auckland.ac.nz.37174 > 119.0.0.0.30467:  udp 8
>0x0000   4500 0024 219e 0000 7d11 3f23 82d8 xxxx        E..$!...}.?#....
>0x0010   7700 0000 9136 7703 0010 198c 0100 0000        w....6w.........
>0x0020   0000 0000 0000 0000 0000 0000 0000             ..............
>14:17:39.879960 xxxxx.eng.auckland.ac.nz.37174 > 119.0.0.0.domain:  256 [0q] (8)
>0x0000   4500 0024 219f 0000 7d11 3f22 82d8 xxxx        E..$!...}.?"....
>0x0010   7700 0000 9136 0035 0010 905a 0100 0000        w....6.5...Z....
>0x0020   0000 0000 0000 0000 0000 0000 0000             ..............
>14:17:44.879960 xxxxxx.eng.auckland.ac.nz.37174 > 133.240.59.116.domain:  256 [0q] (8)
>0x0000   4500 0024 21a5 0000 7d11 f4b7 82d8 xxxx        E..$!...}.......
>0x0010   85f0 3b74 9136 0035 0010 45f6 0100 0000        ..;t.6.5..E.....
>0x0020   0000 0000 0000 0000 0000 0000 0000             ..............
>
>lastly a udp portscan of the box:
>PORT      STATE SERVICE       VERSION
>53/udp    open  domain?
>135/udp   open  msrpc
>137/udp   open  netbios-ns    Microsoft Windows netbios-ssn (host: D0009064 workgroup: ARTS)
>138/udp   open  netbios-dgm?
>445/udp   open  microsoft-ds?
>500/udp   open  isakmp?
>1027/udp  open  msrpc
>1273/udp  open  unknown
>1274/udp  open  unknown
>1280/udp  open  unknown
>1281/udp  open  unknown
>2967/udp  open  symantec-av?
>37174/udp open  unknown
>
>The TCP port scan returned the expected MS services and nothing else.
>--
>Russell Fulton, Network Security Officer, The University of Auckland,
>New Zealand.


-- 
++++---++++---++++---++++
Allison S. MacFarlan
allison.macfarlan at yale.edu
ITS Information Security Officer, AM&T
Yale University
ph: 203-432-6684
bp: 203-370-0554
http://www.yale.edu/its/security
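The hex dumps quoted above contain everything needed to check Allison's suggestion without waiting for an AV signature: the datagrams go to port 53 on hosts that are not the site's resolvers, and tcpdump's "256 [0q] (8)" means it read ID=0x0100 and QDCOUNT=0 out of an 8-byte payload that is too short to even be a DNS header. The script below is an added example, not code from either poster. It re-parses three of the quoted dumps; the sender's masked low address bytes ("xxxx") are filled with 0000 as a constructed placeholder (so checksums cannot be verified), and the resolver list is hypothetical.

```python
"""Added example: decode the hex dumps quoted in the thread and test whether
the udp/53 traffic is real DNS. Not code from the original post."""
import struct
from ipaddress import ip_address

# Hex dumps copied from the quoted post. The sender's address was masked as
# "82d8 xxxx" there; the low two bytes are filled with 0000 here (constructed
# placeholder, so the IP/UDP checksums cannot be verified).
CAPTURES = {
    "to 143.80.176.61:53": (
        "4500 0024 2193 0000 7d11 76a0 82d8 0000 "
        "8f50 b03d 9136 0035 0010 c7cc 0100 0000 "
        "0000 0000 0000 0000 0000 0000 0000"
    ),
    "to 119.0.0.0:30467": (
        "4500 0024 219e 0000 7d11 3f23 82d8 0000 "
        "7700 0000 9136 7703 0010 198c 0100 0000 "
        "0000 0000 0000 0000 0000 0000 0000"
    ),
    "to 119.0.0.0:53": (
        "4500 0024 219f 0000 7d11 3f22 82d8 0000 "
        "7700 0000 9136 0035 0010 905a 0100 0000 "
        "0000 0000 0000 0000 0000 0000 0000"
    ),
}

# Hypothetical: the site's own recursive resolvers. udp/53 going anywhere
# else is exactly what the reply above says to look at.
OUR_RESOLVERS = {"130.216.1.1", "130.216.1.2"}


def parse_packet(hexdump):
    """Split a raw IPv4/UDP datagram into the fields we need."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    version, ihl = raw[0] >> 4, (raw[0] & 0x0F) * 4
    if version != 4 or raw[9] != 17:
        raise ValueError("not an IPv4/UDP packet")
    total_len = struct.unpack("!H", raw[2:4])[0]
    sport, dport, ulen, _csum = struct.unpack("!HHHH", raw[ihl:ihl + 8])
    return {
        "src": str(ip_address(raw[12:16])),
        "dst": str(ip_address(raw[16:20])),
        "sport": sport,
        "dport": dport,
        "ttl": raw[8],
        # Only the bytes the UDP length covers are payload; the dump also
        # shows the trailer a minimum-size Ethernet frame pads on.
        "payload": raw[ihl + 8:ihl + ulen],
        "trailer_bytes": len(raw) - total_len,
    }


def dns_header(payload):
    """Read whatever part of the 12-byte DNS header is actually present.
    For these packets only ID (0x0100 = 256), FLAGS, QDCOUNT and ANCOUNT
    exist, which is why tcpdump printed '256 [0q]'."""
    fields = ("id", "flags", "qdcount", "ancount", "nscount", "arcount")
    present = min(len(payload) // 2, 6)
    values = struct.unpack("!%dH" % present, payload[:present * 2])
    hdr = dict(zip(fields, values))
    hdr["truncated"] = len(payload) < 12
    hdr["is_response"] = bool(hdr.get("flags", 0) & 0x8000)
    return hdr


def assess(pkt, resolvers=OUR_RESOLVERS):
    """Return the reasons this udp/53 datagram does not look like DNS."""
    reasons = []
    if pkt["dport"] != 53:
        return reasons
    if pkt["dst"] not in resolvers:
        reasons.append("udp/53 to %s, which is not one of our resolvers" % pkt["dst"])
    hdr = dns_header(pkt["payload"])
    if hdr["truncated"]:
        reasons.append("payload is %d bytes; a DNS header alone is 12" % len(pkt["payload"]))
    if not hdr["is_response"] and hdr.get("qdcount", 0) == 0:
        reasons.append("query carries zero questions (QDCOUNT=0)")
    return reasons


def constant_payload(pkts):
    """True when every datagram carries identical bytes, whatever the port:
    a keep-alive or beacon pattern, never what a resolver sees."""
    return len({p["payload"] for p in pkts}) == 1


if __name__ == "__main__":
    pkts = {name: parse_packet(h) for name, h in CAPTURES.items()}
    for name, p in pkts.items():
        print(name, p["payload"].hex(), assess(p) or "looks like DNS")
    print("same payload on 53 and 30467:", constant_payload(list(pkts.values())))
```

The same three checks (destination not in the resolver set, payload shorter than a DNS header, QDCOUNT of zero in a query) translate directly into a flow filter or IDS rule for the rest of the campus, which is how you find the other hosts Allison is counting.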


