[unisog] odd udp traffic

Russell Fulton r.fulton at auckland.ac.nz
Fri Jun 4 07:34:01 GMT 2004


Hi All,
	There is one machine on our network that keeps triggering some of my
monitoring alarms.  The machine runs windows 2000.

Here is an example of the observed traffic:

    Start_Time       Type     SrcAddr      Sport  Dir       DstAddr    Dport  SrcPkt   Dstpkt    SrcBytes     DstBytes   State
04 Jun 04 10:59:08    udp   130.216.xxx.yyy.15859 <->     65.223.84.154.2092  1        1         128          63          ACC
04 Jun 04 10:59:38    udp   130.216.xxx.yyy.15859 <->     66.235.181.59.10384 1        1         88           59          ACC
04 Jun 04 11:00:07    udp   130.216.xxx.yyy.15859 <->   158.143.116.118.3511  1        1         128          77          ACC
04 Jun 04 11:00:38    udp   130.216.xxx.yyy.15859 <->    128.104.180.87.48867 2        2         256          153         CON
04 Jun 04 11:01:08    udp   130.216.xxx.yyy.15859 <->     212.202.2.130.16928 2        2         276          154         CON
04 Jun 04 11:01:25    udp   130.216.xxx.yyy.15859 <->     24.98.117.171.34731 1        1         149          76          ACC
04 Jun 04 11:01:38    udp   130.216.xxx.yyy.15859 <->      64.246.49.61.10200 1        1         135          63          ACC
04 Jun 04 11:02:08    udp   130.216.xxx.yyy.15859 <->     65.223.84.154.2092  1        1         128          63          ACC
04 Jun 04 11:03:08    udp   130.216.xxx.yyy.15859 <->   158.143.116.118.3511  1        1         128          77          ACC
04 Jun 04 11:04:38    udp   130.216.xxx.yyy.15859 <->     24.98.117.171.34731 1        1         129          76          ACC
04 Jun 04 11:05:08    udp   130.216.xxx.yyy.15859 <->     212.202.2.130.16928 1        1         128          77          ACC
04 Jun 04 11:05:38    udp   130.216.xxx.yyy.15859 <->    128.104.180.87.48867 1        1         128          77          ACC
04 Jun 04 11:06:08    udp   130.216.xxx.yyy.15859 <->     69.240.40.251.48179 1        1         99           59          ACC
04 Jun 04 11:06:08    udp   130.216.xxx.yyy.15859 <->      64.246.49.61.10200 1        1         135          63          ACC
04 Jun 04 11:06:38    udp   130.216.xxx.yyy.15859 <->   158.143.116.118.3511  1        1         128          77          ACC
04 Jun 04 11:06:56    udp   130.216.xxx.yyy.15859 <->     143.89.46.207.45107 1        1         69           449         ACC
04 Jun 04 11:06:56    udp   130.216.xxx.yyy.15859 <->      65.34.133.49.38216 1        1         69           456         ACC
04 Jun 04 11:06:57    udp   130.216.xxx.yyy.15859 <->    24.131.138.151.35872 5        5         300          340         CON
04 Jun 04 11:06:57    udp   130.216.xxx.yyy.15859 <->   131.231.222.179.59818 5        5         300          340         CON
04 Jun 04 11:06:57    udp   130.216.xxx.yyy.15859 <->      82.35.20.102.10660 1        1         60           68          ACC
04 Jun 04 11:06:57    udp   130.216.xxx.yyy.15859 <->    144.131.35.175.40162 1        1         60           68          ACC
04 Jun 04 11:06:57    udp   130.216.xxx.yyy.15859 <->   129.241.175.237.39449 2        2         523          511         CON
04 Jun 04 11:06:59    udp   130.216.xxx.yyy.15859 <->    202.156.64.213.44788 1        1         84           458         ACC
04 Jun 04 11:06:59    udp   130.216.xxx.yyy.15859 <->       195.7.78.99.40750 1        1         84           458         ACC
04 Jun 04 11:07:08    udp   130.216.xxx.yyy.15859 <->     65.223.84.154.2092  1        1         128          63          ACC

over a period of an hour the machine swapped packets with around 40
different IPs.  The *src* port number is always the same and the dest
varies but always seems to be above 1024.  Traffic is a constant trickle
with no big flows being observed.

I have not had a look at the system myself, but the system admin
responsible for the system has been through it carefully (it's his
personal desktop ;) and can't find anything amiss.

I did capture some packets at one stage but the contents were not in
ascii so I gave up on that angle.  If anyone would like a sample I'll
get some next week as the machine is now turned off and will in all
likelihood stay off over the weekend.

Anyone have any ideas about what this is?

It looks like some sort of P2P system, or possibly spyware, but neither
show up on the system using the usual tools.  NAV says the system is
clean...

Cheers, Russell
-- 
Russell Fulton, Computer and Network Security Officer.
The University of Auckland, New Zealand.
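As an added example (not part of Russell's post or the unisog archive), a small Python detector that reads flow records in the layout shown above and flags a source socket that talks to many distinct peers, only on ports above 1024, with just a handful of packets each way; the sample records and the thresholds are constructed assumptions for illustration.

```python
"""Flag UDP sockets that fan out from one fixed source port to many peers on
high ports with tiny, balanced packet counts (the pattern in the flow listing
above). Column layout follows the argus-style listing in the post."""
from collections import defaultdict

# Constructed sample flows in the same layout as the post's listing.
# The last record is a normal one-off DNS query from a different host.
SAMPLE_FLOWS = """\
04 Jun 04 10:59:08    udp   130.216.xxx.yyy.15859 <->     65.223.84.154.2092  1        1         128          63          ACC
04 Jun 04 10:59:38    udp   130.216.xxx.yyy.15859 <->     66.235.181.59.10384 1        1         88           59          ACC
04 Jun 04 11:00:38    udp   130.216.xxx.yyy.15859 <->    128.104.180.87.48867 2        2         256          153         CON
04 Jun 04 11:06:57    udp   130.216.xxx.yyy.15859 <->    24.131.138.151.35872 5        5         300          340         CON
04 Jun 04 11:02:00    udp   130.216.xxx.zzz.1024  <->     10.0.0.53.53        1        1         70           120         ACC
"""

def parse_flow(line):
    """Split one flow record into a dict; returns None for header/blank lines."""
    f = line.split()
    if len(f) < 13 or f[4] not in ("udp", "tcp"):
        return None
    src_ip, src_port = f[5].rsplit(".", 1)   # "a.b.c.d.port" -> host, port
    dst_ip, dst_port = f[7].rsplit(".", 1)
    return {"proto": f[4], "src": src_ip, "sport": int(src_port),
            "dst": dst_ip, "dport": int(dst_port),
            "spkt": int(f[8]), "dpkt": int(f[9]), "state": f[12]}

def fanout_suspects(text, min_peers=3, max_pkts=5):
    """Group UDP flows by (src host, src port); report sockets that reach at
    least min_peers distinct hosts, only on ports > 1024, with no more than
    max_pkts packets in either direction per flow (a constructed threshold)."""
    peers = defaultdict(set)
    flows = defaultdict(list)
    for line in text.splitlines():
        rec = parse_flow(line)
        if rec and rec["proto"] == "udp":
            key = (rec["src"], rec["sport"])
            peers[key].add(rec["dst"])
            flows[key].append(rec)
    suspects = {}
    for key, hosts in peers.items():
        recs = flows[key]
        if (len(hosts) >= min_peers
                and all(r["dport"] > 1024 for r in recs)
                and all(max(r["spkt"], r["dpkt"]) <= max_pkts for r in recs)):
            suspects[key] = sorted(hosts)
    return suspects

if __name__ == "__main__":
    for (ip, port), hosts in fanout_suspects(SAMPLE_FLOWS).items():
        print(f"{ip}:{port}/udp reached {len(hosts)} peers on high ports: {hosts}")
```

Tune `min_peers` to the hour-long window the post describes (around 40 peers) before applying it to a real flow archive.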
