Date: Mon, 11 Oct 1999 09:52:31 +0000
From: bK <bertke@bellsouth.net>
To: "N. N.M" <madrapour@hotmail.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Port 31789 scanning and ...
Message-ID: <3801B35F.4451ED2F@bellsouth.net>
References: <19991010073125.93991.qmail@hotmail.com> <199910102037.OAA11369@mt.sri.com>
By default traceroute uses 33435 as the first packet's port.

    "udp",
    IPPROTO_UDP,
    sizeof(struct udphdr),
    32768 + 666,
    udp_prep,
    udp_check

It is initialized at 33434 but is incremented by one before being sent to make 33435.
Of course someone could use the -p option with traceroute to alter the destination port.
OTOH, straight from: http://www.robertgraham.com/pubs/firewall-seen.html

    31789 Hack-a-tack: UDP traffic on this port is currently being seen due
    to the "Hack-a-tack" RAT (Remote Access Trojan).

Looks like some kiddies might be loose. As always, keep your virus software updated;
it might not hurt to look at the data in the UDP packets and research this trojan more.

Bert
Nate Williams wrote:
> > 1) I have IPFW and by studying its daily logs I found out that somebody
> > scans the port 31789 of all the servers and even clients in my network. What
> > can be potentially found on this port?
>
> If it's a UDP packet, it's probably someone running traceroute.
>
> > 2) There was another log entry in the log files which makes no sense to me.
> > That is as follows:
> >
> > Oct 9 23:21:43 firewall /kernel: ipfw: 147 Deny TCP Y.Y.Y.Y X.X.X.X in via
> > ed1 Fragment = 147
>
> This happens with buggy stacks, and is common. I see it often from my
> Win95 boxes....
>
> Nate
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
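The distinction Bert and Nate draw (UDP to 33435 and up is probably traceroute, UDP to 31789 matches the Hack-a-tack port, and a "Fragment = N" line carries no ports at all) can be applied to ipfw logs mechanically. The following is an added example, not code from the thread or from FreeBSD; the log lines are constructed in the old ipfw syslog style quoted above, and the traceroute port ceiling assumes the default 30 hops and 3 probes per hop.

```python
import re
from collections import Counter

# Constructed sample lines (placeholder addresses), in the format seen in the thread.
SAMPLE_LOG = """\
Oct  9 23:20:01 firewall /kernel: ipfw: 147 Deny UDP 192.0.2.10:40123 198.51.100.5:33435 in via ed1
Oct  9 23:20:02 firewall /kernel: ipfw: 147 Deny UDP 192.0.2.10:40123 198.51.100.5:33436 in via ed1
Oct  9 23:20:03 firewall /kernel: ipfw: 147 Deny UDP 192.0.2.10:40123 198.51.100.5:33437 in via ed1
Oct  9 23:21:10 firewall /kernel: ipfw: 147 Deny UDP 203.0.113.7:31789 198.51.100.5:31789 in via ed1
Oct  9 23:21:11 firewall /kernel: ipfw: 147 Deny UDP 203.0.113.7:31789 198.51.100.9:31789 in via ed1
Oct  9 23:21:43 firewall /kernel: ipfw: 147 Deny TCP 203.0.113.7 198.51.100.5 in via ed1 Fragment = 147
"""

TRACEROUTE_BASE = 32768 + 666               # 33434, from the traceroute source quoted above
TRACEROUTE_MAX = TRACEROUTE_BASE + 30 * 3   # assumption: 30 hops x 3 probes, one port each
HACKATACK_PORT = 31789                      # port cited from Robert Graham's firewall-seen page

# Old ipfw format: "<rule> <action> <proto> <src>[:<sport>] <dst>[:<dport>] in|out via <if>"
# with an optional " Fragment = <n>" suffix on non-first fragments (no ports present).
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)(?: Fragment = (?P<frag>\d+))?"
)

def classify(line):
    """Return (category, src, dst) for one ipfw log line, or None if it does not parse."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst = m.group("src"), m.group("dst")
    if m.group("frag") is not None:
        # No port numbers on a non-first fragment, so it cannot be tied to a service.
        return ("fragment", src, dst)
    if m.group("dport") is None:
        return ("other", src, dst)
    dport = int(m.group("dport"))
    if m.group("proto") == "UDP" and TRACEROUTE_BASE < dport <= TRACEROUTE_MAX:
        return ("likely-traceroute", src, dst)
    if m.group("proto") == "UDP" and dport == HACKATACK_PORT:
        return ("possible-hack-a-tack-scan", src, dst)
    return ("other", src, dst)

def summarize(log_text):
    """Count (source, category) pairs across all parseable lines."""
    counts = Counter()
    for line in log_text.splitlines():
        c = classify(line)
        if c:
            counts[(c[1], c[0])] += 1
    return counts
```

A source that hits many hosts on 31789 but never the traceroute range is the case Bert's reply is warning about; a single source walking 33435, 33436, 33437 on one host is the traceroute pattern Nate describes.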