Someone is scanning your network for the "Deep Throat" trojan. Likely some script
kiddies combing networks, praying that they find some unsuspecting host to "hack", if
you really want to call it that. Expect it to continue for several weeks until they
download a new trojan and scan you for that one too. >;)
Tim
-----Original Message-----
From: H D Moore [mailto:[EMAIL PROTECTED]]
Sent: Saturday, October 16, 1999 10:51 PM
To: [EMAIL PROTECTED]
Subject: UDP Port 2140 Probes
Has anyone else seen anything like this? This has been happening for
well over two weeks and I was wondering if it was a targeted attack or a
general scan. All packets have originated from the same city's dialup
pool with the same src/dst ports and the same 5 minute span that the
scan takes (20:24 -> 20:29, 17:27 -> 17:32), with the last trace showing
two distinct 5-minute scans from 11:45 -> 11:50 and 11:56 -> 13:01.
What service could this person be looking for?
What tool uses source port 60000 and 5-minute timings?
If this is a plain UDP service scan, why are there 2 bytes of data in the
packet? (vs NULL)
10-14-99
20:24:36.271610 1Cust191.tnt3.fort-collins.co.da.uu.net.60000 >
A.B.C.D.2140: udp 2
20:25:19.174056 1Cust191.tnt3.fort-collins.co.da.uu.net.60000 >
A.B.C.D.2140: udp 2
20:26:43.613437 1Cust191.tnt3.fort-collins.co.da.uu.net.60000 >
A.B.C.D.2140: udp 2
20:29:48.675551 1Cust191.tnt3.fort-collins.co.da.uu.net.60000 >
A.B.C.D.2140: udp 2
10-15-99
17:27:50.478372 1Cust50.tnt1.fort-collins.co.da.uu.net.60000 >
A.B.C.D.2140: udp 2
17:28:28.002028 1Cust50.tnt1.fort-collins.co.da.uu.net.60000 >
A.B.C.D.2140: udp 2
17:29:43.177907 1Cust50.tnt1.fort-collins.co.da.uu.net.60000 >
A.B.C.D.2140: udp 2
17:32:34.344329 1Cust50.tnt1.fort-collins.co.da.uu.net.60000 >
A.B.C.D.2140: udp 2
10-16-99
11:45:33.947604 1Cust115.tnt2.fort-collins.co.da.uu.net.60000 >
A.B.C.D.2140: udp 2
11:46:17.672068 1Cust115.tnt2.fort-collins.co.da.uu.net.60000 >
A.B.C.D.2140: udp 2
11:47:34.026818 1Cust115.tnt2.fort-collins.co.da.uu.net.60000 >
A.B.C.D.2140: udp 2
11:50:29.919071 1Cust115.tnt2.fort-collins.co.da.uu.net.60000 >
A.B.C.D.2140: udp 2
[ second scan starts 66 minutes later ]
12:56:42.495112 1Cust24.tnt1.fort-collins.co.da.uu.net.60000 >
A.B.C.D.2140: udp 2
12:57:21.729927 1Cust24.tnt1.fort-collins.co.da.uu.net.60000 >
A.B.C.D.2140: udp 2
12:58:43.957727 1Cust24.tnt1.fort-collins.co.da.uu.net.60000 >
A.B.C.D.2140: udp 2
13:01:44.791308 1Cust24.tnt1.fort-collins.co.da.uu.net.60000 >
A.B.C.D.2140: udp 2
-HD Moore-
http://nlog.ings.com (Like Nmap? Try Nlog!)
http://www.secureaustin.com (Its Coming...)
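An added example (editor's code, not from either poster): a short Python script that parses the wrapped tcpdump records quoted above (the first and last record of each run, copied from the post), groups them into per-source bursts, and reports each burst's span, the gap since the previous burst, and whether it matches the pattern the thread describes (one fixed source port, destination UDP 2140, a 2-byte payload). The 10-minute burst gap, the constructed `BENIGN` DNS record and the host name `ns.example.net` are assumptions, not from the post.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta

# First and last record of each run, copied from the post (A.B.C.D is the
# poster's redacted address); the post wrapped each record after " >".
TRACE = """\
10-14-99
20:24:36.271610 1Cust191.tnt3.fort-collins.co.da.uu.net.60000 >
A.B.C.D.2140: udp 2
20:29:48.675551 1Cust191.tnt3.fort-collins.co.da.uu.net.60000 >
A.B.C.D.2140: udp 2
10-15-99
17:27:50.478372 1Cust50.tnt1.fort-collins.co.da.uu.net.60000 >
A.B.C.D.2140: udp 2
17:32:34.344329 1Cust50.tnt1.fort-collins.co.da.uu.net.60000 >
A.B.C.D.2140: udp 2
10-16-99
11:45:33.947604 1Cust115.tnt2.fort-collins.co.da.uu.net.60000 >
A.B.C.D.2140: udp 2
11:50:29.919071 1Cust115.tnt2.fort-collins.co.da.uu.net.60000 >
A.B.C.D.2140: udp 2
[ second scan starts 66 minutes later ]
12:56:42.495112 1Cust24.tnt1.fort-collins.co.da.uu.net.60000 >
A.B.C.D.2140: udp 2
13:01:44.791308 1Cust24.tnt1.fort-collins.co.da.uu.net.60000 >
A.B.C.D.2140: udp 2
"""
# Constructed, not from the post: one ordinary DNS reply, to show the rule stays quiet.
BENIGN = """\
10-16-99
12:00:00.000000 ns.example.net.53 >
A.B.C.D.1025: udp 80
"""

DATE_RE = re.compile(r"^\d{2}-\d{2}-\d{2}$")
PKT_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) (?P<src>.+?)\.(?P<sport>\d+) > "
                    r"(?P<dst>.+?)\.(?P<dport>\d+): udp (?P<plen>\d+)$")
Probe = namedtuple("Probe", "when src sport dst dport payload_len")


def parse_trace(text):
    """Rejoin the wrapped records and stamp each with the date header above it."""
    probes, day, pending = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):      # blank line or the poster's comment
            continue
        if DATE_RE.match(line):
            day = line
            continue
        if pending:                               # second half of a wrapped record
            line, pending = f"{pending} {line}", ""
        if line.endswith(">"):                    # first half; wait for the rest
            pending = line
            continue
        m = PKT_RE.match(line)
        if m is None or day is None:
            raise ValueError(f"unparsed trace line: {line!r}")
        when = datetime.strptime(f"{day} {m['ts']}", "%m-%d-%y %H:%M:%S.%f")
        probes.append(Probe(when, m["src"], int(m["sport"]), m["dst"],
                            int(m["dport"]), int(m["plen"])))
    return sorted(probes, key=lambda p: p.when)

def group_bursts(probes, max_gap=timedelta(minutes=10)):
    """A burst is a run of probes from one source host with no gap over max_gap (assumed)."""
    bursts = []
    for p in probes:
        last = bursts[-1][-1] if bursts else None
        if last and last.src == p.src and p.when - last.when <= max_gap:
            bursts[-1].append(p)
        else:
            bursts.append([p])
    return bursts

def is_udp2140_sweep(burst):
    """The signature the thread describes: repeated tiny UDP packets to port 2140
    from a single fixed source port."""
    return (len(burst) >= 2 and all(p.dport == 2140 for p in burst)
            and len({p.sport for p in burst}) == 1
            and all(p.payload_len <= 2 for p in burst))

def report(text):
    """One row per burst: source, packet count, span, gap since the previous
    burst, and whether it matches the sweep signature."""
    rows, prev_end = [], None
    for b in group_bursts(parse_trace(text)):
        rows.append({"src": b[0].src, "packets": len(b),
                     "span_s": round((b[-1].when - b[0].when).total_seconds(), 1),
                     "gap_s": None if prev_end is None
                              else round((b[0].when - prev_end).total_seconds(), 1),
                     "sweep": is_udp2140_sweep(b)})
        prev_end = b[-1].when
    return rows

if __name__ == "__main__":
    for row in report(TRACE):
        print(row)
```

Run as-is it prints four rows, each spanning roughly five minutes, with the fourth starting about 66 minutes after the third; the same grouping works on a full tcpdump capture once the records are fed through `parse_trace`, and the burst summary is what you would actually log or alert on rather than the individual packets.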
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]