[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Really ODD 12 byte UDP attempts

To: Full-disclosure <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: [Full-disclosure] Really ODD 12 byte UDP attempts
From: James Lay <jlay@xxxxxxxxxxxxxxxxxxx>
Date: Sun, 28 Aug 2005 21:29:18 -0600

Hey All!

Since there doesn't seem to be much going on I thought I'd ask about
this.  I've searched and either I suck (must likely) or it's something
else.  Here's a snippet of what I see:

Aug 28 06:57:01 kernel: New,invalid SRC=64.94.45.26 DST=24.116.255.102
LEN=32 PROTO=UDP SPT=11050 DPT=33440 LEN=12

This modified netfilter log line is just one of many I see.  The only
thing that all the attempts have in common is that the LEN=12 and that
the DPT=344**.  They usually come in bursts of 6 or 8.

The reason I'm posting this now is because there have been a BOATLOAD
of these in August...but not much in other months..as follows:

April:  317
May:    176
June:   352
July:   292
August: 1207

To save time and space I have 2 files on a site:

To view all source IP's:
http://www.slave-tothe-box.net/udpsource.txt

To view raw(edited) log:
http://www.slave-tothe-box.net/udpedit.txt

I looked up the ports on isc.sans.org but found nothing.  Anything out
there going on that I should know about?  Thanks all!

James
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Really ODD 12 byte UDP attempts
  - From: Blue Boar

Prev by Date: [Full-disclosure] [HV-FUN] Interactve MS Vulnerabilities maps
Next by Date: [Full-disclosure] Xcon2005 papers released
Previous by thread: [Full-disclosure] [HV-FUN] Interactve MS Vulnerabilities maps
Next by thread: Re: [Full-disclosure] Really ODD 12 byte UDP attempts
Index(es):
- Date
- Thread