Security Incidents: Re: UDP Probes (?) from port 28432 to 28431 ?

Re: UDP Probes (?) from port 28432 to 28431 ?

From: Xander Jansen <Xander.Jansen_at_SURFNET.NL>
Date: Thu, 9 Mar 2000 14:07:29 +0100

Hi Klaus,

In your message of Tue, 7 Mar 2000 17:17:36 +0100 you wrote:

+ > Has anyone seen UDP subnet-sweeps to port 28431 ? We've received a few
+ > reports the last months about rather persistent and recurring subnet-scans
+ > targeted at this specific port. All the probes are short UDP packets with
+ > source port 28432 and destination port 28431. Typical pattern is also that
+ > within a few seconds a complete subnet (/24 for example) is probed on this
+ > port (and this port only). (I'm sorry to say that we don't have any info
+ > on the contents of these packets yet).
+ >
+ > I was wondering if anyone knows about either a valid or malicious
+ > application using these ports (I couldn't find any reference in the usual
+ > portlists) ?
+
+ The pattern reminds me of the HACK'A'TACK scans (UDP 33790 -> 33789)
+ Perhaps somebody has changed the configs ?

The Hack'a'Tack similarity is striking indeed. Yesterday I combined various
logs dating back to June 1999 and from different sources (many thanks to
Rene Pfeiffer!) and concentrated on the Hack'a'tack ports (31790/31789)
and the two 'new' ones. Basically these are the (somewhat biased) results:

The over 19000 log entries contained probes from 1887 different sources.
Targets in this case were addresses in the 194.171/16 and 195.230/16
ranges. Of the sources the majority originated in the 194.170/16 and
195.229/16 ranges (1815 of them, the other 72 were the usual
dialup-suspects). Note the subtle 'off-by-one' difference.

Hack'a'tack (the client part) has (at least) two features that might be
relevant here:

1) Very fast subnet-scanning
2) The 'Scan above' button

Feature 1) explains the fast subnet-sweeps; feature 2), I think, explains the
'off-by-one' difference in source and target netblocks. Hack'a'tack asks
for a starting address to start the scan with. Now if someone from within
194.170/16 wants to scan for Hack'a'tack-servers he/she fills in for
example 194.170.246.n, presses 'Scan above' and before you know it (feature 1)
the scan continues with addresses in the 194.171/16 range.

So I guess this is indeed a new or reconfigured version of Hack'a'tack (I
didn't check the latest version yet) or something using the same
scan-engine and the probe-victims in this case are just innocent bystanders
who happen to have IP-addresses in a neighbour-range of the source.

Anyway, many thanks to all who replied!

Cheers,

Xander
Received on Mar 11 2000
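As an added illustration, not part of the thread above, the following Python check applies the pattern Xander describes to constructed firewall-style log lines: probes with UDP source port 28432 and destination port 28431, most of a /24 covered within seconds, and a source sitting in the /16 directly below the target block. The log format, the thresholds and the sample addresses are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, "date time src:sport -> dst:dport proto".
# A host in 194.170/16 sweeps 194.171.12.0/24 on UDP 28431 within one second;
# the last two lines are background noise that must not be flagged.
SAMPLE_LOG = [
    f"2000-03-07 10:15:{s:02d} 194.170.246.17:28432 -> 194.171.12.{h}:28431 UDP"
    for h, s in zip(range(1, 41), [20] * 20 + [21] * 20)
] + [
    "2000-03-07 10:15:30 10.9.8.7:53210 -> 194.171.12.5:53 UDP",
    "2000-03-07 10:16:02 10.9.8.7:28432 -> 194.171.12.6:28431 UDP",
]

def parse_line(line):
    """Split one constructed log line into its fields."""
    date, clock, src, _, dst, proto = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"time": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"),
            "src": sip, "sport": int(sport), "dst": dip, "dport": int(dport),
            "proto": proto}

def find_sweeps(lines, sport=28432, dport=28431, min_hosts=16,
                window=timedelta(seconds=10)):
    """Group matching probes by (source, target /24) and report fast sweeps."""
    groups = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec["proto"] == "UDP" and rec["sport"] == sport and rec["dport"] == dport:
            net = ipaddress.ip_network(f"{rec['dst']}/24", strict=False)
            groups[(rec["src"], net)].append((rec["time"], rec["dst"]))
    sweeps = []
    for (src, net), probes in groups.items():
        times = sorted(t for t, _ in probes)
        hosts = {d for _, d in probes}
        if len(hosts) >= min_hosts and times[-1] - times[0] <= window:
            src16 = ipaddress.ip_network(f"{src}/16", strict=False)
            dst16 = ipaddress.ip_network(f"{net.network_address}/16", strict=False)
            sweeps.append({
                "source": src, "target": str(net), "hosts": len(hosts),
                "seconds": (times[-1] - times[0]).total_seconds(),
                # "Scan above" off-by-one: target /16 is the block right after the source's
                "off_by_one": int(dst16.network_address) - int(src16.network_address) == 1 << 16,
            })
    return sweeps

if __name__ == "__main__":
    for s in find_sweeps(SAMPLE_LOG):
        print(s)
```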
