Large UDP Traffic -- Immediate Attention Please :)
Results 1 to 10 of 10

Thread: Large UDP Traffic -- Immediate Attention Please :)

  1. #1
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914

    Large UDP Traffic -- Immediate Attention Please :)

    Hey Hey,

    I've got an interesting one for you all. I fire up ethereal and I'm see 50%+ UDP traffic. This in and of itself seems a little fishy to me, however they are all from the same source address and all destined to the broadcast address. They seem to rotate between ports 1010 and 1014. I've googled for UDP port 1010 and I'm not finding anything. I thought it was isolated to the one VLAN, however I switched over to another VLAN and I'm getting the same thing from another IP address. Has any experienced, seen or heard of anything like this in the past?


    Thanks in advance,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  2. #2
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Try a search on port 1010 itself rather than specifying UDP. Google Search

    The target is port 1010. What's the source port and ips? (are they the same or random)?

    Anything special in the packet?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,


    src and dst ports always match, either 1010/1010 or 1014/1014. The DST IP is always the broastcast address and the SRC IP is steady. I have ran nmap on the host, on the first scan it returned 443 open, however on a second scan I got no open ports, everything filtered. It seems to not be common across all VLANs as the third one I plugged into seems to be free, I'm about to switch to another and see what I get.

    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  4. #4
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Maybe it's a scan for the Doly Trojan?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  5. #5
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    That was my first thought when I saw the results and searched google. However the quantity of traffic seems too high for that. I'm getting 6 broadcasts/second at time, which isn't high enough to be an effective flood, but it's high enough that it's caught my attention. You'd think that someone scanning for the trojan would limit their activities slightly.
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  6. #6
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    You'd think that someone scanning for the trojan would limit their activities slightly.
    This assumes intelligence on the part of the "kiddie". Is there anything in the packet?(data of any type?) Do you have any packets we can look at (santized of all incriminating IPs)
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  7. #7
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Here's a screenshot for ya,

    [Edit]
    The other thing that leads me to believe it's not scanning for the trojan is the fact that it's in so many places, and the results are so much alike. I'm getting the same results from various people in various buildings... on different Vlans

    [Edit]
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  8. #8
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Interesting... any hits to UDP port 5632?

    Oh.. and is that sanitized addresses?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  9. #9
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Not that we've noticed at this point. We've killed those switch ports and the students will have to contact us and bring their computers down before they get access again, I was just wondering if anyone knew anything or knows anything about it.

    [Edit]
    They're private addresses for specific vlans in the college, so you can have them. If they were public addresses I'd wipe them out.
    [/Edit]

    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  10. #10
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey Everyone,

    Just to let ya know, it turns out the problem was with Silicon Chalk Admin Service... SC is a teaching/classroom aid. We haven't fully diagnosed the problem, or determined why it happens, but we are currently working on a solution. If anyone has any information about it, it would be greatly appreciated. Thanks again for the help.


    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •