'Re: Odd TCP and UDP port 1167 attempts'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       intrusions
Subject:    Re: Odd TCP and UDP port 1167 attempts
From:       John Sage <jsage () finchhaven ! com>
Date:       2002-12-25 16:04:54
[Download RAW message or body]

Joseph:

Are you on a dynamic IP?

[toot@sparky /tmp]# host 216.93.89.8
8.89.93.216.in-addr.arpa. domain name pointer d163.as0.sfld.mi.voyager.net.

Very quickly, this looks like the remnant of a previous P2P
conversation to the IP address you now have, from someone who may have
just come back online.

I'm on a dialup at home and I see a lot of that sort of thing...


On Wed, Dec 25, 2002 at 06:38:45AM -0500, Joseph wrote:
> I'm seeing some traffic that I don't recognize. The pattern is the same 
> each time, and always port 1167.
> 
> Pattern:
> 
> UDP frag, two TCP packets, two UDP frags. Like so:
> 
> 06:28:37.127492 67.83.108.172.11980 > 216.93.89.8.1167: udp 1313 (frag 
> 10415:552@0+) (ttl 111, len 572)
> 0x0000   4500 023c 28af 2000 6f11 1f9d 4353 6cac        E..<(...o...CSl.
> 0x0010   d85d 5908 2ecc 048f 0529 2032 c028 aabc        .]Y......).2.(..
> 0x0020   b09a 0014 7480 fdc7 4644 1b52 7d41 030e        ....t...FD.R}A..
> 0x0030   86c8 9706 d8f1 385e 65d1 eaae 20c8 0b4e        ......8^e......N
> 0x0040   f5b1 1c0e a49d 7bf7 74cd 7d4a c0ce da53        ......{.t.}J...S
> 
> 06:28:37.317494 67.83.108.172.13694 > 216.93.89.8.1167: S [tcp sum ok] 
> 836834397:836834397(0) win 16384 <mss 1364,nop,nop,sackOK> (DF) (ttl 
> 111, id 10416, len 48)
> 0x0000   4500 0030 28b0 4000 6f06 01b3 4353 6cac        E..0(.@.o...CSl.
> 0x0010   d85d 5908 357e 048f 31e1 145d 0000 0000        .]Y.5~..1..]....
> 0x0020   7002 4000 e1ce 0000 0204 0554 0101 0402        p.@........T....
> 
> 06:28:38.537503 67.83.108.172.13420 > 216.93.89.8.1167: S [tcp sum ok] 
> 2638748606:2638748606(0) win 16384 <mss 1364,nop,nop,sackOK> (DF) (ttl 
> 111, id 10418, len 48)
> 0x0000   4500 0030 28b2 4000 6f06 01b1 4353 6cac        E..0(.@.o...CSl.
> 0x0010   d85d 5908 346c 048f 9d48 1bbe 0000 0000        .]Y.4l...H......
> 0x0020   7002 4000 7018 0000 0204 0554 0101 0402        p.@.p......T....
> 
> 06:28:39.277503 67.83.108.172.14054 > 216.93.89.8.1167: S [tcp sum ok] 
> 2440359830:2440359830(0) win 16384 <mss 1364,nop,nop,sackOK> (DF) (ttl 
> 111, id 10419, len 48)
> 0x0000   4500 0030 28b3 4000 6f06 01b0 4353 6cac        E..0(.@.o...CSl.
> 0x0010   d85d 5908 36e6 048f 9174 ef96 0000 0000        .]Y.6....t......
> 0x0020   7002 4000 a599 0000 0204 0554 0101 0402        p.@........T....
> 
> 06:28:40.137540 67.83.108.172.11980 > 216.93.89.8.1167: udp 1313 (frag 
> 10420:552@0+) (ttl 111, len 572)
> 0x0000   4500 023c 28b4 2000 6f11 1f98 4353 6cac        E..<(...o...CSl.
> 0x0010   d85d 5908 2ecc 048f 0529 2032 c028 aabc        .]Y......).2.(..
> 0x0020   b09a 0014 7480 fdc7 4644 1b52 7d41 030e        ....t...FD.R}A..
> 0x0030   86c8 9706 d8f1 385e 65d1 eaae 20c8 0b4e        ......8^e......N
> 0x0040   f5b1 1c0e a49d 7bf7 74cd 7d4a c0ce da53        ......{.t.}J...S
> 
> 06:28:43.567498 67.83.108.172.11980 > 216.93.89.8.1167: udp 1313 (frag 
> 10421:552@0+) (ttl 111, len 572)
> 0x0000   4500 023c 28b5 2000 6f11 1f97 4353 6cac        E..<(...o...CSl.
> 0x0010   d85d 5908 2ecc 048f 0529 2032 c028 aabc        .]Y......).2.(..
> 0x0020   b09a 0014 7480 fdc7 4644 1b52 7d41 030e        ....t...FD.R}A..
> 0x0030   86c8 9706 d8f1 385e 65d1 eaae 20c8 0b4e        ......8^e......N
> 0x0040   f5b1 1c0e a49d 7bf7 74cd 7d4a c0ce da53        ......{.t.}J...S



- John
-- 
NEWS FLASH: Lowest common denominator continues to plummet

    PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic