[OT strange UDP]
Gregory D Hough
mr6re9-mI4xJ4qlgtBiLUuM0BA3LQ== at public.gmane.org
Mon Apr 19 12:05:15 UTC 2004
On 04/18/2004 03:21:52 PM, Noah John Gellner wrote:
> Are you running any p2p apps? I have noticed that many bittorrent and
> mule/donkey servers, for example, are configured to use non-default
> ports often to get around ISP port blocking. I recognize a lot of the
> info from your datagrams as music related, mainly electronica.
>
Actually NO, we share nothing and downloading of music/sick-twisted-games
is strictly prohibited. The datagram that piqued my curiosity was the one
that read "peek of pandora". After seeing that I looked at them all and
found more questions than answers. I captured this one earlier this AM:
Internet Protocol, Src Addr: 81.49.122.30
User Datagram Protocol, Src Port: 2705 (2705), Dst Port: 11609 (11609)
Data (69 bytes)
0030 f6 a6 81 29 25 b8 d6 23 00 5c 8f 40 80 8d aa 28 ...)%..#.\.@...(
0040 2c 39 c6 9a 23 1e 7d ee 32 b2 1c a3 01 00 00 00 ,9..#.}.2.......
0050 02 03 00 6c 6f 63 17 00 62 63 70 3a 2f 2f 31 39 ...loc..bcp://19
0060 32 2e 31 36 38 2e 30 2e 32 3a 32 33 37 35 36 2.168.0.2:23756
This packet may provide an additional clue. What is bcp? First of all, I
do not use that address space anywhere in the network; someone is
either guessing or these were intended to reach another machine.
Secondly, lsof -i 4 and netstat -na on Lin Win respectively show no one
is listening here.
> My sniffing package of choice is ettercap, which I find provides enough
> information for me to identify what is causing traffic. Perhaps it will
> work for you.
>
I appreciate the suggestion but I'm quite comfortable with ethereal, or
tcpdump on a noX box. I just thought maybe someone had a heads-up on a
new exploit or recognized this belonging to a certain app. As of
yesterday noon, dshield.org had nothing in their database beyond April
09 for these destination ports (11609, 11613). I get the feeling
(though I'm probably wrong) the ports are irrelevant and their target
is the stack. Any ideas?
> Noah
>
> On 15:10 Sun 18 Apr , GDHough wrote:
> <datagrams snipped>
>
> > These represent a small fraction of packets from numerous sources.
> > Has anyone seen this before?
> > Is it some new fangled p2p?
>
> --
--
The Toronto Linux Users Group. Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
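As an added example, not code from the thread or from either poster: a small Python triage script that rebuilds the datagram payload from the hex columns of the dump quoted above, regenerates the ASCII column from the bytes instead of trusting the line-wrapped one, accounts for the payload bytes the excerpt starts after (the dump begins at 0x30 while the summary declares 69 bytes of data), and pulls out the embedded bcp:// token, checking whether its host falls in RFC 1918 space the way the poster did by hand. The header sizes (14 + 20 + 8) are an assumption of an Ethernet frame carrying an option-less IPv4 header; the dump lines are retyped from the post as constructed input.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# The four hex-dump lines from the post, retyped here as constructed input
# (offset, up to 16 hex bytes, then Ethereal's ASCII column). The ASCII column
# is never trusted: it is regenerated from the bytes, which is the only reliable
# way to read a dump after a mail client has line-wrapped it.
DUMP_LINES = [
    "0030 f6 a6 81 29 25 b8 d6 23 00 5c 8f 40 80 8d aa 28 ...)%..#.\\.@...(",
    "0040 2c 39 c6 9a 23 1e 7d ee 32 b2 1c a3 01 00 00 00 ,9..#.}.2.......",
    "0050 02 03 00 6c 6f 63 17 00 62 63 70 3a 2f 2f 31 39 ...loc..bcp://19",
    "0060 32 2e 31 36 38 2e 30 2e 32 3a 32 33 37 35 36 2.168.0.2:23756",
]

DECLARED_DATA_LEN = 69        # "Data (69 bytes)" from the Ethereal summary line
PAYLOAD_OFFSET = 14 + 20 + 8  # assumption: Ethernet + option-less IPv4 + UDP = 0x2a

HEX_PAIR = re.compile(r"^[0-9a-fA-F]{2}$")
URI_RE = re.compile(r"[a-z][a-z0-9+.-]*://[^\s\x00-\x1f]+")


def parse_dump(lines):
    """Rebuild raw bytes from hex-dump lines, checking the offsets are contiguous.

    Returns (start_offset, data). Raises ValueError on a gap or out-of-order line.
    """
    start = expected = None
    data = bytearray()
    for line in lines:
        tokens = line.split()
        if not tokens:
            continue
        offset = int(tokens[0], 16)
        if start is None:
            start = offset
        elif offset != expected:
            raise ValueError(f"offset 0x{offset:04x} does not follow 0x{expected:04x}")
        chunk = bytearray()
        # At most 16 hex pairs per line; the first non-hex token starts the
        # ASCII column (a short last line whose ASCII column happened to begin
        # with two hex digits would be ambiguous, which is why 16 is the cap).
        for tok in tokens[1:17]:
            if not HEX_PAIR.match(tok):
                break
            chunk.append(int(tok, 16))
        data += chunk
        expected = offset + len(chunk)
    return start, bytes(data)


def ascii_column(chunk):
    """Ethereal's rendering: printable ASCII as-is, everything else as '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7f else "." for b in chunk)


def bytes_not_shown(start, data, declared_len=DECLARED_DATA_LEN,
                    payload_offset=PAYLOAD_OFFSET):
    """(bytes of payload before the first dumped line, bytes missing after it)."""
    leading = start - payload_offset
    return leading, declared_len - (leading + len(data))


def printable_strings(data, min_len=4):
    """Runs of printable ASCII at least min_len long, as strings(1) would report."""
    pattern = re.compile(rb"[\x20-\x7e]{" + str(min_len).encode() + rb",}")
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def embedded_uris(data):
    """Find scheme://host:port tokens in the payload and classify each host."""
    found = []
    for s in printable_strings(data):
        for uri in URI_RE.findall(s):
            parts = urlsplit(uri)
            host, port = parts.hostname, parts.port
            try:
                private = ipaddress.ip_address(host).is_private
            except ValueError:  # a hostname rather than a literal address
                private = None
            found.append({"scheme": parts.scheme, "host": host,
                          "port": port, "private": private})
    return found


if __name__ == "__main__":
    start, data = parse_dump(DUMP_LINES)
    for i in range(0, len(data), 16):
        print(f"{start + i:04x}  {ascii_column(data[i:i + 16])}")
    print("payload bytes before/after the excerpt:", bytes_not_shown(start, data))
    print(embedded_uris(data))
```

On the dump above this reports six payload bytes (0x2a-0x2f) that the excerpt does not show, no bytes missing at the end, and a single URI-like string, bcp://192.168.0.2:23756, whose host is a private address; that matches the poster's observation that the address is not in use on his network, so the token is information the remote sender carries, not something his hosts were asked for.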