wierd: udp port 0 traffic

From: Gianni Tedesco <gianni(at)ecsc.co.uk>
Date: Mon Jan 27 2003 - 06:57:10 EST

Looking through my IDS logs this morning, found a very wierd little probe a couple of weeks ago. Anyone seen anything like this before?

$ firecat ./db --format ascii --query "sid=525"

  packet: 2003-01-18 15:48:31.267261 len=126 caplen=126
   alert: [sig.udp] BAD TRAFFIC udp port 0 traffic (sid=525.4 prio=3)
   linux: if33554432:unicast - 256
      ip: 81.86.64.211 > 212.69.230.191 ttl=114 proto=17 len=46
     udp: 21614 > 0 len=26 csum=0xdc1
    data: Application layer data (18 bytes)
00000 : ............P.P. 01 00 00 00 2E 00 00 00 2E 00 00 00 50 00 50 00
00010 : Ow)>............ 4F 77 29 3E FD 13 04 00 00 00 00 00 00 00 00 00
00020 : ..............{. 11 00 08 00 02 00 00 00 01 00 00 06 00 09 7B C6
00030 : ................ A4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00040 : ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00050 : E.......r.^.QV@. 45 00 00 2E 9C F5 00 00 72 11 5E 9B 51 56 40 D3

00060 : .E..Tn........JI D4 45 E6 BF 54 6E 00 00 00 1A 0D C1 08 13 4A 49 00070 : ....abcdefghij 02 00 01 00 61 62 63 64 65 66 67 68 69 6A

  packet: 2003-01-18 15:49:01.070234 len=126 caplen=126
   alert: [sig.udp] BAD TRAFFIC udp port 0 traffic (sid=525.4 prio=3)
   linux: if33554432:unicast - 256
      ip: 81.86.64.211 > 212.69.230.191 ttl=114 proto=17 len=46
     udp: 21618 > 0 len=26 csum=0xdbd
    data: Application layer data (18 bytes)
00000 : ............P.P. 01 00 00 00 2E 00 00 00 2E 00 00 00 50 00 50 00
00010 : mw)>Z........... 6D 77 29 3E 5A 12 01 00 00 00 00 00 00 00 00 00
00020 : ..............{. 11 00 08 00 02 00 00 00 01 00 00 06 00 09 7B C6
00030 : ................ A4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00040 : ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00050 : E.......r.^.QV@. 45 00 00 2E 9D 01 00 00 72 11 5E 8F 51 56 40 D3

00060 : .E..Tr........JI D4 45 E6 BF 54 72 00 00 00 1A 0D BD 08 13 4A 49 00070 : ....abcdefghij 02 00 01 00 61 62 63 64 65 66 67 68 69 6A

  packet: 2003-01-18 15:49:36.001479 len=126 caplen=126
   alert: [sig.udp] BAD TRAFFIC udp port 0 traffic (sid=525.4 prio=3)
   linux: if33554432:unicast - 256
      ip: 81.86.64.211 > 212.69.230.191 ttl=114 proto=17 len=46
     udp: 21620 > 0 len=26 csum=0xdbb
Do you need help?
In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software:
Learn more about Pantek's Technical Support offerings
Place an order for 24/7/365 Technical Support here
Learn more about Pantek, who we are, and what we do
Chat with a Live Operator
Related securityfocus.com Links
bugtraq
certification
focus-bsd
focus-ids
focus-ih
focus-linux
focus-ms
focus-sun
focus-unix-other
focus-virus
forensics
incidents
libnet
linux-secnews
ms-secnews
pen-test
secpapers
secprog
sectools
secureshell
security-basics
securityjobs
sf-news
vuln-dev
webappsec
Request more information about Pantek
    data: Application layer data (18 bytes)
00000 : ............P.P. 01 00 00 00 2E 00 00 00 2E 00 00 00 50 00 50 00
00010 : .w)>............ 90 77 29 3E C7 05 00 00 00 00 00 00 00 00 00 00
00020 : ..............{. 11 00 08 00 02 00 00 00 01 00 00 06 00 09 7B C6
00030 : ................ A4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00040 : ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00050 : E.......r.^.QV@. 45 00 00 2E 9D 0D 00 00 72 11 5E 83 51 56 40 D3

00060 : .E..Tt........JI D4 45 E6 BF 54 74 00 00 00 1A 0D BB 08 13 4A 49 00070 : ....abcdefghij 02 00 01 00 61 62 63 64 65 66 67 68 69 6A

-- 
// Gianni Tedesco (gianni at scaramanga dot co dot uk)
lynx --source www.scaramanga.co.uk/gianni-at-ecsc.asc | gpg --import
8646BE7D: 6D9F 2287 870E A2C9 8F60 3A3C 91B5 7669 8646 BE7D

Received on Mon Jan 27 12:36:16 2003