
SANS ISC: InfoSec Handlers Diary Blog



What's up with 14323?

Published: 2008-04-09
Last Updated: 2008-04-10 18:02:45 UTC
by donald smith (Version: 2)
2 comment(s)

We had one reader submit a question about a large volume of blocked traffic.
Most of it was aimed at port 14323 and alternated between UDP and TCP; some of it targeted port 33435 as well.
I edited his logs slightly to protect the submitter's identity and to eliminate some of the "duplicates". If you have additional information or packets, please provide them via our contacts link.

Wed Apr 09 11:37:21 2008 Unrecognized attempt blocked from 91.122.128.9:11125 to victim’s_ip UDP:14323
Wed Apr 09 11:37:21 2008 Unrecognized attempt blocked from 91.122.128.9:11125 to victim’s_ip UDP:14323
Wed Apr 09 11:37:22 2008 Unrecognized attempt blocked from 91.122.128.9:11125 to victim’s_ip UDP:14323
Wed Apr 09 11:37:22 2008 Unrecognized attempt blocked from 91.122.128.9:11125 to victim’s_ip UDP:14323
Wed Apr 09 11:44:02 2008 Unrecognized attempt blocked from 91.122.52.114:3283 to victim’s_ip TCP:14323
Wed Apr 09 11:44:05 2008 Unrecognized attempt blocked from 91.122.52.114:3283 to victim’s_ip TCP:14323
Wed Apr 09 11:45:04 2008 Unrecognized attempt blocked from 78.60.140.172:19132 to victim’s_ip UDP:14323
Wed Apr 09 12:52:52 2008 Unrecognized attempt blocked from 66.35.46.201:11354 to victim’s_ip UDP:33435
Wed Apr 09 12:52:57 2008 Unrecognized attempt blocked from 66.35.46.201:11354 to victim’s_ip UDP:33435
Wed Apr 09 12:53:27 2008 Unrecognized attempt blocked from 78.60.140.172:19132 to victim’s_ip UDP:14323
Wed Apr 09 12:57:24 2008 Unrecognized attempt blocked from 122.162.33.190:21920 to victim’s_ip UDP:14323

UPDATE

We have received several packets matching some of the IP addresses and ports listed above. They had very low TTLs, so I think this is some sort of traceroute tool. I didn't believe it was before because of the mix of TCP and UDP; those are not normally used together in traceroute tools. I still do not know what tool created these, but I do believe it is some sort of traceroute-like tool.
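As an added example (not part of the original diary or the submitter's tooling), here is a small Python script that performs the two checks a handler would run on a submission like this: it parses firewall log lines in the format quoted above and summarizes each source's protocols, destination ports and probe count, and it applies the TTL test from the update to packet records. The log lines and packet records are constructed for the example (the diary does not publish the captured packets or their TTLs); the address 10.9.8.7, the "victim_ip" placeholder and the thresholds are assumptions. The TTL test follows from how traceroute works: probes are sent with initial TTLs of 1, 2, 3, and so on, so those that reach the target arrive with remaining TTLs forming a run that starts near 1, whereas ordinary client traffic arrives with a fixed remaining TTL of roughly 64, 128 or 255 minus the hop count. The script also flags destination ports in the range used by classic UNIX traceroute (33434 and up), which is where 33435 falls.

```python
import re
from collections import defaultdict

# Firewall log lines in the format quoted in the diary, constructed for this
# example (same shape as the reader's log; "victim_ip" stands in for the target).
# The last line is deliberately malformed to show the parser skipping it.
LOG_LINES = """\
Wed Apr 09 11:37:21 2008 Unrecognized attempt blocked from 91.122.128.9:11125 to victim_ip UDP:14323
Wed Apr 09 11:37:22 2008 Unrecognized attempt blocked from 91.122.128.9:11125 to victim_ip UDP:14323
Wed Apr 09 11:44:02 2008 Unrecognized attempt blocked from 91.122.52.114:3283 to victim_ip TCP:14323
Wed Apr 09 11:45:04 2008 Unrecognized attempt blocked from 78.60.140.172:19132 to victim_ip UDP:14323
Wed Apr 09 12:52:52 2008 Unrecognized attempt blocked from 66.35.46.201:11354 to victim_ip UDP:33435
Wed Apr 09 12:53:27 2008 Unrecognized attempt blocked from 78.60.140.172:19132 to victim_ip UDP:14323
this line is garbage and must be skipped by the parser
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"Unrecognized attempt blocked from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>\S+) (?P<proto>TCP|UDP):(?P<dport>\d+)$"
)

# Classic UNIX traceroute sends UDP probes to destination ports starting at
# 33434 and incrementing per probe. The upper bound is an assumption that
# comfortably covers a 30-hop, 3-probe-per-hop run (33434 + 90).
TRACEROUTE_UDP_BASE = 33434
TRACEROUTE_UDP_MAX = 33534


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def summarize_by_source(lines):
    """Per source IP: protocols seen, destination ports hit, and probe count."""
    summary = defaultdict(lambda: {"protos": set(), "dports": set(), "count": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        entry = summary[rec["src"]]
        entry["protos"].add(rec["proto"])
        entry["dports"].add(rec["dport"])
        entry["count"] += 1
    return dict(summary)


def in_traceroute_udp_range(port):
    """True if the destination port is in the classic UDP traceroute range."""
    return TRACEROUTE_UDP_BASE <= port <= TRACEROUTE_UDP_MAX


# Packet records carrying the IP TTL as seen at the target, which the firewall
# log above does not record. Constructed for the example: the first source
# behaves like a traceroute (arriving TTLs 1, 2, 3, 4, mixing UDP and TCP); the
# second, 10.9.8.7 (an assumed address), is an ordinary client whose packets
# all arrive with the same remaining TTL (64 minus 13 hops).
PACKETS = [
    {"src": "91.122.128.9", "proto": "UDP", "dport": 14323, "ttl": 1},
    {"src": "91.122.128.9", "proto": "UDP", "dport": 14323, "ttl": 2},
    {"src": "91.122.128.9", "proto": "UDP", "dport": 14323, "ttl": 3},
    {"src": "91.122.128.9", "proto": "TCP", "dport": 14323, "ttl": 4},
    {"src": "10.9.8.7", "proto": "TCP", "dport": 14323, "ttl": 51},
    {"src": "10.9.8.7", "proto": "TCP", "dport": 14323, "ttl": 51},
]


def traceroute_like_sources(packets, max_start_ttl=3, min_run=2):
    """Sources whose arriving TTLs form a consecutive run starting at a small value.

    A traceroute sends probes with initial TTL 1, 2, 3, ...; the ones that survive
    to the target arrive with remaining TTLs that climb by one from a small start.
    Normal clients arrive with a fixed remaining TTL well above max_start_ttl.
    """
    ttls_by_src = defaultdict(set)
    for pkt in packets:
        ttls_by_src[pkt["src"]].add(pkt["ttl"])
    hits = []
    for src, seen in ttls_by_src.items():
        lowest = min(seen)
        if lowest > max_start_ttl:
            continue
        run = 1
        while lowest + run in seen:
            run += 1
        if run >= min_run:
            hits.append(src)
    return sorted(hits)


if __name__ == "__main__":
    for src, entry in sorted(summarize_by_source(LOG_LINES).items()):
        flag = " (classic traceroute UDP port range)" if any(
            in_traceroute_udp_range(p) for p in entry["dports"]) else ""
        print(f"{src}: {entry['count']} probes, {sorted(entry['protos'])}, "
              f"ports {sorted(entry['dports'])}{flag}")
    print("traceroute-like by TTL:", traceroute_like_sources(PACKETS))
```

One caveat when reading the logs above against this check: classic UNIX traceroute changes the UDP destination port with every probe, whereas the traffic here keeps 14323 fixed across probes, so a tool that passes the TTL test is traceroute-like in its TTL handling without necessarily being the stock utility. The TTL check needs packet captures, not just the firewall log, which is why the update only became possible once readers sent packets.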
