
SANS ISC: Call for packets TCP/UDP port 48318 SANS ISC InfoSec Forums

Call for packets TCP/UDP port 48318

One of our readers wrote in to tell us that they are experiencing a lot of traffic on TCP port 48318. They even sent us a pcap of the traffic so we could take a look. Unfortunately the pcap only contained inbound SYN packets and outbound RST packets.

The source IPs were from totally different countries, and unique in makeup. Some packets could be from Windows machines (judging from TTL, options, etc.) and some don't appear to be.

Taking a look at our port graph here...



Clearly we have something going on.

So we need some packets. Don't bother sending us just SYN packets; we're going to need at least some three-way handshake stuff.

Now. We are NOT telling you to allow this port through the firewall, let's just get that straight. But if you were in an operational environment where you may be allowed to get us a dump of the traffic with PERMISSION, then that would be great.

Joel Esler

Nov 3rd 2006
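A way to check a capture before submitting it, as an added example that is not part of the original diary: it reads a pcap and reports, per client flow to port 48318, whether a full three-way handshake was recorded or only the SYN/RST exchange described above. It assumes a classic (non-pcapng) Ethernet/IPv4 capture; the function names are hypothetical and the sample frames are constructed from documentation address ranges.

```python
import struct
from collections import defaultdict

PORT = 48318                      # port named in the diary
SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits

def tcp_packets(pcap):
    """Yield (src, sport, dst, dport, flags) from a classic Ethernet/IPv4 pcap."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    off = 24                                     # skip the global header
    while off + 16 <= len(pcap):
        incl = struct.unpack_from(endian + "I", pcap, off + 8)[0]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                             # not IPv4 carrying TCP
        tcp = 14 + (frame[14] & 0x0F) * 4        # honour the IP header length
        if len(frame) < tcp + 14:
            continue                             # truncated TCP header
        sport, dport = struct.unpack_from("!HH", frame, tcp)
        yield frame[26:30], sport, frame[30:34], dport, frame[tcp + 13]

def classify(pcap, port=PORT):
    """Map 'ip:sport' of each client to 'handshake', 'reset' or 'incomplete'."""
    seen = defaultdict(set)
    for src, sport, dst, dport, flags in tcp_packets(pcap):
        if dport == port:                        # client -> listener
            pure_ack = (flags & (ACK | RST)) == ACK
            key, kind = (src, sport), "ACK" if pure_ack else "SYN" if flags & SYN else "OTHER"
        elif sport == port:                      # listener -> client
            key, kind = (dst, dport), "SYNACK" if flags & SYN and flags & ACK else "RST" if flags & RST else "OTHER"
        else:
            continue
        seen[".".join(map(str, key[0])) + f":{key[1]}"].add(kind)
    return {k: "handshake" if {"SYN", "SYNACK", "ACK"} <= v else
               "reset" if "RST" in v else "incomplete" for k, v in seen.items()}

def _frame(src, sport, dst, dport, flags):      # constructed 54-byte test frame
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, bytes(src), bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 1024, 0, 0)
    return bytes(12) + b"\x08\x00" + ip + tcp

def sample_pcap():                               # constructed capture, not real traffic
    srv, a, b, c = (192, 0, 2, 10), (198, 51, 100, 7), (203, 0, 113, 9), (198, 51, 100, 44)
    frames = [_frame(a, 40001, srv, PORT, SYN), _frame(srv, PORT, a, 40001, RST | ACK),
              _frame(b, 40002, srv, PORT, SYN), _frame(srv, PORT, b, 40002, SYN | ACK),
              _frame(b, 40002, srv, PORT, ACK), _frame(c, 40003, srv, PORT, SYN)]
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
```

Calling `classify(open(path, "rb").read())` on a real capture gives the same mapping; only flows reported as `handshake` contain the exchange the diary asks for.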
