
SANS ISC: What’s up with 14323? - Internet Security | DShield SANS ISC InfoSec Forums


What’s up with 14323?

We had one reader submit a question regarding lots of blocked traffic.
Most of the blocked traffic was towards port 14323 and alternated between UDP and TCP.
Some of the blocked traffic targeted 33435 too. I edited his logs slightly to protect the submitter’s identity and to eliminate some of the "duplicates". If you have additional information or packets, please provide them via our contacts link.

Wed Apr 09 11:37:21 2008 Unrecognized attempt blocked from 91.122.128.9:11125 to victim’s_ip UDP:14323
Wed Apr 09 11:37:21 2008 Unrecognized attempt blocked from 91.122.128.9:11125 to victim’s_ip UDP:14323
Wed Apr 09 11:37:22 2008 Unrecognized attempt blocked from 91.122.128.9:11125 to victim’s_ip UDP:14323
Wed Apr 09 11:37:22 2008 Unrecognized attempt blocked from 91.122.128.9:11125 to victim’s_ip UDP:14323
Wed Apr 09 11:44:02 2008 Unrecognized attempt blocked from 91.122.52.114:3283 to victim’s_ip TCP:14323
Wed Apr 09 11:44:05 2008 Unrecognized attempt blocked from 91.122.52.114:3283 to victim’s_ip TCP:14323
Wed Apr 09 11:45:04 2008 Unrecognized attempt blocked from 78.60.140.172:19132 to victim’s_ip UDP:14323
Wed Apr 09 12:52:52 2008 Unrecognized attempt blocked from 66.35.46.201:11354 to victim’s_ip UDP:33435
Wed Apr 09 12:52:57 2008 Unrecognized attempt blocked from 66.35.46.201:11354 to victim’s_ip UDP:33435
Wed Apr 09 12:53:27 2008 Unrecognized attempt blocked from 78.60.140.172:19132 to victim’s_ip UDP:14323
Wed Apr 09 12:57:24 2008 Unrecognized attempt blocked from 122.162.33.190:21920 to victim’s_ip UDP:14323

donald

206 Posts
ISC Handler
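
A triage sketch for the log format shown in the diary, added here as an example and not part of the original diary or any ISC tool: it parses the lines, collapses repeats from the same source IP and port, and lists destination ports probed over both UDP and TCP. The function names and the 10-second retry window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Nine of the log lines posted in the diary (destination already redacted there).
SAMPLE = """\
Wed Apr 09 11:37:21 2008 Unrecognized attempt blocked from 91.122.128.9:11125 to victim’s_ip UDP:14323
Wed Apr 09 11:37:22 2008 Unrecognized attempt blocked from 91.122.128.9:11125 to victim’s_ip UDP:14323
Wed Apr 09 11:44:02 2008 Unrecognized attempt blocked from 91.122.52.114:3283 to victim’s_ip TCP:14323
Wed Apr 09 11:44:05 2008 Unrecognized attempt blocked from 91.122.52.114:3283 to victim’s_ip TCP:14323
Wed Apr 09 11:45:04 2008 Unrecognized attempt blocked from 78.60.140.172:19132 to victim’s_ip UDP:14323
Wed Apr 09 12:52:52 2008 Unrecognized attempt blocked from 66.35.46.201:11354 to victim’s_ip UDP:33435
Wed Apr 09 12:52:57 2008 Unrecognized attempt blocked from 66.35.46.201:11354 to victim’s_ip UDP:33435
Wed Apr 09 12:53:27 2008 Unrecognized attempt blocked from 78.60.140.172:19132 to victim’s_ip UDP:14323
Wed Apr 09 12:57:24 2008 Unrecognized attempt blocked from 122.162.33.190:21920 to victim’s_ip UDP:14323
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{2} [\d:]{8} \d{4}) Unrecognized attempt blocked "
    r"from (?P<src>[\d.]+):(?P<sport>\d+) to \S+ (?P<proto>UDP|TCP):(?P<dport>\d+)$")

def parse(text):
    """Return sorted (time, src_ip, src_port, proto, dst_port) tuples; skip other lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            events.append((ts, m["src"], int(m["sport"]), m["proto"], int(m["dport"])))
    return sorted(events)

def summarize(events, retry_window=10):
    """Per (proto, dst_port): raw lines, distinct sources, attempts with retries collapsed."""
    stats = defaultdict(lambda: {"lines": 0, "attempts": 0, "sources": set()})
    last_seen = {}
    for ts, src, sport, proto, dport in events:
        flow = (src, sport, proto, dport)
        s = stats[(proto, dport)]
        s["lines"] += 1
        s["sources"].add(src)
        prev = last_seen.get(flow)
        # A repeat from the same src_ip:src_port inside the window counts as a retry.
        if prev is None or (ts - prev).total_seconds() > retry_window:
            s["attempts"] += 1
        last_seen[flow] = ts
    return dict(stats)

def dual_protocol_ports(stats):
    """Destination ports probed over both UDP and TCP."""
    return sorted(p for proto, p in stats if proto == "UDP" and ("TCP", p) in stats)
```

Comparing `lines` with `attempts` per port separates retransmissions from genuinely new probes, and `sources` shows how many distinct hosts are behind each port.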
I'm also observing traffic on 33437/UDP. There's a chance that this traffic isn't associated with this diary entry, but the source IP resolves to hi.pnap.net. Most of the traffic I'm observing regarding the reported ports is coming from pnap.net.
Ron

29 Posts