LinuxSA Mailing list archives

Index: [thread] [date] [subject] [author]
  From: Alan Kennington <akenning@dog.topology.org>
  To  : LinuxSA <linuxsa@linuxsa.org.au>
  Date: Fri, 5 Nov 1999 19:09:33 +1030

UDP port 752 does what?

Question: What does UDP port 752 do?

I just had a couple of attacks over the net from
www.tigh.com (216.70.155.157).

It looked like it was all okay.
It was a fairly vigorous attack, though.
So I thought I'd take a look at the
packets with ethereal.
There was one thing that I didn't understand.

The attacker sent a UDP packet to my SuSE6.2
linux system at port 752.
And my system replied, even though UDP port
(and TCP port) 752 does not appear in /etc/services.

So I checked /proc/net/udp, and saw:

  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode

   9: 00000000:02F0 00000000:0000 07 00000000:00000000 00:00000000 00000000 0        0 127

This seems to show that root has the UDP port
02F0 (752) open.

Presumably all the sunrpc calls determined that there
was something at UDP port 752. But what is it?

Clues, anyone?

Regards,
Alan Kennington.

PS.  Here are some of the packets:

16:58:45.720000 www.tigh.com.623 > emu.topology.org.752: udp 1068 (ttl 48, id 43051)
                         4500 0448 a82b 0000 3011 0b3b d846 9b9d
                         cb26 9434 026f 02f0 0434 c200 3921 c0be
                         0000 0000 0000 0002 0001 86a5 0000 0001
                         0000 0001 0000 0000 0000 0000 0000 0000
                         0000 0000
16:58:50.650000 www.tigh.com.623 > emu.topology.org.752: udp 1068 (ttl 48, id 43528)
                         4500 0448 aa08 0000 3011 095e d846 9b9d
                         cb26 9434 026f 02f0 0434 c200 3921 c0be
                         0000 0000 0000 0002 0001 86a5 0000 0001
                         0000 0001 0000 0000 0000 0000 0000 0000
                         0000 0000
16:58:51.320000 emu.topology.org.752 > www.tigh.com.623: udp 28 (ttl 63, id 10666)
                         4500 0038 29aa 0000 3f11 7ecc cb26 9434
                         d846 9b9d 02f0 026f 0024 2d1a 3921 c0be
                         0000 0001 0000 0000 0000 0000 0000 0000
                         0000 0000 0000 000d
16:58:51.320000 emu.topology.org.752 > www.tigh.com.623: udp 28 (ttl 63, id 10667)
                         4500 0038 29ab 0000 3f11 7ecb cb26 9434
                         d846 9b9d 02f0 026f 0024 2d1a 3921 c0be
                         0000 0001 0000 0000 0000 0000 0000 0000
                         0000 0000 0000 000d

After this, they attacked the infamous 10752, which is where
they expect their newly installed worm-vector to respond from.
Does this maybe mean that the 752 UDP port listening 
process is an installed worm thing?

-- 
Check out the LinuxSA web pages at http://www.linuxsa.org.au/
To unsubscribe from the LinuxSA list:
  mail linuxsa-request@linuxsa.org.au with "unsubscribe" as the subject
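As an added worked example (mine, not part of the post above), the RPC headers in the two hex dumps can be decoded with the standard ONC RPC message layout (RFC 5531) and the well-known program number table from rpc(5): the call is addressed to program 100005, the MOUNT protocol served by rpc.mountd, which gets its port from the portmapper at startup rather than from /etc/services, and the reply carries mount status 13, EACCES. The input below is the payload of the first call and first reply exactly as printed, with the IP and UDP headers stripped; the dump only kept 68 bytes per datagram, which is enough for the RPC header but cuts off the call's argument.

```python
import errno
import struct

# Constructed from the hex dumps in the post: the first call and the first reply,
# IP (20 bytes) and UDP (8 bytes) headers stripped. The capture kept only 68 bytes
# per datagram, so the 1068-byte call is cut off right after its verifier.
CALL_HEX = ("3921c0be 00000000 00000002 000186a5 00000001"
            " 00000001 00000000 00000000 00000000 00000000")
REPLY_HEX = "3921c0be 00000001 00000000 00000000 00000000 00000000 0000000d"

PROGRAMS = {100000: "portmapper", 100003: "nfs", 100005: "mountd"}  # rpc(5)
MOUNT_PROCS = {0: "NULL", 1: "MNT", 2: "DUMP", 3: "UMNT", 4: "UMNTALL", 5: "EXPORT"}

def _words(hexstr):
    """Split hex text into big-endian 32-bit XDR words."""
    data = bytes.fromhex(hexstr.replace(" ", ""))
    n = len(data) // 4
    return list(struct.unpack("!%dI" % n, data[:n * 4]))

def decode_rpc(hexstr):
    """Decode the fixed part of an ONC RPC call or accepted reply (RFC 5531, section 9)."""
    w = _words(hexstr)
    msg = {"xid": w[0], "type": "CALL" if w[1] == 0 else "REPLY"}
    if w[1] == 0:
        msg.update(rpcvers=w[2], prog=w[3], vers=w[4], proc=w[5],
                   program=PROGRAMS.get(w[3], "unknown"),
                   cred_flavor=w[6], cred_len=w[7], verf_flavor=w[8], verf_len=w[9])
        if w[3] == 100005:
            msg["procedure"] = MOUNT_PROCS.get(w[5], "unknown")
    else:  # MSG_DENIED bodies have a different layout and are not decoded here
        msg.update(reply_stat="MSG_ACCEPTED" if w[2] == 0 else "MSG_DENIED",
                   verf_flavor=w[3], verf_len=w[4], accept_stat=w[5], result=w[6:])
    return msg

def mount_status(call, reply):
    """Interpret a MOUNT MNT reply: fhstatus 0 means a file handle follows,
    any other value is a UNIX errno (RFC 1094, appendix A.3)."""
    if reply["xid"] != call["xid"]:
        return "reply does not match call"
    if (reply["type"] != "REPLY" or reply["reply_stat"] != "MSG_ACCEPTED"
            or reply["accept_stat"] != 0):
        return "rpc-level failure"
    status = reply["result"][0]
    return "OK" if status == 0 else errno.errorcode.get(status, "errno %d" % status)
```

The same decoder applies to any ONC RPC service on a dynamic port: the program number in the call header, cross-checked against `rpcinfo -p` output, identifies the listener without guessing from the port alone.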
