[Snort-users] UDP 1434

Steven Rudolph srudolph at ...4612...
Sat Jan 25 08:59:03 EST 2003


Major worm..
http://isc.incidents.org/analysis.html?id=180

	-----Original Message----- 
	From: jai [mailto:jai.s at ...6716...] 
	Sent: Sat 1/25/2003 10:50 AM 
	To: snort-users at lists.sourceforge.net; focus-ids at ...35...; vuln-dev at ...35...; Paul Marcus 
	Cc: snort-users at lists.sourceforge.net 
	Subject: Re: [Snort-users] UDP 1434
	
	

	Hi, 

	 Internet traffic of INDIA's and ASIA's network has been affected 
	badly.....its amazing....seriously microsoft sucks.. 
	 but its fun !! :-) 

	Well I found something new in this ... I think this worm spoofs IP address 
	according ....below is the 
	tcpdump output ..out of which the host is ....169.254.198.47. sending repeated 
	packets to different network... 
	but...169.254.198.47..is not our network....after matching the MAC address 
	..it was originating ...from our IP i.e 
	202.71.129.197.. 

	tcpdump output : 

	20:56:28.016820 0:2:b3:2f:a4:95 1:0:5e:2d:b2:12 ip 418: 169.254.198.47.4041 > 224.173.178.18.ms-sql-m:  udp 376 [ttl 1] 
	                         4500 0194 8e94 0000 0111 26d7 a9fe c62f 
	                         e0ad b212 0fc9 059a 0180 2294 0401 0101 
	                         0101 0101 0101 0101 0101 0101 0101 0101 
	                         0101 0101 0101 0101 0101 0101 0101 0101 
	                         0101 0101 0101 0101 0101 0101 0101 0101 
	                         0101 
	20:56:28.016820 0:2:b3:2f:a4:95 1:0:5e:58:ed:71 ip 418: 169.254.198.47.4041 > reserved-multicast-range-NOT-delegated.example.com.ms-sql-m:  udp 376 [ttl 1] 
	                         4500 0194 8e95 0000 0111 e5cb a9fe c62f 
	                         e658 ed71 0fc9 059a 0180 e189 0401 0101 
	                         0101 0101 0101 0101 0101 0101 0101 0101 
	                         0101 0101 0101 0101 0101 0101 0101 0101 
	                         0101 0101 0101 0101 0101 0101 0101 0101 


	Router the MAC address .. 
	  Internet  202.71.129.197        157   0002.b32f.a495  ARPA 
	FastEthernet6/0 

	I am running snort ...but it didn't detect.... 

	Rgds 
	Jai 





	----- Original Message ----- 
	From: Paul Marcus <paulmarcus at ...468...> 
	To: jai <jai.s at ...6716...> 
	Cc: <snort-users at lists.sourceforge.net> 
	Sent: Saturday, January 25, 2003 8:20 PM 
	Subject: Re: [Snort-users] UDP 1434 


	> http://forums.military.com/1/OpenTopic?a=tpc&s=78919038&f=409192893&m=4551982416 
	> 
	> http://slashdot.org/articles/03/01/25/1245206.shtml?tid=109 
	> 
	> 
	> On Sat, 2003-01-25 at 06:49, jai wrote: 
	> > Hi, 
	> > 
	> > 
	> > I am getting very high traffic on UDP 1434 .... 
	> > 
	> > wht might be the problem 
	> > 
	> > Rgds 
	> > Jai 
	> 
	> 
	> 



	_______________________________________________ 
	Snort-users mailing list 
	Snort-users at lists.sourceforge.net 
	Go to this URL to change user options or unsubscribe: 
	https://lists.sourceforge.net/lists/listinfo/snort-users 
	Snort-users list archive: 
	http://www.geocrawler.com/redir-sf.php3?list=snort-users 
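The hex dump Jai posted is enough to reproduce the two checks a defender wants here: decode the IP/UDP headers to confirm the UDP/1434 worm pattern (first payload byte 0x04 followed by a run of 0x01, declared UDP payload of 376 bytes), and map the frame's source MAC back to the router's ARP entry so the sending host is identified from the link layer rather than from the IP-header source, which in this capture is not a local address. The following is an added example, not code from the thread or from the Snort project; the hex dump, the tcpdump MAC and the ARP line are copied from the messages above, and the worm heuristic (`looks_like_udp1434_worm`) is an assumption of this example, not Snort's rule. It also handles the fact that tcpdump's default snapshot length truncated the packet: the IP header declares 404 bytes, but only 82 were printed.

```python
"""Decode the truncated tcpdump hex dump quoted in the thread, flag the
UDP/1434 worm pattern, and resolve the frame's source MAC via the router's
ARP table to find the real sending host (added example, not the thread's code)."""
import re
import struct

# Hex dump of the first packet, copied verbatim from the tcpdump output above.
HEXDUMP_PKT1 = """
4500 0194 8e94 0000 0111 26d7 a9fe c62f
e0ad b212 0fc9 059a 0180 2294 0401 0101
0101 0101 0101 0101 0101 0101 0101 0101
0101 0101 0101 0101 0101 0101 0101 0101
0101 0101 0101 0101 0101 0101 0101 0101
0101
"""

# Source MAC from the tcpdump line and the router's ARP entry, both from the thread.
FRAME_SRC_MAC = "0:2:b3:2f:a4:95"
ARP_TABLE = "Internet  202.71.129.197        157   0002.b32f.a495  ARPA   FastEthernet6/0\n"


def hexdump_to_bytes(dump: str) -> bytes:
    """Join the whitespace-separated hex words of a tcpdump -x dump into bytes."""
    return bytes.fromhex("".join(dump.split()))


def parse_ip_udp(pkt: bytes) -> dict:
    """Decode the IPv4 and UDP headers; note whether the capture was cut short."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    ttl, proto = pkt[8], pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    info = {"src_ip": src, "dst_ip": dst, "ttl": ttl, "proto": proto,
            "ip_total_len": total_len, "captured": len(pkt)}
    if proto != 17:  # not UDP; nothing more to decode here
        return info
    sport, dport, ulen = struct.unpack("!HHH", pkt[ihl:ihl + 6])
    payload = pkt[ihl + 8:]
    info.update({"sport": sport, "dport": dport,
                 "udp_payload_len": ulen - 8,          # declared by the UDP header
                 "payload": payload,                   # only what was captured
                 "truncated": len(payload) < ulen - 8})
    return info


def looks_like_udp1434_worm(info: dict) -> bool:
    """Heuristic assumed by this example: UDP to 1434, declared payload 376
    bytes, first byte 0x04 then a run of at least 16 x 0x01. Works on a
    truncated capture because it only inspects the prefix that was captured."""
    if info.get("proto") != 17 or info.get("dport") != 1434:
        return False
    if info["udp_payload_len"] != 376:
        return False
    p = info["payload"]
    return p[:1] == b"\x04" and len(p) >= 17 and all(b == 0x01 for b in p[1:17])


def normalize_mac(mac: str) -> str:
    """Canonicalise both tcpdump (0:2:b3:2f:a4:95) and Cisco (0002.b32f.a495) forms."""
    if "." in mac:
        return mac.replace(".", "").lower()
    return "".join(f"{int(part, 16):02x}" for part in mac.split(":"))


def parse_arp_table(text: str) -> dict:
    """Map normalised MAC -> IP from Cisco 'show ip arp' style lines."""
    table = {}
    pat = re.compile(r"\s*Internet\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})")
    for line in text.splitlines():
        m = pat.match(line)
        if m:
            table[normalize_mac(m.group(2))] = m.group(1)
    return table


def analyse(dump: str, src_mac: str, arp_text: str) -> dict:
    """Full check: decode, classify, and resolve the true sender via ARP."""
    info = parse_ip_udp(hexdump_to_bytes(dump))
    info["worm_pattern"] = looks_like_udp1434_worm(info)
    info["sending_host"] = parse_arp_table(arp_text).get(normalize_mac(src_mac))
    info["ip_src_is_sending_host"] = info["sending_host"] == info["src_ip"]
    return info


if __name__ == "__main__":
    r = analyse(HEXDUMP_PKT1, FRAME_SRC_MAC, ARP_TABLE)
    print(f"{r['src_ip']}:{r['sport']} -> {r['dst_ip']}:{r['dport']} ttl={r['ttl']} "
          f"payload={r['udp_payload_len']} captured={len(r['payload'])} truncated={r['truncated']}")
    print("worm pattern:", r["worm_pattern"])
    print("frame sent by", r["sending_host"], "(matches IP-header source:", r["ip_src_is_sending_host"], ")")
```

The point of resolving the MAC is that the IP-header source (a 169.254.0.0/16 link-local address here) tells you nothing about which box to pull off the network; the ARP entry for `0002.b32f.a495` does. A Snort deployment that saw this traffic but produced no alert should first be checked for a rule that matches on UDP destination port 1434 and the `|04|` first payload byte, and for a snaplen large enough to capture the payload the rule inspects.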
