[Snort-users] Norton AntiVirus Client Installation Server

Phil Wood cpw at ...440...
Fri Jul 25 12:32:05 EDT 2003


Folks,

If you have ever wanted to know what might be listening on udp port 38293
on your network, or, why you might see "scans" to it, then read on.  

I believe the systems listening on this port are Windows clients of a 
Norton AntiVirus Client "server".  The reason I am seeing probably more
than my share of scans from various servers around the Internet to port 38293
is that one of our networks is 192.16.22.0 (which could be a bastardization
of 192.168.22.0, one of the non-routable type addresses used for internal
networks).

The udp packets have the following properties:

  IP total length: 44
  IP Protocol: 17
  UDP destination port: 38293
  First 4 bytes of data: 0x020a00c0
  Remaining bytes are one of two hex strings:
    1. 4c445650  4869434d  00000000 0000: "LDVPHiCM..."
    2. 4869434d  4869434d  00000000 0000: "HiCMHiCM..."

What cinched it for me was taking the source IP address of these packets
and seeing if it might be listening to port 80 [for me this trick sometimes
helps to understand an unresolvable IP address].  Lo and Behold:

=========== modified html ====================================================
  [html]
  [head]
  [meta NAME="GENERATOR" Content="Microsoft Developer Studio"]
  
  [meta HTTP-EQUIV="Content-Type" content="text/html; charset=iso-8859-1"]
  [meta NAME="Copyright" Content="Copyright 2001 Symantec Corporation"]
  
  [!-- Norton AntiVirus Client Installation --]
  [!-- Copyright 2001 Symantec Corporation --]
  
  [title]Norton AntiVirus Client Installation [/title]
  [/head]
  
      [frameset COLS="100%,*"]
          [frame SRC="OSCheck.htm"]
  
      [/frameset]
  
      [noframes]
          [b]
              This browser does not support FRAMESET. Please use Internet
              Explorer 4.0 or Higher.
              If you need assistance, please contact your system administrator
              or help desk staff.
          [/b]
      [/noframes]
  
  [/html]
==============================================================================

I assume that most if not all of the Symantec packets are benign, and the 
inordinate number that I see is just the luck of the draw.

Later,

Phil
-- 
Phil Wood, cpw at ...440...
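The packet properties listed in the post, turned into a small builder and classifier, as an added example that is not part of the original message or of any Symantec software. It constructs a sample IPv4/UDP datagram with the fields Phil lists (protocol 17, destination port 38293, IP total length 44, the 4-byte prefix 0x020a00c0, and one of the two ASCII strings) and then checks an arbitrary raw packet against that same pattern. The IP addresses, source port, IP ID and TTL are made-up values; the payload is assumed to be 16 bytes (prefix, 8 ASCII bytes, 4 zero bytes), which is what makes the IP total length come out to 44 as the post reports.

```python
"""Build and recognise the UDP/38293 datagrams described in the post.

Added example; not code from the original message or from Symantec.
"""
import socket
import struct

NAV_UDP_PORT = 38293
NAV_MAGIC = bytes.fromhex("020a00c0")        # first 4 payload bytes from the post
NAV_TAGS = (b"LDVPHiCM", b"HiCMHiCM")        # the two ASCII strings from the post


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 791). Returns 0 for a
    header that already carries a valid checksum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_nav_probe(src_ip: str, dst_ip: str, src_port: int, tag: bytes) -> bytes:
    """Construct a sample IPv4/UDP datagram with the properties in the post.

    Assumption (constructed sample): payload = magic + 8-byte tag + 4 zero
    bytes = 16 bytes, so IP total length = 20 + 8 + 16 = 44. IP ID and TTL
    are arbitrary; the UDP checksum is left at 0 (not present)."""
    payload = NAV_MAGIC + tag + b"\x00" * 4
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", src_port, NAV_UDP_PORT, udp_len, 0)
    total_len = 20 + udp_len
    ip_wo_sum = struct.pack("!BBHHHBBH4s4s",
                            0x45, 0, total_len, 0x1234, 0, 64, 17, 0,
                            socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    csum = ipv4_checksum(ip_wo_sum)
    ip = ip_wo_sum[:10] + struct.pack("!H", csum) + ip_wo_sum[12:]
    return ip + udp + payload


def classify_nav_probe(packet: bytes):
    """Return a dict describing the packet if it matches the post's pattern,
    else None. Every field the post lists is checked: protocol 17, IP total
    length 44, UDP destination port 38293, the 4-byte magic, and one of the
    two ASCII tags. Truncated or checksum-corrupt IP headers are rejected."""
    if len(packet) < 28:                          # 20-byte IP + 8-byte UDP minimum
        return None
    ver_ihl = packet[0]
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    proto = packet[9]
    if proto != 17 or total_len != 44 or len(packet) < total_len or ihl < 20:
        return None
    if ipv4_checksum(packet[:ihl]) != 0:
        return None
    src_ip = socket.inet_ntoa(packet[12:16])
    dst_ip = socket.inet_ntoa(packet[16:20])
    sport, dport, udp_len = struct.unpack("!HHH", packet[ihl:ihl + 6])
    if dport != NAV_UDP_PORT or udp_len < 8 + 12:
        return None
    payload = packet[ihl + 8:ihl + udp_len]
    if not payload.startswith(NAV_MAGIC):
        return None
    tag = payload[4:12]
    if tag not in NAV_TAGS:
        return None
    return {"src": src_ip, "dst": dst_ip, "sport": sport, "dport": dport,
            "magic": payload[:4].hex(), "tag": tag.decode("ascii")}


if __name__ == "__main__":
    # Constructed sample traffic: two probes towards the 192.16.22.0 network
    # mentioned in the post, plus an ordinary DNS-port packet for contrast.
    for t in NAV_TAGS:
        pkt = build_nav_probe("10.9.8.7", "192.16.22.42", 1026, t)
        print(len(pkt), classify_nav_probe(pkt))
```

The same match expressed as a Snort content rule would key on the first four payload bytes (`content:"|02 0a 00 c0|"; depth:4;`) with `udp any any -> any 38293`; that is the fingerprint the classifier above applies after validating the IP and UDP headers, which a rule engine does for you.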
