[Snort-users] Norton AntiVirus Client Installation Server
cpw at ...440...
Fri Jul 25 12:32:05 EDT 2003
If you have ever wanted to know what might be listening on udp port 38293
on your network, or, why you might see "scans" to it, then read on.
I believe the systems listening on this port are Windows clients of a
Norton AntiVirus Client "server". The reason I am seeing probably more
than my share of scans from various servers around the Internet to port 38293
is that one of our networks is: 220.127.116.11 (which could be a bastardization
of 192.168.22.0 (one of the non-routable type address used for internal
The udp packets have the following properties:
IP total length: 44
IP Protocol: 17
UDP destination port: 38293
First 4 bytes of data: 0x020a00c0
Remaining bytes are one of two hex strings:
1. 4c445650 4869434d 00000000 0000: "LDVPHiCM..."
2. 4869434d 4869434d 00000000 0000: "HiCMHiCM..."
What cinched it for me was taking the source IP address of these packets
and seeing if it might be listening to port 80 [for me this trick sometimes
helps to understand an unresolvable IP address]. Lo and Behold:
=========== modified html ====================================================
[meta NAME="GENERATOR" Content="Microsoft Developer Studio"]
[meta HTTP-EQUIV="Content-Type" content="text/html; charset=iso-8859-1"]
[meta NAME="Copyright" Content="Copyright 2001 Symantec Corporation"]
[!-- Norton AntiVirus Client Installation --]
[!-- Copyright 2001 Symantec Corporation --]
[title]Norton AntiVirus Client Installation </title]
This browser does not support FRAMESET. Please use Internet
Explorer 4.0 or Higher.
If you need assistance, please contact your system administrator
or help desk staff.
I assume that most if not all of the Symantec packets are benign, and the
inordinate number that I see is just the luck of the draw.
Phil Wood, cpw at ...440...
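
Added example, not part of the original post: a Python check that recognises the probe described above in a raw IPv4 packet by its UDP destination port, the leading bytes 0x020a00c0, and the "LDVPHiCM" or "HiCMHiCM" string that follows. The function names, the documentation-range addresses and the sample packets are constructed for illustration; the zero padding is sized to the 44-byte IP total length the post reports.

```python
import struct

NAV_PORT = 38293                      # UDP destination port from the post
MAGIC = bytes.fromhex("020a00c0")     # first 4 bytes of data from the post
TAGS = (b"LDVPHiCM", b"HiCMHiCM")     # ASCII seen after the magic bytes

def classify(packet: bytes):
    """Return the tag of a matching probe in a raw IPv4 packet, or None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4      # header length; honours IP options
    total_len, = struct.unpack_from("!H", packet, 2)
    if ihl < 20 or packet[9] != 17:   # protocol 17 = UDP
        return None
    if total_len > len(packet) or total_len < ihl + 8:
        return None                   # truncated capture or bogus length
    _sport, dport, _udp_len, _csum = struct.unpack_from("!HHHH", packet, ihl)
    if dport != NAV_PORT:
        return None
    payload = packet[ihl + 8:total_len]
    if not payload.startswith(MAGIC):
        return None
    rest = payload[len(MAGIC):]
    for tag in TAGS:
        # Everything after the tag must be zero padding, as in the post's dumps.
        if rest.startswith(tag) and not rest[len(tag):].strip(b"\x00"):
            return tag.decode()
    return None

def build_sample(tag: bytes, dport: int = NAV_PORT, total_len: int = 44) -> bytes:
    """Constructed test packet (not a capture): IPv4 + UDP + magic + tag + zeros."""
    body = (MAGIC + tag).ljust(total_len - 28, b"\x00")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(body), 0)
    return ip + udp + body

if __name__ == "__main__":
    for tag in TAGS + (b"XXXXXXXX",):
        print(tag, "->", classify(build_sample(tag)))
```

The check does not require the total length to be exactly 44, so a capture with more trailing zero bytes still matches.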