[OT] UDP to port 1828 like crazy

Kourosh mailscanner at MINDWARESYSTEMS.COM
Tue Mar 16 22:30:56 GMT 2004


On Tue, 2004-03-16 at 13:59, Michael St. Laurent wrote:
> shrek-m at gmx.de wrote:
> >> I'm seeing tons of network activity all UDP traffic to port 1828.
> >> Is this an indication of a virus?
> >
> > # lsof -Pi :1828
> >
> > # grep 1828 /etc/services /usr/share/nmap/nmap-services
> >
> > http://www.iana.org/assignments/port-numbers
> >
> > itm-mcell-u     1828/tcp    itm-mcell-u
> > itm-mcell-u     1828/udp    itm-mcell-u
>
> Yep, I got this far but could not figure out what software itm-mcell-u was
> referring to...
>
> > google ??
> > trojan virus backdoor dos port udp 1828
> >
> > http://berkeley.intel-research.net/bnc/snortsensor/rules.html
> > 1828 WEB-MISC iPlanet Search directory traversal attempt
>
> But I didn't find the iPlanet stuff.
>
> What is this?  It says WEB-MISC so I'm assuming that it's not virus related.
> We're seeing about 200 packets per second on our network destined to
> 255.255.255.255 UDP Port 1828 each of which has a payload section of 256
> bytes.
>
> --
> Michael St. Laurent
> Hartwell Corporation

You could very well have an infected machine on the network.  Do a
packet capture and see where the packets are coming from.  Track down
the machine and take a look at what's running on it.  That's really the
best way to find out.
--
Kourosh <mailscanner at mindwaresystems.com>
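A worked version of the triage Kourosh describes, added here as an example and not part of the thread. Because the packets go to the limited broadcast address 255.255.255.255, which routers do not forward, the sender has to be on the local segment, so a capture on that segment will show its real source IP. The script assumes text output in the shape of `tcpdump -nn -tt -i eth0 udp and dst port 1828` (one line per packet with an epoch timestamp), counts packets per source per second, and flags any host whose peak rate exceeds a threshold, reporting the payload sizes seen so you can compare them with the 256-byte payloads Michael observed. The capture lines are constructed inline for illustration; the hosts and timestamps are made up. Two caveats the thread leaves implicit: the IANA name "itm-mcell-u" only tells you who registered the port number, not what is actually sending on your LAN, and the "1828" in the Snort rules listing is that rule's ID, not a port, so the iPlanet rule is unrelated to this traffic.

```python
"""Triage a tcpdump text capture for a host spraying UDP broadcasts to port 1828.

Added example, not code from the original thread.  Assumes lines in the form
produced by `tcpdump -nn -tt udp and dst port 1828`, e.g.
  1079476256.000125 IP 10.0.0.37.1828 > 255.255.255.255.1828: UDP, length 256
All hosts and timestamps below are constructed for illustration.
"""
import re
from collections import defaultdict

# One tcpdump -nn -tt UDP line: epoch timestamp, src.port > dst.port, payload length.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$"
)


def parse_capture(text):
    """Yield one dict per parseable UDP line; ARP, TCP and truncated lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            yield {"ts": float(d["ts"]), "src": d["src"], "sport": int(d["sport"]),
                   "dst": d["dst"], "dport": int(d["dport"]), "len": int(d["len"])}


def find_broadcasters(text, dport=1828, dst="255.255.255.255", min_pps=50):
    """Return {src: {packets, peak_pps, payload_lengths}} for every source that sends
    UDP to dst:dport at or above min_pps in some one-second bucket.

    Bucketing by whole second (rather than dividing by total capture span) means a
    short burst is not averaged away over a long, mostly idle capture.
    """
    per_src = defaultdict(lambda: defaultdict(int))  # src -> second -> packet count
    lengths = defaultdict(set)                         # src -> payload sizes seen
    for p in parse_capture(text):
        if p["dport"] == dport and p["dst"] == dst:
            per_src[p["src"]][int(p["ts"])] += 1
            lengths[p["src"]].add(p["len"])
    result = {}
    for src, buckets in per_src.items():
        peak = max(buckets.values())
        if peak >= min_pps:
            result[src] = {
                "packets": sum(buckets.values()),
                "peak_pps": peak,
                "payload_lengths": sorted(lengths[src]),
            }
    return result


def constructed_capture():
    """Constructed sample: one host spraying 200 broadcasts/s for two seconds, a
    second host sending a couple of the same datagrams (below threshold), a DNS
    query, and an ARP line that the parser must ignore."""
    lines = []
    base = 1079476256.0  # constructed epoch timestamp (16 Mar 2004)
    for sec in range(2):
        for i in range(200):
            ts = base + sec + i / 200.0
            lines.append(f"{ts:.6f} IP 10.0.0.37.1828 > 255.255.255.255.1828: UDP, length 256")
    lines.append(f"{base + 0.5:.6f} IP 10.0.0.5.1828 > 255.255.255.255.1828: UDP, length 256")
    lines.append(f"{base + 1.5:.6f} IP 10.0.0.5.1828 > 255.255.255.255.1828: UDP, length 256")
    lines.append(f"{base + 0.7:.6f} IP 10.0.0.9.51234 > 10.0.0.1.53: UDP, length 40")
    lines.append(f"{base + 0.8:.6f} ARP, Request who-has 10.0.0.1 tell 10.0.0.9, length 28")
    return "\n".join(lines)


if __name__ == "__main__":
    # In practice: tcpdump -nn -tt -i eth0 udp and dst port 1828 > cap.txt
    # and pass open("cap.txt").read() instead of the constructed capture.
    for src, info in find_broadcasters(constructed_capture()).items():
        print(f"{src}: {info['packets']} pkts, peak {info['peak_pps']} pps, "
              f"payload sizes {info['payload_lengths']} -> inspect this host")
```

Once a source is flagged, the next step is the one Kourosh gives: go to that machine and see what process owns the socket (`lsof -Pi :1828` on Unix, `netstat -ano` on Windows) rather than trying to identify the traffic from the port number alone.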
