[GTER] Alert: Unknown UDP packets in absurd volumes

Humberto Sartini humbertosartini at gmail.com
Tue Jan 4 09:16:56 -02 2005


Hello

  Below is the link with more information:
  http://isc.sans.org/diary.php?date=2005-01-03

  And some traffic to port 42 (WINS):

01/04/2005 11:05:48.317571 200.173.110.131.4443 >
200.X.X.X.nameserver: . [tcp sum ok] 2368547765:2368547766(1) ack
112645303 win 17520 (DF) (ttl 117, id 31850, len 41)
0x0000	 4500 0029 7c6a 4000 7506 baa4 c8ad 6e83	E..)|j@.u.....n.
0x0010	 c8c3 cecb 115b 002a 8d2d 2bb5 06b6 d4b7	.....[.*.-+.....
0x0020	 5010 4470 aecd 0000 4800 0000 0000     	P.Dp....H.....

01/04/2005 11:06:34.321207 200.80.231.78.1042 > 200.X.X.X.nameserver:
. [tcp sum ok] 1105905868:1105905869(1) ack 109932366 win 17520 (DF)
(ttl 113, id 11666, len 41)
0x0000	 4500 0029 2d92 4000 7106 950e c850 e74e	E..)-.@.q....P.N
0x0010	 c8c3 cecb 0412 002a 41ea c8cc 068d 6f4e	.......*A.....oN
0x0020	 5010 4470 0f66 0000 9000 0000 0000     	P.Dp.f........

01/04/2005 11:07:48.424599 200.173.110.131.4443 >
200.X.X.X.nameserver: . [tcp sum ok] 0:1(1) ack 1 win 17520 (DF) (ttl
117, id 801, len 41)
0x0000	 4500 0029 0321 4000 7506 33ee c8ad 6e83	E..).!@.u.3...n.
0x0010	 c8c3 cecb 115b 002a 8d2d 2bb5 06b6 d4b7	.....[.*.-+.....
0x0020	 5010 4470 aecd 0000 4800 0000 0000     	P.Dp....H.....

01/04/2005 11:08:34.545658 200.80.231.78.1042 > 200.X.X.X.nameserver:
. [tcp sum ok] 0:1(1) ack 1 win 17520 (DF) (ttl 113, id 12249, len 41)
0x0000	 4500 0029 2fd9 4000 7106 92c7 c850 e74e	E..)/.@.q....P.N
0x0010	 c8c3 cecb 0412 002a 41ea c8cc 068d 6f4e	.......*A.....oN
0x0020	 5010 4470 0f66 0000 9000 0000 0000     	P.Dp.f........

01/04/2005 11:09:48.419638 200.173.110.131.4443 >
200.X.X.X.nameserver: . [tcp sum ok] 0:1(1) ack 1 win 17520 (DF) (ttl
117, id 37364, len 41)
0x0000	 4500 0029 91f4 4000 7506 a51a c8ad 6e83	E..)..@.u.....n.
0x0010	 c8c3 cecb 115b 002a 8d2d 2bb5 06b6 d4b7	.....[.*.-+.....
0x0020	 5010 4470 aecd 0000 4800 0000 0000     	P.Dp....H.....

01/04/2005 11:10:34.738316 200.80.231.78.1042 > 200.X.X.X.nameserver:
. [tcp sum ok] 0:1(1) ack 1 win 17520 (DF) (ttl 113, id 12828, len 41)
0x0000	 4500 0029 321c 4000 7106 9084 c850 e74e	E..)2.@.q....P.N
0x0010	 c8c3 cecb 0412 002a 41ea c8cc 068d 6f4e	.......*A.....oN
0x0020	 5010 4470 0f66 0000 9000 0000 0000     	P.Dp.f........

01/04/2005 11:11:48.393747 200.173.110.131.4443 >
200.X.X.X.nameserver: . [tcp sum ok] 0:1(1) ack 1 win 17520 (DF) (ttl
117, id 7260, len 41)
0x0000	 4500 0029 1c5c 4000 7506 1ab3 c8ad 6e83	E..).\@.u.....n.
0x0010	 c8c3 cecb 115b 002a 8d2d 2bb5 06b6 d4b7	.....[.*.-+.....
0x0020	 5010 4470 aecd 0000 4800 0000 0000     	P.Dp....H.....
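To make the dumps above easier to verify, here is an added example (my own code, not part of the post) that decodes tcpdump -x lines like the ones quoted, recovers the header fields tcpdump printed, and flags the pattern they all share: a single-byte ACK-only segment to TCP/42. The sample input is the first packet from the post; function names are my own.

```python
import ipaddress
import re
import struct

# tcpdump -x output of the first packet quoted in the post (hex + ASCII columns)
SAMPLE_DUMP = """\
0x0000   4500 0029 7c6a 4000 7506 baa4 c8ad 6e83   E..)|j@.u.....n.
0x0010   c8c3 cecb 115b 002a 8d2d 2bb5 06b6 d4b7   .....[.*.-+.....
0x0020   5010 4470 aecd 0000 4800 0000 0000        P.Dp....H.....
"""

WINS_PORT = 42
HEX_GROUP = re.compile(r"(?:[0-9a-fA-F]{2}){1,2}")  # "4500" or a trailing "48"

def hexdump_to_bytes(dump: str) -> bytes:
    """Join the hex columns of tcpdump -x lines; the ASCII column is ignored."""
    out = bytearray()
    for line in dump.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith("0x"):
            continue
        for group in fields[1:9]:          # at most 8 groups (16 bytes) per line
            if not HEX_GROUP.fullmatch(group):
                break                      # reached the ASCII column
            out += bytes.fromhex(group)
    return bytes(out)

def parse_packet(raw: bytes) -> dict:
    """Decode the IPv4 and TCP headers and return the fields tcpdump printed."""
    ver_ihl, _, total_len, ident, frag, ttl, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    if proto != 6:
        raise ValueError("not a TCP segment")
    ihl = (ver_ihl & 0x0F) * 4
    raw = raw[:total_len]                  # drop link-layer padding past the IP length
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", raw[ihl:ihl + 16])
    doff = (off_flags >> 12) * 4
    return {
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "id": ident, "df": bool(frag & 0x4000), "ttl": ttl, "len": total_len,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0x1FF, "win": win, "payload": raw[ihl + doff:],
    }

def is_wins_probe(pkt: dict) -> bool:
    """One-byte, ACK-only segment to TCP/42: the shape every dump in the post has."""
    return pkt["dport"] == WINS_PORT and pkt["flags"] == 0x10 and len(pkt["payload"]) == 1
```

Running `parse_packet(hexdump_to_bytes(SAMPLE_DUMP))` reproduces the 4443 > 42, id 31850, ttl 117, len 41 line from the post, with a one-byte payload of 0x48; the trailing zero bytes are frame padding that the IP total length excludes.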

-- 
[ ]'s
Humberto Sartini
http://web.onda.com.br/humberto

On Mon, 3 Jan 2005 22:14:41 -0200, Denny Roger <denny at batori.com.br> wrote:
> Dear all,
> 
> On 30 December 2004 we received several calls related to attacks using
> UDP packets.
> 
> All the machines that were (or still are) sending UDP packets are running
> Windows 2003 Server with DNS/WINS/AD. Everything indicates that the
> technique is exploiting the WINS service.
