LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 06-29-2009, 09:35 PM   #1
Ejaz
Massive UDP traffic on port 62997


Hi,
During recent days I received a massive increase in UDP traffic on port 62997. Interestingly all the traffic is directed to a single destination machine whose IP address is x.x.x.221. All of the traffic has a 110 byte payload. The traffic is normally from a small number of sources, all from China, and they use a large number of source ports. The sample payload is given below:

0000 6a 00 00 00 00 32 00 01 01 00 00 06 00 00 15 00 j....2..........
0010 00 00 31 e9 0d 41 74 a1 3c 01 dd d0 2f 32 33 09 ..1..At.<.../23.
0020 3a 01 a8 c0 f6 15 00 01 00 04 00 00 00 1f 27 00 :.............'.
0030 00 02 00 15 00 00 00 55 d1 0d ae 69 a1 3c 01 dd .......U...i.<..
0040 cf b5 83 15 f6 50 01 a8 c0 f6 15 00 04 00 04 00 .....P..........
0050 00 00 09 00 00 00 05 00 08 00 00 00 26 e1 0d 7b ............&..{
0060 70 a1 3c 01 06 00 04 00 00 00 00 00 00 00 p.<...........


A similar behaviour is observed on port 6660, which is used by IRC. The same destination address and destination port was targeted. One similar activity is observed on ports 13000-14000, with the same destination address being targeted. However, in this case a large number of sources have been observed, again all from China. Any insight into this matter will be highly appreciated.

Cheers,
Ejaz
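As an added example (not part of the original post), the Python below rebuilds the quoted hex dump into bytes so the 110-byte payload size can be confirmed, and then runs a small aggregator over constructed tcpdump-style lines to flag the pattern described in the post: one destination, UDP/62997, a fixed payload size, few sources using many source ports. The log lines and addresses (documentation ranges, with 198.51.100.221 standing in for x.x.x.221) are constructed for the example, and the tcpdump line format is assumed.

```python
"""Added example: parse the posted hex dump and summarise matching UDP flows.
Not code from the original thread; sample log lines are constructed."""
import re
from collections import defaultdict

# Hex dump copied from the post (offset, up to 16 hex bytes, ASCII column).
HEX_DUMP = """\
0000 6a 00 00 00 00 32 00 01 01 00 00 06 00 00 15 00 j....2..........
0010 00 00 31 e9 0d 41 74 a1 3c 01 dd d0 2f 32 33 09 ..1..At.<.../23.
0020 3a 01 a8 c0 f6 15 00 01 00 04 00 00 00 1f 27 00 :.............'.
0030 00 02 00 15 00 00 00 55 d1 0d ae 69 a1 3c 01 dd .......U...i.<..
0040 cf b5 83 15 f6 50 01 a8 c0 f6 15 00 04 00 04 00 .....P..........
0050 00 00 09 00 00 00 05 00 08 00 00 00 26 e1 0d 7b ............&..{
0060 70 a1 3c 01 06 00 04 00 00 00 00 00 00 00 p.<...........
"""

HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")


def parse_hexdump(text: str) -> bytes:
    """Rebuild payload bytes from a tcpdump/Wireshark-style dump.

    Each line is: 4-digit hex offset, up to 16 hex bytes, then an ASCII column.
    We take at most 16 hex-looking tokens per line and stop at the first token
    that is not a hex byte, which drops the ASCII column. The offset of every
    line is checked against the bytes collected so far to catch a skipped line.
    Caveat: on a short last line an ASCII column that happens to start with a
    two-hex-char token (e.g. "ab") would be misread as data."""
    out = bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        offset = int(tokens[0], 16)
        if offset != len(out):
            raise ValueError(f"offset {offset:#06x} does not follow {len(out):#06x}")
        taken = 0
        for tok in tokens[1:]:
            if taken == 16 or not HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
            taken += 1
    return bytes(out)


def leading_dword_le(payload: bytes) -> int:
    """First four bytes read as a little-endian integer. For the posted dump this
    is 0x6a = 106, which equals the payload length minus 4. That is consistent
    with a length-prefixed message, but it is only a hypothesis to test against
    more captures, not a known fact about whatever protocol this is."""
    return int.from_bytes(payload[:4], "little")


# Assumed tcpdump one-line format: "IP src.sport > dst.dport: UDP, length N".
TCPDUMP_LINE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<spt>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dpt>\d+): UDP, length (?P<len>\d+)"
)

# Constructed sample lines (documentation address ranges, not real hosts).
SAMPLE_LOG = [
    "IP 203.0.113.5.40001 > 198.51.100.221.62997: UDP, length 110",
    "IP 203.0.113.5.40002 > 198.51.100.221.62997: UDP, length 110",
    "IP 203.0.113.5.40003 > 198.51.100.221.62997: UDP, length 110",
    "IP 203.0.113.9.51000 > 198.51.100.221.62997: UDP, length 110",
    "IP 203.0.113.9.51000 > 198.51.100.221.62997: UDP, length 110",
    "IP 192.0.2.77.53 > 198.51.100.221.33120: UDP, length 87",  # unrelated DNS reply
    "IP 203.0.113.5.40004 > 198.51.100.221.62997: UDP, length 64",  # wrong size, ignored
]


def summarize_udp(lines, dport=62997, payload_len=110):
    """Group datagrams to dport with the given payload size by source address.
    Returns, per source: packet count, number of distinct source ports, and the
    destinations seen. Many distinct source ports from one source is the pattern
    the poster describes."""
    per_src = defaultdict(lambda: {"packets": 0, "sports": set(), "dsts": set()})
    for line in lines:
        m = TCPDUMP_LINE.search(line)
        if not m or int(m["dpt"]) != dport or int(m["len"]) != payload_len:
            continue
        entry = per_src[m["src"]]
        entry["packets"] += 1
        entry["sports"].add(int(m["spt"]))
        entry["dsts"].add(m["dst"])
    return {
        src: {"packets": e["packets"],
              "distinct_sports": len(e["sports"]),
              "dsts": sorted(e["dsts"])}
        for src, e in per_src.items()
    }


if __name__ == "__main__":
    payload = parse_hexdump(HEX_DUMP)
    print(f"payload bytes: {len(payload)}, first dword (LE): {leading_dword_le(payload)}")
    for src, info in summarize_udp(SAMPLE_LOG).items():
        print(src, info)
```

Feed `summarize_udp` the lines from a capture such as `tcpdump -nn udp port 62997` to get the per-source picture the post describes; the payload parser is independent of that and works on any dump pasted in the same layout.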
 
Old 07-01-2009, 06:01 AM   #2
nowonmai
It's possible you're part of a botnet... part of the Command & Control structure by the sounds of it. Are you running an IRC server? Is it fully patched?
What services have you got listening? Do netstat -pan to see a list.