LinuxQuestions.org
Old 07-16-2006, 11:03 PM   #1
gabsik
Member
 
Registered: Dec 2005
Location: This planet
Distribution: Debian,Xubuntu
Posts: 567

Rep: Reputation: 30
udp on port 5005


I'm getting this log targeted as DOS by my router
Code:
Jul 16 23:09:20 netgear UDP Packet - Source:x.x.x.27,3479 Destination:192.168.0.2,5005 - [DOS]
Jul 16 23:09:20 netgear UDP Packet - Source:x.x.x.22,3478 Destination:192.168.0.2,5005 - [DOS]
Jul 16 23:09:20 netgear UDP Packet - Source:x.x.x.27,3479 Destination:192.168.0.2,5005 - [DOS]
Jul 16 23:09:20 netgear UDP Packet - Source:x.x.x..22,3478 Destination:192.168.0.2,5005 - [DOS]
Jul 16 23:09:20 netgear UDP Packet - Source:x.x.x.27,3479 Destination:192.168.0.2,5005 - [DOS]
Jul 16 23:09:20 netgear UDP Packet - Source:x.x.x.22,3478 Destination:192.168.0.2,5005 - [DOS]
Jul 16 23:09:20 netgear UDP Packet - Source:x.x.x.27,3479 Destination:192.168.0.2,5005 - [DOS]
Jul 16 23:09:20 netgear UDP Packet - Source:x.x.x.27,3479 Destination:192.168.0.2,5005 - [DOS]
Jul 16 23:09:20 netgear UDP Packet - Source:x.x.x.22,3478 Destination:192.168.0.2,5005 - [DOS]
Jul 16 23:09:20 netgear UDP Packet - Source:x.x.x.27,3479 Destination:192.168.0.2,5005 - [DOS]
Jul 16 23:09:20 netgear UDP Packet - Source:x.x.x.22,3478 Destination:192.168.0.2,5005 - [DOS]
Jul 16 23:09:20 netgear UDP Packet - Source:x.x.x.27,3479 Destination:192.168.0.2,5005 - [DOS]
Jul 16 23:09:20 netgear UDP Packet - Source:x.x.x.22,3478 Destination:192.168.0.2,5005 - [DOS]
Jul 16 23:09:20 netgear UDP Packet - Source:x.x.x.27,3479 Destination:192.168.0.2,5005 - [DOS]
Jul 16 23:09:21 netgear UDP Packet - Source:x.x.x.22,3478 Destination:192.168.0.2,5005 - [DOS]
Jul 16 23:09:21 netgear UDP Packet - Source:x.x.x.27,3479 Destination:192.168.0.2,5005 - [DOS]
Jul 16 23:09:21 netgear UDP Packet - Source:x.x.x.22,3478 Destination:192.168.0.2,5005 - [DOS]
Jul 16 23:09:21 netgear UDP Packet - Source:x.x.x.27,3479 Destination:192.168.0.2,5005 - [DOS]
Jul 16 23:09:21 netgear UDP Packet - Source:x.x.x.22,3478 Destination:192.168.0.2,5005 - [DOS]
The source IP changes in the last octet ... they are hitting port 5005 UDP.
I would like a clue on UDP scans and on port 5005.
cheers
 
Old 07-17-2006, 12:26 AM   #2
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
From my FC box:
Code:
[anomie@fc ~]$ grep '5005' /etc/services 
avt-profile-2   5005/tcp                        # avt-profile-2
avt-profile-2   5005/udp                        # avt-profile-2
So add that guy's network to your deny list (at the router level or Linux box level).
 
Old 07-17-2006, 01:14 AM   #3
lnxconvrt
Member
 
Registered: Mar 2002
Location: Houston
Distribution: FC3, Mandrake 10.x, various others at times
Posts: 113

Rep: Reputation: 18
Doing a little Googling, it seems that RTP (Real Time Protocol) also can use 5005 udp, and can be a trojan program. Apparently RTP is used by VOIP programs.

In any case, if you don't run any service on port 5005, and only allow the outside world to access ports that you specify, it is probably not something that you need to worry about.
 
Old 07-17-2006, 08:38 PM   #4
Russell Griffiths
LQ Newbie
 
Registered: May 2006
Location: Sydney, Australia
Distribution: Red Hat 7.3
Posts: 27

Rep: Reputation: 15
Gabsik

I get the same thing on various ports .. every day .. all day.

It's a basic DDOS (Distributed Denial of Service Attack) on your (and my) router. These things proliferate around the world as viruses that infect many computers (hence, distributed) and you get floods of UDP packets to your IP address looking for a response from random ports.

My reports look the same as yours .. here's a two-day grab sample, showing the different ports being the target.

If you want to see what programs (if any) use those ports, you can check at this site ..
http://www.iss.net/security_center/a...xploits/Ports/
and of course on Linux, there's a file named 'services' in your /etc directory, which shows what TCP and UDP ports are in use, or exposed on your system. If the attack is directed at one of your active ports (eg you are running a web-exposed server) then you are in trouble indeed!

As long as your firewall is blocking them all, as it seems to be, the only probs are ..
a) that your router/firewall is 'busy' reading, then denying, all these packets, and is thus sometimes too busy to service your legitimate traffic. This is what constitutes the 'denial of service' attack. Flood your router so you can't get any effective use of it, and of course ..
b) the fact that you are paying, by the megabyte, in most cases, for 'download traffic' on your connection. So these guys are 'spinning your dials' on the meter, for no benefit to you.
Sometimes I think ISPs themselves run this sh*t to keep the bills mounting.

2 examples from my logs
Hope this has been helpful

Grif

Tue, 2006-07-11 09:59:09 - UDP Packet - Source:24.46.129.172,10062 Destination:203.206.166.56,24586 - [DOS]
Tue, 2006-07-11 09:59:09 - UDP Packet - Source:80.212.58.81,6346 Destination:203.206.166.56,24586 - [DOS]
Tue, 2006-07-11 09:59:09 - UDP Packet - Source:68.116.145.169,5365 Destination:203.206.166.56,24586 - [DOS]
Tue, 2006-07-11 09:59:09 - UDP Packet - Source:216.139.124.68,19185 Destination:203.206.166.56,24586 - [DOS]

Fri, 2006-07-14 07:30:23 - UDP Packet - Source:70.18.188.18,50985 Destination:203.206.166.56,6140 - [DOS]
Fri, 2006-07-14 07:30:24 - UDP Packet - Source:24.94.216.254,13945 Destination:203.206.166.56,6140 - [DOS]
Fri, 2006-07-14 07:30:24 - UDP Packet - Source:196.27.90.123,33046 Destination:203.206.166.56,6140 - [DOS]
Fri, 2006-07-14 07:30:25 - UDP Packet - Source:139.168.234.122,63371 Destination:203.206.166.56,6140 - [DOS]
 
Old 07-18-2006, 12:12 AM   #5
gabsik
Member
 
Registered: Dec 2005
Location: This planet
Distribution: Debian,Xubuntu
Posts: 567

Original Poster
Rep: Reputation: 30
They often take my router down :
Code:
Jul 18 05:03:33 argo Tcp_WinWorms: IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=87.11.179.94 DST=192.168.0.2 LEN=48 TOS=00 PREC=0x00 TTL=122 ID=13435 DF PROTO=TCP SPT=1074 DPT=139 SEQ=1654734241 ACK=0 WINDOW=64800 SYN URGP=0
Jul 18 05:03:33 argo NOPASSARAN: IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=87.11.179.94 DST=192.168.0.2 LEN=48 TOS=00 PREC=0x00 TTL=122 ID=13435 DF PROTO=TCP SPT=1074 DPT=139 SEQ=1654734241 ACK=0 WINDOW=64800 SYN URGP=0
Jul 18 05:03:34 argo Tcp_WinWorms: IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=87.11.105.249 DST=192.168.0.2 LEN=48 TOS=00 PREC=0x00 TTL=121 ID=63999 CE DF PROTO=TCP SPT=3406 DPT=135 SEQ=240838738 ACK=0 WINDOW=16384 SYN URGP=0
Jul 18 05:03:34 argo NOPASSARAN: IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=87.11.105.249 DST=192.168.0.2 LEN=48 TOS=00 PREC=0x00 TTL=121 ID=63999 CE DF PROTO=TCP SPT=3406 DPT=135 SEQ=240838738 ACK=0 WINDOW=16384 SYN URGP=0
A solution? Why not tarpit them ... !?
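As an added example (not code from any poster in this thread), a small Python parser that reads both log formats quoted here, the Netgear router's "UDP Packet ... [DOS]" line from post #1 and the iptables LOG line from post #5, and labels each destination port as a flood (many packets per second at one port, which is what the router tags [DOS]) or a scan (one source walking several ports, like the 135/139 hits). The sample addresses, MAC and the thresholds are made up.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample (addresses made up) in the two formats quoted in this
# thread: the Netgear router "UDP Packet" line and the iptables LOG line.
SAMPLE = """\
Jul 16 23:09:20 netgear UDP Packet - Source:10.9.8.27,3479 Destination:192.168.0.2,5005 - [DOS]
Jul 16 23:09:20 netgear UDP Packet - Source:10.9.8.22,3478 Destination:192.168.0.2,5005 - [DOS]
Jul 16 23:09:20 netgear UDP Packet - Source:10.9.8.27,3479 Destination:192.168.0.2,5005 - [DOS]
Jul 16 23:09:21 netgear UDP Packet - Source:10.9.8.22,3478 Destination:192.168.0.2,5005 - [DOS]
Jul 16 23:09:21 netgear UDP Packet - Source:10.9.8.27,3479 Destination:192.168.0.2,5005 - [DOS]
Jul 18 05:03:33 argo Tcp_WinWorms: IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00  SRC=10.7.7.94 DST=192.168.0.2 LEN=48 TOS=00 PREC=0x00 TTL=122 ID=13435 DF PROTO=TCP SPT=1074 DPT=139 SEQ=1 ACK=0 WINDOW=64800 SYN URGP=0
Jul 18 05:03:34 argo Tcp_WinWorms: IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00  SRC=10.7.7.94 DST=192.168.0.2 LEN=48 TOS=00 PREC=0x00 TTL=122 ID=13436 DF PROTO=TCP SPT=1075 DPT=135 SEQ=2 ACK=0 WINDOW=64800 SYN URGP=0
Jul 18 05:03:35 argo Tcp_WinWorms: IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00  SRC=10.7.7.94 DST=192.168.0.2 LEN=48 TOS=00 PREC=0x00 TTL=122 ID=13437 DF PROTO=TCP SPT=1076 DPT=445 SEQ=3 ACK=0 WINDOW=64800 SYN URGP=0
"""
TS = r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "  # syslog stamp plus hostname
ROUTER = re.compile(TS + r"(UDP|TCP) Packet - Source:([\d.]+),(\d+) Destination:([\d.]+),(\d+)")
IPT = re.compile(TS + r".*?SRC=([\d.]+) DST=([\d.]+) .*?PROTO=(\w+) SPT=(\d+) DPT=(\d+)")

def parse_line(line):
    """Normalise a line of either format into an event dict (None if no match)."""
    if m := ROUTER.match(line):
        ts, proto, src, sport, dst, dport = m.groups()
    elif m := IPT.match(line):
        ts, src, dst, proto, sport, dport = m.groups()
    else:
        return None
    # syslog stamps carry no year; strptime's default 1900 is harmless, only differences are used
    return {"ts": datetime.strptime(ts, "%b %d %H:%M:%S"), "proto": proto,
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}

def classify(lines, flood_pps=5, scan_ports=3):
    """Per (proto, dport): packet count, distinct sources, packets/second and a verdict:
    'flood' = many packets/second at one port; 'scan' = one source walking several ports."""
    events = [e for e in map(parse_line, lines) if e]
    by_port, ports_by_src = defaultdict(list), defaultdict(set)
    for e in events:
        by_port[(e["proto"], e["dport"])].append(e)
        ports_by_src[e["src"]].add(e["dport"])
    scanners = {s for s, p in ports_by_src.items() if len(p) >= scan_ports}
    report = {}
    for key, evs in by_port.items():
        stamps = [e["ts"] for e in evs]
        pps = len(evs) / max(1.0, (max(stamps) - min(stamps)).total_seconds())
        srcs = {e["src"] for e in evs}
        verdict = "flood" if pps >= flood_pps else "scan" if srcs & scanners else "noise"
        report[key] = {"packets": len(evs), "sources": len(srcs),
                       "pps": round(pps, 1), "verdict": verdict}
    return report
```

Run `classify(SAMPLE.splitlines())` to get the per-port report; feeding it real router or kernel log lines works the same way as long as the addresses are not redacted.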
 