UDP Ports 54929, 46304, 23010

Published: 2009-03-15
Last Updated: 2009-03-15 12:46:47 UTC
by Lorna Hutcheson (Version: 1)
0 comment(s)

Another reader, Tony W., was checking his logs for any activity referenced in Tony Carothers' diary on UDP Port 21713. What he found were the three ports UDP 54929, 46304 and 23010, all of which started being hit at about the same time on his network. When you look at the DShield graphs of these three, they are very similar to the trend on 21713. Is there any correlation? I have no idea at this point. However, while you're checking your logs for 21713, look and see if these ports are showing up as well. If anyone can get packet captures for any of these, that would be most helpful!
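As an added example (not part of the diary), here is a small Python checker for the kind of log review the diary asks for: it parses firewall log lines, counts UDP hits on 21713 and the three new ports, and reports first/last seen and source count per port so you can tell whether they really started at about the same time. The netfilter-style log format and the sample lines are constructed assumptions; adjust the regex to your own firewall's format.

```python
import re
from datetime import datetime

# UDP 21713 from the earlier diary plus the three ports Tony W. reported.
WATCH_PORTS = {21713, 54929, 46304, 23010}

# Constructed sample lines in an assumed netfilter/iptables syslog style.
SAMPLE_LOG = """\
Mar 14 23:12:05 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=UDP SPT=4412 DPT=21713 LEN=36
Mar 14 23:12:09 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=UDP SPT=4413 DPT=54929 LEN=36
Mar 14 23:13:41 fw kernel: IN=eth0 OUT= SRC=192.0.2.22 DST=203.0.113.10 PROTO=TCP SPT=51000 DPT=23010 LEN=60
Mar 15 01:02:17 fw kernel: IN=eth0 OUT= SRC=192.0.2.22 DST=203.0.113.10 PROTO=UDP SPT=51001 DPT=46304 LEN=36
Mar 15 01:02:20 fw kernel: IN=eth0 OUT= SRC=192.0.2.22 DST=203.0.113.10 PROTO=UDP SPT=51002 DPT=23010 LEN=36
Mar 15 01:05:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=UDP SPT=4414 DPT=53 LEN=64
"""

LOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)")

def summarize_port_hits(lines, year=2009, watch=WATCH_PORTS):
    """Per watched UDP port: hit count, first/last timestamp and the set of source IPs."""
    stats = {}
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m.group("proto") != "UDP":   # skip TCP and unparsable lines
            continue
        port = int(m.group("dpt"))
        if port not in watch:
            continue
        # syslog timestamps carry no year, so the caller supplies it
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        e = stats.setdefault(port, {"count": 0, "first": ts, "last": ts, "sources": set()})
        e["count"] += 1
        e["first"] = min(e["first"], ts)
        e["last"] = max(e["last"], ts)
        e["sources"].add(m.group("src"))
    return stats

def first_seen_spread(stats):
    """Seconds between earliest and latest first-seen across ports that appeared (small = started together)."""
    firsts = [e["first"] for e in stats.values()]
    return (max(firsts) - min(firsts)).total_seconds() if firsts else None

if __name__ == "__main__":
    s = summarize_port_hits(SAMPLE_LOG.splitlines())
    for port in sorted(s):
        e = s[port]
        print(f"UDP/{port}: {e['count']} hit(s), first {e['first']}, last {e['last']}, "
              f"{len(e['sources'])} source(s)")
    print("first-seen spread across ports (s):", first_seen_spread(s))
```

Feed it your real firewall log (for example `summarize_port_hits(open("/var/log/firewall.log"))`) and compare the first-seen times against the 21713 activity from the earlier diary.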


What's on your network?

Published: 2009-03-15
Last Updated: 2009-03-15 12:25:00 UTC
by Lorna Hutcheson (Version: 1)
3 comment(s)

I was looking through my Spam folder this evening to see if there was anything interesting in there. Of course I found some of the "standard" phishing attempts that we have come to accept as "normal". While looking at these I got to thinking about how some of them, just from viewing the email (if it uses HTML, as many do), would serve you content pulled from websites you never clicked on. In essence, unsolicited requests would be leaving your network. This led me to think about software that "phones home", and I realized it had been a while since I had heard about any.

I thought I must be missing something, but sure enough my Google search turned up empty for anything in the last few months. So now the real question comes to my mind. Is that because there is nothing "phoning home", or is it because our networks are so large with so much traffic that no one knows what is on their network anymore? I subscribe more to the latter. I think the majority of people (and their management) feel there is simply not enough time to figure out what all the traffic really is, and they have tools to automate things so they don't have to know because the tools do it all for them.

This really concerns me because software products are being released constantly. How much testing really goes on for them? How much hidden functionality really exists? How do you know if your software is doing what it should do? Egress filtering is more important than ever for securing your network. Too often you find people know enough to get the software up and running, but that is about it.

So I have a couple questions I'd like to get feedback on:

  • Is there no software phoning home anymore or are we just missing it?
  • What steps do you take to ensure the software on your network is only talking to, and doing, what it's documented to do?
