What's up with 14323?
One reader submitted a question about a large amount of blocked traffic.
Most of the blocked traffic was to port 14323 and alternated between UDP and TCP.
Some of the blocked traffic targeted port 33435 too. I edited his logs slightly to protect the submitter's identity and to eliminate some of the "duplicates". If you have additional information or packets, please provide them via our contacts link.
Wed Apr 09 11:37:21 2008 Unrecognized attempt blocked from 91.122.128.9:11125 to victim’s_ip UDP:14323
Wed Apr 09 11:37:21 2008 Unrecognized attempt blocked from 91.122.128.9:11125 to victim’s_ip UDP:14323
Wed Apr 09 11:37:22 2008 Unrecognized attempt blocked from 91.122.128.9:11125 to victim’s_ip UDP:14323
Wed Apr 09 11:37:22 2008 Unrecognized attempt blocked from 91.122.128.9:11125 to victim’s_ip UDP:14323
Wed Apr 09 11:44:02 2008 Unrecognized attempt blocked from 91.122.52.114:3283 to victim’s_ip TCP:14323
Wed Apr 09 11:44:05 2008 Unrecognized attempt blocked from 91.122.52.114:3283 to victim’s_ip TCP:14323
Wed Apr 09 11:45:04 2008 Unrecognized attempt blocked from 78.60.140.172:19132 to victim’s_ip UDP:14323
Wed Apr 09 12:52:52 2008 Unrecognized attempt blocked from 66.35.46.201:11354 to victim’s_ip UDP:33435
Wed Apr 09 12:52:57 2008 Unrecognized attempt blocked from 66.35.46.201:11354 to victim’s_ip UDP:33435
Wed Apr 09 12:53:27 2008 Unrecognized attempt blocked from 78.60.140.172:19132 to victim’s_ip UDP:14323
Wed Apr 09 12:57:24 2008 Unrecognized attempt blocked from 122.162.33.190:21920 to victim’s_ip UDP:14323
UPDATE
We have received several packets matching some of the IP addresses and ports listed above. They had very low TTLs, so I think this is some sort of traceroute tool. I didn't believe it was before because of the mix of TCP and UDP; those are not normally used together in traceroute tools. I still do not know what tool created these, but I do believe it is some sort of traceroute-like tool.
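To make the pattern in the submitted log easier to see, here is an added example (not part of the original diary or the submitter's material) that parses the block events quoted above and groups them by source address, source port, protocol and destination port, reporting how many hits each flow produced and over what time span. It also flags destination ports in 33434-33534, the range classic UDP traceroute steps through (33434 is the default base port, incremented once per probe); the 33434-33534 bound is an assumption taken from common firewall rule sets. That check explains the 33435 hits but says nothing about 14323, which is consistent with the diary's conclusion that the tool is unidentified. The log lines embedded below are the diary's own, copied verbatim as constructed input.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed input: the log lines quoted in the diary, copied verbatim
# ("victim’s_ip" is the submitter's masked address, kept as it appears).
LOG = """\
Wed Apr 09 11:37:21 2008 Unrecognized attempt blocked from 91.122.128.9:11125 to victim’s_ip UDP:14323
Wed Apr 09 11:37:21 2008 Unrecognized attempt blocked from 91.122.128.9:11125 to victim’s_ip UDP:14323
Wed Apr 09 11:37:22 2008 Unrecognized attempt blocked from 91.122.128.9:11125 to victim’s_ip UDP:14323
Wed Apr 09 11:37:22 2008 Unrecognized attempt blocked from 91.122.128.9:11125 to victim’s_ip UDP:14323
Wed Apr 09 11:44:02 2008 Unrecognized attempt blocked from 91.122.52.114:3283 to victim’s_ip TCP:14323
Wed Apr 09 11:44:05 2008 Unrecognized attempt blocked from 91.122.52.114:3283 to victim’s_ip TCP:14323
Wed Apr 09 11:45:04 2008 Unrecognized attempt blocked from 78.60.140.172:19132 to victim’s_ip UDP:14323
Wed Apr 09 12:52:52 2008 Unrecognized attempt blocked from 66.35.46.201:11354 to victim’s_ip UDP:33435
Wed Apr 09 12:52:57 2008 Unrecognized attempt blocked from 66.35.46.201:11354 to victim’s_ip UDP:33435
Wed Apr 09 12:53:27 2008 Unrecognized attempt blocked from 78.60.140.172:19132 to victim’s_ip UDP:14323
Wed Apr 09 12:57:24 2008 Unrecognized attempt blocked from 122.162.33.190:21920 to victim’s_ip UDP:14323
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"Unrecognized attempt blocked from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>\S+) (?P<proto>TCP|UDP):(?P<dport>\d+)$"
)

# Classic UDP traceroute starts at destination port 33434 and steps up by one
# per probe; the 33434-33534 bound is an assumption (common firewall rule range).
TRACEROUTE_PORTS = range(33434, 33535)


def parse(log):
    """Turn the firewall's block lines into dicts; lines that do not match are skipped."""
    records = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        records.append({
            "ts": datetime.strptime(d["ts"], "%a %b %d %H:%M:%S %Y"),
            "src": d["src"], "sport": int(d["sport"]),
            "proto": d["proto"], "dport": int(d["dport"]),
        })
    return records


def summarize(records):
    """Group by (src, sport, proto, dport) and report hit count, seconds between the
    first and last hit, and whether the destination port is a classic traceroute port."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["src"], r["sport"], r["proto"], r["dport"])].append(r["ts"])
    out = {}
    for key, times in groups.items():
        times.sort()
        out[key] = {
            "count": len(times),
            "span_s": int((times[-1] - times[0]).total_seconds()),
            "classic_traceroute_port": key[2] == "UDP" and key[3] in TRACEROUTE_PORTS,
        }
    return out


if __name__ == "__main__":
    for key, s in sorted(summarize(parse(LOG)).items()):
        src, sport, proto, dport = key
        flag = "  [classic traceroute port]" if s["classic_traceroute_port"] else ""
        print(f"{src}:{sport} -> {proto}/{dport}: {s['count']} hits over {s['span_s']}s{flag}")
```

The firewall log carries no TTL, so it cannot confirm the low-TTL observation by itself; a packet capture can. On the victim's side, `tcpdump -n 'ip[8] < 10 and (dst port 14323 or dst port 33435)'` selects only packets whose IPv4 TTL byte (offset 8 in the header) is below 10, which is what a traceroute-style probe that has only a few hops left looks like on arrival.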
ISC Podcast Episode Number 2
Hey everyone, just to let you know we put out Episode 2 of the Internet Storm Center podcast today, available, as always, on iTunes: http://phobos.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=276609412 as well as on our website here: http://isc.sans.org/podcast.xml. The audio is getting better as I am getting better with Garageband. ;)
We discuss the hottest news from the past two weeks of the Internet Storm Center diaries, as well as our Microsoft "Reboot Wednesday" commentary on Microsoft's Tuesday's patches.
We'd also like to thank Paul and Larry of Pauldotcom's podcast for mentioning us! We appreciate it!
Joel Esler
Critical vulnerabilities in Adobe Flash Player
Adobe has released a security bulletin today, APSB08-11, addressing multiple vulnerabilities in Adobe Flash Player 9.0.115.0 and earlier, and 8.0.39.0 and earlier, that could allow remote execution of arbitrary code. The update also includes countermeasures against DNS rebinding attacks and changes to cross-domain policy handling.
Updating to the newest Adobe Flash Player version, 9.0.124.0, is strongly recommended.
Check your current Adobe Flash Player version on Adobe's "about" page (before and after applying the update), and run the test in every Web browser you use, such as IE (ActiveX control), Firefox and Safari: each browser may load a different copy of the player and require a separate installation. Specific instructions for updating each OS and/or browser are available here; remember that you may need administrative access to your computer and will have to restart your browser.
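Because each browser can report a different installed player, the comparison has to be done per browser and numerically. The following is an added example (not Adobe's code, not from the diary) that parses the two version strings a browser exposes and compares them against the fixed release named in APSB08-11. The input formats are assumptions about the plug-in APIs rather than something the diary states: the ActiveX control used by IE answers GetVariable("$version") with a string like "WIN 9,0,115,0", and the NPAPI plug-in used by Firefox and Safari describes itself as "Shockwave Flash 9.0 r115". The per-browser report dictionary at the bottom is constructed sample input.

```python
import re

# Fixed release named in APSB08-11; per the bulletin, 9.0.115.0 and earlier
# and 8.0.39.0 and earlier are affected, so anything below FIXED needs the update.
FIXED = (9, 0, 124, 0)


def parse_flash_version(s):
    """Parse the two formats a browser reports (assumed plug-in API formats):
    ActiveX  GetVariable("$version") -> "WIN 9,0,115,0"
    NPAPI    plugin description       -> "Shockwave Flash 9.0 r115"
    Returns a 4-tuple of ints, or None if the string is not recognized."""
    m = re.search(r"(\d+),(\d+),(\d+),(\d+)", s)
    if m:
        return tuple(int(x) for x in m.groups())
    m = re.search(r"(\d+)\.(\d+)\s+r(\d+)", s)
    if m:
        return (int(m.group(1)), int(m.group(2)), int(m.group(3)), 0)
    return None


def flash_status(s):
    """'fixed', 'affected', or 'unknown' for a reported version string.
    Tuples compare field by field as integers; a plain string comparison
    would wrongly rank "9.0.99" above "9.0.124"."""
    v = parse_flash_version(s)
    if v is None:
        return "unknown"
    return "fixed" if v >= FIXED else "affected"


def browsers_needing_update(reports):
    """reports maps a browser name to the version string that browser reports.
    Anything not positively 'fixed' (including unparseable strings) is listed."""
    return sorted(name for name, s in reports.items() if flash_status(s) != "fixed")


# Constructed sample: one machine, three browsers, each with its own player copy.
SAMPLE_REPORTS = {
    "IE (ActiveX)": "WIN 9,0,124,0",
    "Firefox": "Shockwave Flash 9.0 r115",
    "Safari": "Shockwave Flash 8.0 r39",
}

if __name__ == "__main__":
    for name, s in SAMPLE_REPORTS.items():
        print(f"{name}: {s!r} -> {flash_status(s)}")
    print("needs update:", browsers_needing_update(SAMPLE_REPORTS))
```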
If you are a developer, check Adobe's warning about potential compatibility issues introduced by this update:
Due to the possibility that these security enhancements and changes may impact existing Flash content, content developers are advised to review this March 2008 Adobe Developer Center article to determine if the changes will affect their content, and to begin implementing necessary changes immediately to help ensure a seamless transition.
CVEs: CVE-2007-5275, CVE-2007-6243, CVE-2007-6637, CVE-2007-6019, CVE-2007-0071, CVE-2008-1655, CVE-2008-1654
--
Raul Siles
www.raulsiles.com