Incident: 03-10-02 22:02pm

This is a second instance of a udp:5632 -- udp:22 probe I've seen; the other is at:

022402_udp_22_5632.html

Down below is a copy of the post I made to intrusions@incidents.org about this signature...

And here's part of an email response I got about my post... 

An excerpt (mildly edited) from a Symantec KB article:

 The pcAnywhere use of IP ports changes with the version of pcAnywhere
 used. Earlier versions used ports 22 (UDP) and 65301 (TCP). These
 ports were not registered. Beginning with version 7.5, pcAnywhere uses
 the ports 5631 (TCP) and 5632 (UDP).  These ports are registered with
 the Internet Assigned Numbers Authority (IANA). The following is a
 brief summary by version:

 pcAnywhere 9.2 and pcAnywhere 10.x use ports 5631 and 5632 only.
 pcANYWHERE32 8.0 and pcAnywhere 9.0 use ports 5631 and 5632, but it
 will fall back to  22 and 65301 if no hosts are found on 5631 or 5632.
 pcANYWHERE32 7.5 uses ports 5631 and 5632.
 pcANYWHERE32 7.0 uses ports 22 and 65301. pcANYWHERE 2.0 uses ports 22
 and 65301.

And sure enough, in http://www.neohapsis.com/neolabs/neo-ports/neo-ports.svcs: 

Adoresshd       22/tcp          #[trojan] Adore sshd
Shaft           22/tcp          #[trojan] Shaft
ssh             22/tcp          #SSH Remote Login Protocol
pcanywhere      22/udp          #PCAnywhere (deprecated)
ssh             22/udp          #SSH Remote Login Protocol

(And no more than 25 minutes after the first probe, he came baaack...)

Date: Sun, 10 Mar 2002 22:37:06 -0800
From: John Sage 
To: intrusions@incidents.org
Subject: New tool? udp:5632 and udp:22
User-Agent: Mutt/1.2.5i

This is the second time I've seen this specific pattern:

Security Violations
=-=-=-=-=-=-=-=-=-=-=
syslog/logcheck:

Mar 10 22:02:15 greatwall snort: [1:0:0] UDP to 5632 PCAnywherestat {UDP}
 12.82.132.121:3714 -> 12.82.132.33:5632
Mar 10 22:02:15 greatwall snort: [1:0:0] UDP to 22 ssh {UDP}
 12.82.132.121:3714 -> 12.82.132.33:22


ipchains:

Mar 10 22:02:15 greatwall kernel: Packet log: input DENY ppp0 PROTO=17
 12.82.132.121:3714 12.82.132.33:5632
 L=30 S=0x00 I=14022 F=0x0000 T=127 (#76)
Mar 10 22:02:15 greatwall kernel: Packet log: input DENY ppp0 PROTO=17
 12.82.132.121:3714 12.82.132.33:22
 L=30 S=0x00 I=14278 F=0x0000 T=127 (#65)


Note the same source port 3714 - probing first udp:5632, then udp:22


snort packet capture:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/10-22:02:15.209607 12.82.132.121:3714 -> 12.82.132.33:5632
UDP TTL:127 TOS:0x0 ID:14022 IpLen:20 DgmLen:30
Len: 10
4E 51                                            NQ 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 
03/10-22:02:15.229603 12.82.132.121:3714 -> 12.82.132.33:22
UDP TTL:127 TOS:0x0 ID:14278 IpLen:20 DgmLen:30
Len: 10
4E 51                                            NQ 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+



The previous event can be seen at:

http://www.finchhaven.com/pages/incidents/022402_udp_22_5632.html


host:

[toot@sparky ~/]# host 12.82.132.121
121.132.82.12.in-addr.arpa. domain name pointer 121.seattle-11-12rs.wa.dial-access.att.net


You'll note the IP address is almost identical to mine; this is the
little punk on a dialup who probes me and everybody else constantly;
most of the time he's playing around with SubSeven.

Think he's got a new toy?


- John
-- 
Most people don't type their own logfiles;  but, what do I care?

And no more than 25 minutes later, he's baaaack...

Security Violations
=-=-=-=-=-=-=-=-=-=
Mar 10 22:27:31 greatwall snort: [1:0:0] UDP to 5632 PCAnywherestat {UDP}
 12.82.132.121:3766 -> 12.82.132.33:5632
Mar 10 22:27:31 greatwall snort: [1:0:0] UDP to 22 ssh {UDP}
 12.82.132.121:3766 -> 12.82.132.33:22

Mar 10 22:27:31 greatwall kernel: Packet log: input DENY ppp0 PROTO=17
 12.82.132.121:3766 12.82.132.33:5632
 L=30 S=0x00 I=23040 F=0x0000 T=127 (#76)
Mar 10 22:27:31 greatwall kernel: Packet log: input DENY ppp0 PROTO=17
 12.82.132.121:3766 12.82.132.33:22
 L=30 S=0x00 I=23296 F=0x0000 T=127 (#65)

Same deal both times:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/10-22:02:15.209607 12.82.132.121:3714 -> 12.82.132.33:5632
UDP TTL:127 TOS:0x0 ID:14022 IpLen:20 DgmLen:30
Len: 10
4E 51                                            NQ 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 
03/10-22:02:15.229603 12.82.132.121:3714 -> 12.82.132.33:22
UDP TTL:127 TOS:0x0 ID:14278 IpLen:20 DgmLen:30
Len: 10
4E 51                                            NQ 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 
03/10-22:27:31.183411 12.82.132.121:3766 -> 12.82.132.33:5632
UDP TTL:127 TOS:0x0 ID:23040 IpLen:20 DgmLen:30
Len: 10
4E 51                                            NQ 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 
03/10-22:27:31.223376 12.82.132.121:3766 -> 12.82.132.33:22
UDP TTL:127 TOS:0x0 ID:23296 IpLen:20 DgmLen:30
Len: 10
4E 51                                            NQ 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
jsage@finchhaven.com
Last modified: Tue Mar 12 20:02:56 2002