Discussion in 'other firewalls' started by Karl_Menshy, Sep 7, 2003.
Lots of hits on UDP port 84 lately (24h). Any explanations? Another worm maybe?
Can you post some logs on this. It'd be interesting to know what the distribution is across source IP addresses and the timing of the connection attempts. If you post a log, post everything available from the log except your own IP address.
>> Another worm maybe?
Perhaps, but not terribly likely. Most worm writers want to infect a large number of systems. To do so, they need to exploit a service that is likely to be running on a large number of systems, and which would present an open port to the Internet...
Port 84/udp appears to be assigned to the "common trace facility (ctf)" in the port lists, but this is not a very common service (as far as I know), so it's unlikely to be running and exposed on many systems. If there is some new exploit related to ctf, then this would be a very specifically (narrowly) focused worm. (Maybe they're trying to exploit DEC OpenVMS systems running DTF.)
If the source IPs vary significantly in your logs, and the rate of hits is several every 5 to 10 minutes, then I'd say it's more likely that someone was trying to use this as a non-standard port for file sharing - maybe to get by ISP port blocks. If the source IPs are all the same or just a couple, then it could actually be ctf, and perhaps you recently picked up an IP address (if yours is dynamic) that was involved in some service related to this assigned purpose.
It might be interesting to capture a few packets to see what's in them.
If you don't have any utility to capture packets, here's a free tool you can use: PortPeeker. It's a very small download in a ZIP file. The application inside doesn't need to be installed, just extract and run it. Tell it to listen on the port and protocol you want and it'll start capturing packets which you can look at in the display window.
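To make the rule of thumb in the post above concrete, here is a small added triage script (not from this thread or from PortPeeker) that counts distinct source addresses and the hit rate for one port/protocol and returns a verdict. The log lines and the "date time PROTO src:sport -> dst:dport" layout are constructed for the example; the thresholds (5+ sources and 3+ hits per 10 minutes) are an assumed reading of the post, so adjust both to your own firewall's format and traffic.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample logs (not real data); one TCP/80 line is included to show filtering.
P2P_LIKE_LOG = """\
2003-09-07 20:14:01 UDP 198.51.100.17:4662 -> 192.0.2.10:84
2003-09-07 20:14:03 UDP 203.0.113.5:3511 -> 192.0.2.10:84
2003-09-07 20:14:05 UDP 198.51.100.88:6346 -> 192.0.2.10:84
2003-09-07 20:14:06 UDP 203.0.113.77:4662 -> 192.0.2.10:84
2003-09-07 20:14:08 UDP 198.51.100.3:1214 -> 192.0.2.10:84
2003-09-07 20:14:10 TCP 203.0.113.9:3128 -> 192.0.2.10:80
2003-09-07 20:14:11 UDP 203.0.113.120:4672 -> 192.0.2.10:84
"""
SINGLE_PEER_LOG = """\
2003-09-07 21:00:00 UDP 198.51.100.200:84 -> 192.0.2.10:84
2003-09-07 21:05:30 UDP 198.51.100.200:84 -> 192.0.2.10:84
2003-09-07 21:11:02 UDP 198.51.100.200:84 -> 192.0.2.10:84
"""
# Assumed generic line layout; change this pattern to match your firewall's log format.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):\d+ -> [\d.]+:(?P<dport>\d+)$"
)

def parse_hits(log_text, dport=84, proto="UDP"):
    """Return sorted (timestamp, source_ip) pairs for hits on one port and protocol."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m and m["proto"] == proto and int(m["dport"]) == dport:
            hits.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["src"]))
    return sorted(hits)

def triage(log_text, dport=84, proto="UDP"):
    """Summarise source spread and hit rate, then apply the thread's rule of thumb."""
    hits = parse_hits(log_text, dport, proto)
    if not hits:
        return {"hits": 0, "sources": 0, "per_10min": 0.0, "verdict": "no matching hits"}
    sources = Counter(src for _, src in hits)
    span = (hits[-1][0] - hits[0][0]).total_seconds()
    per_10min = len(hits) * 600 / span if span > 0 else float(len(hits))  # single hit: span 0
    if len(sources) >= 5 and per_10min >= 3:
        verdict = "many sources, steady rate: likely leftover file-sharing traffic for a previous holder of this IP"
    elif len(sources) <= 2:
        verdict = "one or two sources: could be a genuine ctf peer; capture packets to confirm"
    else:
        verdict = "mixed pattern: capture packets before drawing conclusions"
    return {"hits": len(hits), "sources": len(sources), "per_10min": round(per_10min, 1), "verdict": verdict}
```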
As LWM suggested, the only reference I could find for traffic on that service/port is Common Trace Facility. This is something usually associated with apps used to troubleshoot network problems.
Logs would help, and don't forget if you use PortPeeker or another capture utility, you will have to allow that traffic through your firewall.
Thanks all for the quick replies. I have no logs available at the moment and the phenomenon did not repeat after getting a new IP on the next logon, so I guess it was just some sort of filesharing etc. with uncommon ports. Got an unlucky IP.
No more hits on UDP 84 right now, so I cannot capture any packets, sorry. But I remember that the source IPs changed constantly and hits occurred about every other second.
The most interesting side effect was that I didn't get any of the pings from the recent worms at the same time...strange...
Again, thanks for your help.