I'm getting a lot of hits on port 9032/udp--does anyone know what this is from? It's getting a bit annoying--I've had 21K of these this week alone. I suspect it's a file-sharing program like Kazaa, but I'd like to know for sure before I bring the hammer down on whoever's doing it.

A sample log message (actual IPs redacted):

Dec 18 11:01:01 snowbird kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:c0:4f:52:bc:bc:00:04:dd:6d:df:fd:08:00 SRC=A.B.C.D DST=W.X.Y.Z LEN=52 TOS=0x00 PREC=0x00 TTL=106 ID=2609 PROTO=UDP SPT=6346 DPT=9032 LEN=32

The source port and source IP are variable, but the destination port/protocol is always 9032/udp, and the payload (at least, I assume that's what the second LEN field is) is always 32 bytes.

I realize this is a bit off-topic, but I figured someone on the list would know the answer :) I've googled around a bit, and searched the SecurityFocus lists, without finding an answer. If you know of a better place to ask, or a good place to look for this sort of information, please let me know.

- Bradey
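The analysis Bradey describes (same destination port every time, varying source address and source port, fixed length) is the kind of thing worth scripting rather than eyeballing when the count reaches 21K a week. The following is an added example, not code from the thread or from Shorewall: a small Python parser for netfilter LOG lines in the Shorewall format shown above, which aggregates dropped packets by protocol and destination port and reports how many distinct sources and source ports hit each one. The log lines embedded in it are constructed for the example (RFC 5737 documentation addresses; the original post redacts its IPs). One caveat it encodes: netfilter prints the IP total length first and, for UDP, the UDP length field second, and that second value includes the 8-byte UDP header, so LEN=32 here is 24 bytes of payload.

```python
import re
from collections import Counter, defaultdict

# Shorewall LOG prefix: "Shorewall:<chain>:<action>:" followed by netfilter's key=value fields.
PREFIX_RE = re.compile(r'Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):')
# The key=value fields we care about. MAC= is absent on e.g. ppp interfaces, so nothing is
# assumed mandatory; OUT= may legitimately be empty for packets addressed to the firewall.
FIELD_RE = re.compile(r'\b(IN|OUT|SRC|DST|LEN|TOS|PREC|TTL|ID|PROTO|SPT|DPT)=(\S*)')

# Constructed sample log (not from the original post): three UDP hits on 9032 from three
# different sources and source ports, one unrelated TCP SYN to 445, and one non-firewall line.
SAMPLE_LOG = """\
Dec 18 11:01:01 snowbird kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:c0:4f:52:bc:bc:00:04:dd:6d:df:fd:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=52 TOS=0x00 PREC=0x00 TTL=106 ID=2609 PROTO=UDP SPT=6346 DPT=9032 LEN=32
Dec 18 11:01:07 snowbird kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:c0:4f:52:bc:bc:00:04:dd:6d:df:fd:08:00 SRC=192.0.2.77 DST=198.51.100.5 LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=4410 PROTO=UDP SPT=1214 DPT=9032 LEN=32
Dec 18 11:01:09 snowbird kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= SRC=203.0.113.4 DST=198.51.100.5 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=3 PROTO=UDP SPT=2931 DPT=9032 LEN=32
Dec 18 11:02:30 snowbird kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:c0:4f:52:bc:bc:00:04:dd:6d:df:fd:08:00 SRC=192.0.2.99 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=7721 DF PROTO=TCP SPT=3412 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 18 11:02:31 snowbird sshd[812]: Accepted publickey for bradey from 10.0.0.2 port 51022
"""


def parse_line(line):
    """Parse one Shorewall/netfilter log line into a dict; None if it is not a firewall log."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {'chain': m.group('chain'), 'action': m.group('action')}
    lens = []
    for key, val in FIELD_RE.findall(line, m.end()):
        if key == 'LEN':
            lens.append(int(val))           # LEN appears twice for UDP; keep them in order
        elif key in ('TTL', 'ID', 'SPT', 'DPT'):
            rec[key] = int(val)
        else:
            rec[key] = val
    if lens:
        rec['ip_len'] = lens[0]             # IP total length (header + everything after it)
    if rec.get('PROTO') == 'UDP' and len(lens) > 1:
        rec['udp_len'] = lens[1]            # UDP length field: 8-byte UDP header + payload
        rec['payload_len'] = lens[1] - 8
    return rec


def summarize(lines):
    """Aggregate logged packets by (proto, dport): hit count, distinct sources/source ports,
    and the distribution of UDP payload lengths (None for non-UDP)."""
    hits = Counter()
    srcs, spts = defaultdict(set), defaultdict(set)
    payloads = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if not rec or 'DPT' not in rec:
            continue
        key = (rec['PROTO'], rec['DPT'])
        hits[key] += 1
        srcs[key].add(rec['SRC'])
        spts[key].add(rec['SPT'])
        payloads[key][rec.get('payload_len')] += 1
    return {
        key: {'hits': n, 'distinct_src': len(srcs[key]),
              'distinct_spt': len(spts[key]), 'payload_lens': dict(payloads[key])}
        for key, n in hits.items()
    }


def unsolicited_ports(stats, min_hits=2):
    """Ports hit by more than one distinct source. With conntrack in front of the DROP rule,
    genuine return traffic would have been accepted as ESTABLISHED, so a single local port
    receiving packets from many unrelated peers is unsolicited inbound traffic, not replies."""
    return sorted(k for k, s in stats.items()
                  if s['hits'] >= min_hits and s['distinct_src'] > 1)


if __name__ == '__main__':
    stats = summarize(SAMPLE_LOG.splitlines())
    for (proto, dport), s in sorted(stats.items(), key=lambda kv: -kv[1]['hits']):
        print(f"{proto}/{dport}: {s['hits']} hits, {s['distinct_src']} sources, "
              f"{s['distinct_spt']} source ports, payload lengths {s['payload_lens']}")
    print("unsolicited:", unsolicited_ports(stats))
```

Feed it `grep Shorewall /var/log/messages` (or whatever syslog facility Shorewall logs to on your box) and the noisiest (proto, port) pair comes out on top together with how many peers are sending; on the constructed sample that is UDP/9032 with three sources and a constant 24-byte payload.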
It could of course be anything, including return traffic - especially for games.

For common default ports for most of the common "tools" and services try here:

http://www.robertgraham.com/pubs/index.html

or especially here:

http://www.robertgraham.com/pubs/firewall-seen.html

You may want to install ethereal to get better data on the traffic. Highly recommended: http://www.ethereal.com/

cheers

On Wed, 2002-12-18 at 17:20, Bradey Honsinger wrote:
> I'm getting a lot of hits on port 9032/udp--does anyone know what this is
> from? It's getting a bit annoying--I've had 21K of these this week alone. I
> suspect it's a file-sharing program like Kazaa, but I'd like to know for
> sure before I bring the hammer down on whoever's doing it.
>
> A sample log message (actual IPs redacted):
>
> Dec 18 11:01:01 snowbird kernel: Shorewall:net2all:DROP:IN=eth0 OUT=
> MAC=00:c0:4f:52:bc:bc:00:04:dd:6d:df:fd:08:00 SRC=A.B.C.D DST=W.X.Y.Z LEN=52
> TOS=0x00 PREC=0x00 TTL=106 ID=2609 PROTO=UDP SPT=6346 DPT=9032 LEN=32
>
> The source port and source IP are variable, but the destination
> port/protocol is always 9032/udp, and the payload (at least, I assume that's
> what the second LEN field is) is always 32 bytes.
>
> I realize this is a bit off-topic, but I figured someone on the list would
> know the answer :) I've googled around a bit, and searched the SecurityFocus
> lists, without finding an answer. If you know of a better place to ask, or a
> good place to look for this sort of information, please let me know.
>
> - Bradey
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users
--On Wednesday, December 18, 2002 09:28:47 PM -0500 dbmafox <dbmafox@comcast.net> wrote:

> It could of course be anything, including return traffic - especially
> for games.
>
>> The source port and source IP are variable, but the destination
>> port/protocol is always 9032/udp, and the payload (at least, I assume
>> that's what the second LEN field is) is always 32 bytes.

The constancy of the destination port suggests that this is not return traffic. Plus, with NetFilter's "stateful inspection", unless return packets are very late in arriving or are corrupted (such that they are also logged by the 'logunclean' option) then they shouldn't be logged in the 'all2all' chain (see FAQ 17).

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.sf.net
Washington USA    \ teastep@shorewall.net
On Wed, 2002-12-18 at 18:29, dbmafox@comcast.net wrote:
> It could of course be anything, including return traffic - especially
> for games.

Like Tom said, I don't think it's return traffic--very few applications use a constant _source_ port, although it's true that with UDP programmers can pretty much do whatever they want. I have port-scanned my internal network for machines with open 9032/udp ports, but I didn't find anything.

> For common default ports for most of the common "tools" and
> services try here:
>
> http://www.robertgraham.com/pubs/index.html
>
> or especially here:
>
> http://www.robertgraham.com/pubs/firewall-seen.html

Thanks for the pointers--I did check there first (I probably got that link from this list originally :). Mr. Graham doesn't list 9032/udp, but he concentrates mainly on well-known ports and trojans, so I'm not surprised that it's not there.

> You may want to install ethereal to get better data on the traffic.
> Highly recommended: http://www.ethereal.com/

That's a good idea--I'd rather not run ethereal on my firewall, but I could run tcpdump for a while and use ethereal to grep through the dumps. Of course, even having tcpdump on my firewall makes me a little uncomfortable, but one can only be so paranoid.

I may also try running suspected P2P clients at home, where I'm also running Shorewall, to see what firewall hits I get.

- Bradey
A search for "port 9032 UDP" on Google comes up with several hits that could be the reason.

- Worldcom Telex
- Systech Port Server
- Consors Watchlist ... streaming stock quote thing, I think
- Junos Internet Software

- Colin
On Thursday, December 19, 2002 1:41 PM, Colin Viebrock wrote:
> A search for "port 9032 UDP" on Google comes up with several hits that
> could be the reason.
>
> - Worldcom Telex
> - Systech Port Server
> - Consors Watchlist ... streaming stock quote thing, I think
> - Junos Internet Software

It turned out to be Kazaa, as I suspected--at least, I tracked down the Kazaa user and banged him on the head, and I haven't seen another 9032/udp hit since.

- Bradey
On Fri 20 December 2002 19:22, Bradey Honsinger wrote:
> It turned out to be Kazaa, as I suspected--at least, I tracked down the
> Kazaa user and banged him on the head, and I haven't seen another 9032/udp
> hit since.

I have similar problems some days; what is the way to "bang those guys on the head"?

Thanks,
--
Philippe Berini
PGP Key: http://pypm.nerim.net/phb.asc
On 20 Dec 2002 at 20:27, Philippe Berini wrote:
> On Fri 20 December 2002 19:22, Bradey Honsinger wrote:
>
> > It turned out to be Kazaa, as I suspected--at least, I tracked down
> > the Kazaa user and banged him on the head, and I haven't seen
> > another 9032/udp hit since.
>
> I have similar problems some days; what is the way to "bang those guys
> on the head"?
>
> Thanks,

Perhaps we should ask Tom for another action code, ACCEPT DROP REJECT or BANG ;-)

______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386
_______________________________________
John S. Andersen
NORCOM mailto:JAndersen@norcomsoftware.com
Juneau, Alaska
http://www.screenio.com/