Incident: 02-24-02 11:46am

Multiple, simultaneous probes to an unusual combination: udp:22 and udp:5632

This is interesting: same source IP, 12.82.137.244, same source port, 3243, same payload -- hex 4E 51, dec NQ, to udp port 5632:PCAnywhereStat and then to udp 22:ssh, .029959 sec apart.


That was my comment when I first saw this; here's a portion of an email I got after I posted the second incident to intrusions@incidents.org:

An excerpt (mildly edited) from a Symantec KB article:

 The pcAnywhere use of IP ports changes with the version of pcAnywhere
 used. Earlier versions used ports 22 (UDP) and 65301 (TCP). These
 ports were not registered. Beginning with version 7.5, pcAnywhere uses
 the ports 5631 (TCP) and 5632 (UDP).  These ports are registered with
 the Internet Assigned Numbers Authority (IANA). The following is a
 brief summary by version:

 pcAnywhere 9.2 and pcAnywhere 10.x use ports 5631 and 5632 only.
 pcANYWHERE32 8.0 and pcAnywhere 9.0 use ports 5631 and 5632, but they
 will fall back to 22 and 65301 if no hosts are found on 5631 or 5632.
 pcANYWHERE32 7.5 uses ports 5631 and 5632.
 pcANYWHERE32 7.0 uses ports 22 and 65301. pcANYWHERE 2.0 uses ports 22
 and 65301.

So apparently this may be an older version of PCAnywhere...

...but I'm still a little suspicious!


The raw logs from /var/logs/messages:


Feb 24 11:51:04 greatwall snort: [1:0:0] UDP to 5632 PCAnywherestat {UDP}
 12.82.137.244:3243 -> 12.82.137.151:5632
Feb 24 11:51:04 greatwall snort: [1:0:0] UDP to 22 ssh {UDP}
 12.82.137.244:3243 -> 12.82.137.151:22
Feb 24 11:51:04 greatwall kernel: Packet log: input DENY ppp0 PROTO=17
 12.82.137.244:3243 12.82.137.151:5632
 L=30 S=0x00 I=51761 F=0x0000 T=127 (#76)
Feb 24 11:51:04 greatwall kernel: Packet log: input DENY ppp0 PROTO=17
 12.82.137.244:3243 12.82.137.151:22
 L=30 S=0x00 I=52017 F=0x0000 T=127 (#65)
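The raw records above are wrapped onto continuation lines, and the useful check a defender wants from them is whether every snort alert has a matching kernel DENY for the same datagram. The following is an added example, not part of the original write-up: it re-joins the wrapped syslog records, parses the snort alert and ipchains "Packet log" formats shown above, and pairs each alert with the firewall verdict by 5-tuple. The four page records are used as input; the fifth record (from 10.9.8.7, with no kernel line) is constructed to show the case that needs chasing. Field names and the regexes are assumptions based only on the line layout visible here.

```python
import re

# Constructed sample input: the four wrapped records quoted from
# /var/log/messages above (page values), plus one constructed snort alert
# from 10.9.8.7 that has no matching kernel record (not on the page).
RAW_MESSAGES = """\
Feb 24 11:51:04 greatwall snort: [1:0:0] UDP to 5632 PCAnywherestat {UDP}
 12.82.137.244:3243 -> 12.82.137.151:5632
Feb 24 11:51:04 greatwall snort: [1:0:0] UDP to 22 ssh {UDP}
 12.82.137.244:3243 -> 12.82.137.151:22
Feb 24 11:51:04 greatwall kernel: Packet log: input DENY ppp0 PROTO=17
 12.82.137.244:3243 12.82.137.151:5632
 L=30 S=0x00 I=51761 F=0x0000 T=127 (#76)
Feb 24 11:51:04 greatwall kernel: Packet log: input DENY ppp0 PROTO=17
 12.82.137.244:3243 12.82.137.151:22
 L=30 S=0x00 I=52017 F=0x0000 T=127 (#65)
Feb 24 11:52:30 greatwall snort: [1:0:0] UDP to 22 ssh {UDP}
 10.9.8.7:4444 -> 12.82.137.151:22
"""

SYSLOG_PREFIX = r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
# snort 1.x syslog alert: "[sid] message {PROTO} src:sport -> dst:dport"
SNORT_RE = re.compile(
    SYSLOG_PREFIX + r'snort: \[(?P<sid>[\d:]+)\] (?P<msg>.+?) \{(?P<proto>\w+)\} '
    r'(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$')
# ipchains (2.2 kernel) packet log; L= total length, I= IP ID, T= TTL, (#n) rule number
KERNEL_RE = re.compile(
    SYSLOG_PREFIX + r'kernel: Packet log: (?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) '
    r'PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) '
    r'L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ip_id>\d+) F=0x(?P<frag>[0-9a-fA-F]+) '
    r'T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)$')
PROTO_NAMES = {'1': 'ICMP', '6': 'TCP', '17': 'UDP'}  # ipchains logs the IP protocol number


def unwrap(text):
    """Re-join records that were wrapped; continuation lines start with a space."""
    records = []
    for line in text.splitlines():
        if line.startswith(' ') and records:
            records[-1] += line          # the leading space becomes the field separator
        else:
            records.append(line)
    return records


def correlate(text):
    """Pair every snort alert with the kernel verdict logged for the same 5-tuple.

    Returns one dict per alert. 'verdict' is the ipchains target (DENY/REJECT/ACCEPT)
    or 'NO-FW-RECORD' when nothing was logged for that datagram: either it was
    accepted silently or the matching rule does not log, and both need checking.
    """
    alerts, verdicts = [], {}
    for rec in unwrap(text):
        m = SNORT_RE.match(rec)
        if m:
            alerts.append(m.groupdict())
            continue
        k = KERNEL_RE.match(rec)
        if k:
            d = k.groupdict()
            proto = PROTO_NAMES.get(d['proto'], d['proto'])
            verdicts[(proto, d['src'], d['sport'], d['dst'], d['dport'])] = d
    results = []
    for a in alerts:
        v = verdicts.get((a['proto'], a['src'], a['sport'], a['dst'], a['dport']))
        results.append({
            'src': a['src'], 'sport': int(a['sport']), 'dport': int(a['dport']),
            'msg': a['msg'],
            'verdict': v['verdict'] if v else 'NO-FW-RECORD',
            'rule': int(v['rule']) if v else None,
            'ip_id': int(v['ip_id']) if v else None,
            'ttl': int(v['ttl']) if v else None,
            'length': int(v['length']) if v else None,
        })
    return results


def unblocked(results):
    """Alerts for which the firewall did not log a DENY or REJECT."""
    return [r for r in results if r['verdict'] not in ('DENY', 'REJECT')]


if __name__ == '__main__':
    for r in correlate(RAW_MESSAGES):
        print(f"{r['src']}:{r['sport']} -> :{r['dport']:<5} {r['verdict']:<13} "
              f"rule={r['rule']} id={r['ip_id']} ttl={r['ttl']}  {r['msg']}")
```

For the two page records the output shows DENY with rule numbers 76 and 65, and the I= values (51761 and 52017) are the IP IDs that also appear in the snort packet dumps, so both sensors can be tied to the same datagrams. L=30 is the full IP datagram length (20 IP + 8 UDP + 2 payload bytes).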

And a more formatted rendition:


Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
snort:
Feb 24 11:51:04 greatwall snort: [1:0:0] UDP to 5632 PCAnywherestat {UDP}
 12.82.137.244:3243 -> 12.82.137.151:5632

ipchains:
Feb 24 11:51:04 greatwall kernel: Packet log: input DENY ppp0 PROTO=17
 12.82.137.244:3243 12.82.137.151:5632
 L=30 S=0x00 I=51761 F=0x0000 T=127 (#76)

snort packet dump:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/24-11:51:04.223376 12.82.137.244:3243 -> 12.82.137.151:5632
UDP TTL:127 TOS:0x0 ID:51761 IpLen:20 DgmLen:30 Len: 10

4E 51                                            NQ

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
snort:
Feb 24 11:51:04 greatwall snort: [1:0:0] UDP to 22 ssh {UDP}
 12.82.137.244:3243 -> 12.82.137.151:22

ipchains:
Feb 24 11:51:04 greatwall kernel: Packet log: input DENY ppp0 PROTO=17
 12.82.137.244:3243 12.82.137.151:22
 L=30 S=0x00 I=52017 F=0x0000 T=127 (#65)

snort packet dump:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/24-11:51:04.253335 12.82.137.244:3243 -> 12.82.137.151:22
UDP TTL:127 TOS:0x0 ID:52017 IpLen:20 DgmLen:30 Len: 10

4E 51                                            NQ

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
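The packet dumps carry the three facts the write-up rests on: the identical two-byte payload, the sub-second spacing between the 5632 and 22 probes from one source port, and the IP header fields. As an added example (not code from the original write-up), the block below parses snort's UDP dump header layout as shown above, decodes the hex column, and groups packets by source IP and port to flag the "5632 then 22" fallback pattern. It assumes the header lines have exactly the field layout seen here; the third packet from 10.9.8.7 is constructed to show a source that does not match.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: the two snort packet dumps shown above (page values),
# plus one constructed packet from 10.9.8.7 that probes only port 22.
SNORT_DUMP = """\
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/24-11:51:04.223376 12.82.137.244:3243 -> 12.82.137.151:5632
UDP TTL:127 TOS:0x0 ID:51761 IpLen:20 DgmLen:30 Len: 10

4E 51                                            NQ

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/24-11:51:04.253335 12.82.137.244:3243 -> 12.82.137.151:22
UDP TTL:127 TOS:0x0 ID:52017 IpLen:20 DgmLen:30 Len: 10

4E 51                                            NQ

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/24-11:52:30.000000 10.9.8.7:4444 -> 12.82.137.151:22
UDP TTL:64 TOS:0x0 ID:7 IpLen:20 DgmLen:31 Len: 11

53 53 48                                         SSH

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

HEADER_RE = re.compile(
    r'^(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.(\d{6}) '
    r'(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$')
# snort 1.x prints no year, so the caller supplies it
IPHDR_RE = re.compile(
    r'^UDP TTL:(\d+) TOS:0x[0-9A-Fa-f]+ ID:(\d+) IpLen:(\d+) DgmLen:(\d+) Len: (\d+)$')
HEX_PAIR_RE = re.compile(r'^[0-9A-Fa-f]{2}$')


def printable(data):
    """Render bytes the way snort's ASCII column does: non-printables become '.'."""
    return ''.join(chr(b) if 32 <= b < 127 else '.' for b in data)


def parse_snort_dump(text, year=2002):
    """Return one dict per UDP packet in a snort packet dump."""
    packets, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i].strip())
        if not m:
            i += 1
            continue
        mon, day, hh, mm, ss, us, src, sport, dst, dport = m.groups()
        h = IPHDR_RE.match(lines[i + 1].strip())
        if not h:
            raise ValueError('unexpected header line: ' + lines[i + 1])
        ttl, ip_id, iplen, dgmlen, udplen = map(int, h.groups())
        payload = bytearray()
        i += 2
        # hex dump lines follow until the next timestamp header; the hex column is
        # separated from the ASCII column by at least two spaces
        while i < len(lines) and not HEADER_RE.match(lines[i].strip()):
            hexpart = re.split(r'\s{2,}', lines[i].strip(), maxsplit=1)[0]
            toks = hexpart.split()
            if toks and all(HEX_PAIR_RE.match(t) for t in toks):
                payload.extend(int(t, 16) for t in toks)
            i += 1
        payload = bytes(payload)
        packets.append({
            'ts': datetime(year, int(mon), int(day), int(hh), int(mm), int(ss), int(us)),
            'src': src, 'sport': int(sport), 'dst': dst, 'dport': int(dport),
            'ttl': ttl, 'ip_id': ip_id, 'dgmlen': dgmlen, 'udplen': udplen,
            'payload': payload, 'ascii': printable(payload),
            # sanity check: UDP length minus the 8-byte UDP header must equal the payload
            'length_ok': udplen - 8 == len(payload) and dgmlen == iplen + udplen,
        })
    return packets


def find_fallback_probes(packets, ports=(5632, 22), window=timedelta(seconds=1)):
    """Flag (src, sport) pairs that hit every port in `ports` within `window`."""
    by_source = {}
    for p in packets:
        by_source.setdefault((p['src'], p['sport']), []).append(p)
    findings = []
    for (src, sport), pkts in by_source.items():
        hit = {p['dport']: p for p in pkts if p['dport'] in ports}
        if len(hit) != len(ports):
            continue
        seq = sorted(hit.values(), key=lambda p: p['ts'])
        delta = seq[-1]['ts'] - seq[0]['ts']
        if delta > window:
            continue
        findings.append({
            'src': src, 'sport': sport,
            'order': [p['dport'] for p in seq],
            'gap_us': delta // timedelta(microseconds=1),
            'same_payload': len({p['payload'] for p in seq}) == 1,
            'payload_ascii': seq[0]['ascii'],
            'ttl': seq[0]['ttl'],
            'ip_id_delta': seq[-1]['ip_id'] - seq[0]['ip_id'],
        })
    return findings


if __name__ == '__main__':
    for f in find_fallback_probes(parse_snort_dump(SNORT_DUMP)):
        print(f)
```

Run against the page's two dumps it reports one source, 12.82.137.244:3243, order [5632, 22], a gap of 29959 microseconds (the ".029959 sec apart" in the opening comment), identical payloads rendered as "NQ" (the author's "dec NQ" is the ASCII column, not a decimal value), TTL 127 on both and IP IDs exactly 256 apart. "NQ" is the two-byte query pcAnywhere clients send to UDP 5632 when scanning for hosts, which fits the Symantec excerpt: a client that gets no answer on 5632 tries the legacy port 22 next.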


host:
[toot@sparky /storage/snort/old_snorts/022402]# host 12.82.137.244
244.137.82.12.in-addr.arpa. domain name pointer 244.seattle-23-24rs.wa.dial-access.att.net.


BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman 

Request: 12.82.137.244
connecting to whois.arin.net [63.146.182.182:43] ...

AT&T ITS (NET-ATT)
   200 Laurel Avenue South
   Middletown, NJ 07748
   US    

Netname: ATT
   Netblock: 12.0.0.0 - 12.255.255.255
   Maintainer: ATTW    

Coordinator:
      Kostick, Deirdre  (DK71-ARIN)  help@IP.ATT.NET
      (888)613-6330    

Domain System inverse mapping provided by: 
   DBRU.BR.NS.ELS-GMS.ATT.NET   199.191.128.106
   DMTU.MT.NS.ELS-GMS.ATT.NET   12.127.16.70
   CBRU.BR.NS.ELS-GMS.ATT.NET   199.191.128.105
   CMTU.MT.NS.ELS-GMS.ATT.NET   12.127.16.69


jsage@finchhaven.com
Last modified: Tue Mar 12 20:07:37 2002