[Emerging-Sigs] observation on 2008041 and 2008042

Jack Pepper pepperjack at afferentsecurity.com
Tue Mar 25 12:56:31 EST 2008


The machines that hit on 2008041 or 2008042 *also* have this
interesting-looking UDP traffic:

12:46:09.878059 IP 172.16.1.35.2087 > 65.31.211.35.3533: UDP, length 292
         0x0000:  4500 0140 49d7 0000 8011 2e60 ac10 0123  E..@I......`...#
         0x0010:  411f d323 0827 0dcd 012c ec6f ef81 c3a2  A..#.'...,.o....
         0x0020:  0000 5e65 1fb7 27da b2ac a13e 7aee cf09  ..^e..'....>z...
         0x0030:  acf8 3f5e d2a5 0eb2 6d6c 8e95 43ea 11f1  ..?^....ml..C...
         0x0040:  023b 6f24 c7a8 9d28 db45 b88c 0711 dd03  .;o$...(.E......
12:46:09.878063 IP 172.16.1.35.2087 > 70.129.226.182.4002: UDP, length 292
         0x0000:  4500 0140 49d8 0000 8011 196a ac10 0123  E..@I......j...#
         0x0010:  4681 e2b6 0827 0fa2 012c 3658 f688 666e  F....'...,6X..fn
         0x0020:  0000 58a8 c518 44b5 8477 49ac c3dd 6270  ..X...D..wI...bp
         0x0030:  0854 a37c d11d 61c9 f8b9 7b72 4729 faf4  .T.|..a...{rG)..
         0x0040:  c45c 204a 3034 6ffb c646 1e13 eeb2 7656  .\.J04o..F....vV
12:46:09.878355 IP 172.16.1.35.2087 > 69.149.164.155.60199: UDP, length 292
         0x0000:  4500 0140 49d9 0000 7f11 5970 ac10 0123  E..@I.....Yp...#
         0x0010:  4595 a49b 0827 eb27 012c 7b82 9bb7 b8d7  E....'.'.,{.....
         0x0020:  0000 6731 f772 e410 6b7b bdb2 b8ca accf  ..g1.r..k{......
         0x0030:  4060 7edc cbc6 b22b 75cf b379 f128 35ef  @`~....+u..y.(5.
         0x0040:  3b61 d55f 2f0d fb3e bebb a413 c29d 7029  ;a._/..>......p)
12:46:09.878360 IP 172.16.1.35.2087 > 69.149.164.155.60199: UDP, length 292
         0x0000:  4500 0140 49d9 0000 8011 5870 ac10 0123  E..@I.....Xp...#
         0x0010:  4595 a49b 0827 eb27 012c 7b82 9bb7 b8d7  E....'.'.,{.....
         0x0020:  0000 6731 f772 e410 6b7b bdb2 b8ca accf  ..g1.r..k{......
         0x0030:  4060 7edc cbc6 b22b 75cf b379 f128 35ef  @`~....+u..y.(5.
         0x0040:  3b61 d55f 2f0d fb3e bebb a413 c29d 7029  ;a._/..>......p)


Always 292 bytes.  All the remotes appear to be dialup or DSL.
Anybody else seeing this?

jp
-- 

Framework?  I don't need no stinking framework!

----------------------------------------------------------------
@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com
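Added example, not part of the post above: a small Python script that parses `tcpdump -X` records like the ones quoted, hand-decodes the IPv4 and UDP headers from the hex bytes to confirm tcpdump's summary (0x0140 total length = 20-byte IP header + 8-byte UDP header + 292-byte payload, protocol 0x11 = UDP), and then applies the triage heuristic the post implies: one internal source port emitting same-sized UDP payloads to several distinct, non-private hosts. The sample input is the first two hex lines of each of the four packets from the post; the threshold of three destinations is an arbitrary choice for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Sample input: the summary line and first two hex lines of each packet from the post.
# Two hex lines (32 bytes) are enough to cover the IPv4 and UDP headers.
SAMPLE = """\
12:46:09.878059 IP 172.16.1.35.2087 > 65.31.211.35.3533: UDP, length 292
         0x0000:  4500 0140 49d7 0000 8011 2e60 ac10 0123  E..@I......`...#
         0x0010:  411f d323 0827 0dcd 012c ec6f ef81 c3a2  A..#.'...,.o....
12:46:09.878063 IP 172.16.1.35.2087 > 70.129.226.182.4002: UDP, length 292
         0x0000:  4500 0140 49d8 0000 8011 196a ac10 0123  E..@I......j...#
         0x0010:  4681 e2b6 0827 0fa2 012c 3658 f688 666e  F....'...,6X..fn
12:46:09.878355 IP 172.16.1.35.2087 > 69.149.164.155.60199: UDP, length 292
         0x0000:  4500 0140 49d9 0000 7f11 5970 ac10 0123  E..@I.....Yp...#
         0x0010:  4595 a49b 0827 eb27 012c 7b82 9bb7 b8d7  E....'.'.,{.....
12:46:09.878360 IP 172.16.1.35.2087 > 69.149.164.155.60199: UDP, length 292
         0x0000:  4500 0140 49d9 0000 8011 5870 ac10 0123  E..@I.....Xp...#
         0x0010:  4595 a49b 0827 eb27 012c 7b82 9bb7 b8d7  E....'.'.,{.....
"""

SUMMARY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)"
)
# Hex groups end at the double space that precedes tcpdump's ASCII column.
HEX_RE = re.compile(r"^\s*0x[0-9a-f]{4}:\s+(?P<hex>[0-9a-f ]+?)(?:\s{2}|$)")


def decode_ipv4_udp(raw: bytes) -> dict:
    """Decode the IPv4 header (and UDP header, if protocol 17) at the start of raw."""
    ihl = (raw[0] & 0x0F) * 4                       # header length in bytes
    fields = {
        "ihl": ihl,
        "total_len": int.from_bytes(raw[2:4], "big"),
        "ip_id": int.from_bytes(raw[4:6], "big"),
        "ttl": raw[8],
        "proto": raw[9],
        "src": str(ip_address(raw[12:16])),
        "dst": str(ip_address(raw[16:20])),
    }
    if fields["proto"] == 17 and len(raw) >= ihl + 8:
        fields["sport"] = int.from_bytes(raw[ihl:ihl + 2], "big")
        fields["dport"] = int.from_bytes(raw[ihl + 2:ihl + 4], "big")
        fields["udp_len"] = int.from_bytes(raw[ihl + 4:ihl + 6], "big")
        fields["payload_len"] = fields["udp_len"] - 8  # UDP length includes its 8-byte header
    return fields


def parse_tcpdump(text: str) -> list:
    """Turn tcpdump -X output into one dict per packet, with decoded header fields."""
    packets, current = [], None
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            current = {"ts": m["ts"], "src": m["src"], "sport": int(m["sport"]),
                       "dst": m["dst"], "dport": int(m["dport"]),
                       "claimed_len": int(m["len"]), "hex": ""}
            packets.append(current)
            continue
        h = HEX_RE.match(line)
        if h and current is not None:
            current["hex"] += h["hex"].replace(" ", "")
    for p in packets:
        raw = bytes.fromhex(p.pop("hex"))
        if len(raw) < 20:                            # no usable hex dump for this packet
            p["header_ok"], p["payload_len"] = False, p["claimed_len"]
            continue
        hdr = decode_ipv4_udp(raw)
        # Cross-check: the hand-decoded headers must agree with tcpdump's summary line
        # and the IP total length must equal IP header + UDP header + payload.
        p["header_ok"] = (
            hdr["src"] == p["src"] and hdr["dst"] == p["dst"]
            and hdr.get("sport") == p["sport"] and hdr.get("dport") == p["dport"]
            and hdr.get("payload_len") == p["claimed_len"]
            and hdr["total_len"] == hdr["ihl"] + 8 + hdr.get("payload_len", -1)
        )
        p.update(hdr)
    return packets


def fixed_size_fanout(packets: list, min_dests: int = 3) -> dict:
    """Flag (src, sport) pairs sending same-sized UDP payloads to many distinct hosts.

    Heuristic only: a constant payload size plus fan-out to several external
    addresses is worth a closer look, but legitimate protocols can have the same shape.
    """
    by_source = defaultdict(list)
    for p in packets:
        by_source[(p["src"], p["sport"])].append(p)
    hits = {}
    for key, pk in by_source.items():
        sizes = {p["payload_len"] for p in pk}
        dests = {p["dst"] for p in pk}
        if len(sizes) == 1 and len(dests) >= min_dests:
            hits[key] = {
                "payload_len": sizes.pop(),
                "dests": sorted(dests),
                "external": sum(1 for d in dests if not ip_address(d).is_private),
                "packets": len(pk),
            }
    return hits


if __name__ == "__main__":
    pk = parse_tcpdump(SAMPLE)
    for p in pk:
        print(f'{p["ts"]} {p["src"]}:{p["sport"]} -> {p["dst"]}:{p["dport"]} '
              f'ttl={p["ttl"]} id={p["ip_id"]:#06x} payload={p["payload_len"]} ok={p["header_ok"]}')
    for (src, sport), info in fixed_size_fanout(pk).items():
        print(f"{src}:{sport} sent {info['packets']} x {info['payload_len']}-byte UDP "
              f"payloads to {len(info['dests'])} hosts ({info['external']} external)")
```

Run it on a saved `tcpdump -X` capture instead of `SAMPLE` to test the heuristic on real traffic; the header cross-check is what catches truncated or mis-pasted dumps, and decoding the TTL separately makes the 0x7f/0x80 difference between the two copies of packet 49d9 visible without reading hex by hand.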