WTF is so special about port 34442 (Weird Wireless Access Point Question)
So I restarted my wireless access point today for the first time in a few weeks. It seemed a little more sluggish than usual (I have a really crappy ISP at home), so I decided to do a little packet sniffing. However, to my astonishment, the only anomaly seems to be my access point firing a UDP packet every few seconds to the local broadcast address on port 34442. This has never happened before; I have never seen it before on this or any other access point, and it has only happened since my last restart.
Can anyone enlighten me on it?
The packets are more or less the same, with the only noticeable difference being bytes 0x29 and 0x2A (in the data frame) counting down and bytes 0x3A and 0x3B (again in the data frame) counting up.
So again I ask: can anyone enlighten me on this, or is it a countdown/count-up to a moment of perpetual doom?
Port number: 34442
Common name(s): client-port on Red Hat Linux 9.0, Fedora Core 1, Red Hat Enterprise 3
Common service(s): client
Service description(s): Outgoing client connections from systems.
Common server(s): RPC based services, Windows Messaging Service.
Common client(s): All client software (SSH, Web clients, etc.)
Common problem(s): Insecure client software
Encrypted options: Not applicable
Secure options: Not applicable
Firewalling recommendations: Block inbound connections to client ports, allow outgoing connections and returning packets (keep state)
Attack detection: As a general rule data coming in to client ports that is not part of an established connection is likely an attack. Exceptions exist of course, such as FTP, various instant messenger protocols, file sharing protocols, IRC's DCC, and so on.
Related ports: 32768 and other client ports
Other notes: Port 32768 is the first port used by the operating system for outbound connections, thus it is likely you will see outbound connections from port 32768 and up. If you run netstat on Red Hat Linux or UNIX you will see something like:
[root@funky web]# netstat -vatn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.2.3.4:32768          10.3.4.5:22             ESTABLISHED
tcp        0      0 10.2.3.4:32769          10.9.3.4:80             ESTABLISHED
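The check the original poster describes (lining up successive copies of the broadcast and seeing which bytes move) is easy to automate, and doing so also answers the question the reply above raises about client ports. What follows is an added example, not code from this thread or from any of the posters: it builds three constructed Ethernet/IPv4/UDP broadcast frames to port 34442 (the MAC addresses, IP addresses, source port and 24-byte payload are all made up for the demo, with a 16-bit counter placed at payload offsets 2-3 counting down and another at 16-17 counting up), then reports every 2-byte field that moves by a constant step between consecutive frames. Two things a practitioner wants here beyond eyeballing a hex dump: each hit is labelled with the layer it falls in, because an offset counted from the start of the frame can land in the IP header (the IP ID and the header checksum that compensates for it both "count" from packet to packet) or in the UDP header rather than in application data; and the destination port is tested against the 32768-61000 client range quoted in the reply.

```python
"""Spot counters in a run of near-identical UDP broadcast frames.

Added example (not from the original thread). The frames below are constructed:
untagged Ethernet/IPv4/UDP to a broadcast address, destination port 34442, with
a made-up 24-byte payload. MACs, IPs, source port and payload are assumptions.
"""
import struct

ETH_LEN = 14
EPHEMERAL_RANGE = (32768, 61000)   # Red Hat-era client port range quoted in the thread


def ip_checksum(header):
    """RFC 791 ones'-complement checksum over an IPv4 header (checksum field zeroed)."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(ip_id, src_port, dst_port, payload):
    """Constructed Ethernet/IPv4/UDP broadcast frame. UDP checksum is left at 0 (legal for IPv4)."""
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    src, dst = bytes([192, 168, 1, 1]), bytes([192, 168, 1, 255])          # assumed addresses
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), ip_id,
                               0, 64, 17, 0, src, dst))
    ip[10:12] = struct.pack("!H", ip_checksum(ip))
    eth = b"\xff" * 6 + bytes.fromhex("001122334455") + b"\x08\x00"        # assumed AP MAC
    return bytes(eth + ip + udp)


def sample_payload(down, up):
    """24 filler bytes with a big-endian counter at payload offsets 2-3 (down) and 16-17 (up)."""
    p = bytearray(b"\xaa" * 24)
    p[2:4] = struct.pack("!H", down)
    p[16:18] = struct.pack("!H", up)
    return bytes(p)


# Three consecutive "sniffed" frames: IP ID climbs, one payload field drops, one rises.
SAMPLE_FRAMES = [build_frame(0x1000 + i, 34442, 34442, sample_payload(258 - i, 16 + i))
                 for i in range(3)]


def udp_layout(frame):
    """(ip_start, udp_start, payload_start) for an untagged Ethernet/IPv4/UDP frame, else None."""
    if len(frame) < ETH_LEN + 28 or frame[12:14] != b"\x08\x00" or frame[ETH_LEN + 9] != 17:
        return None
    udp_start = ETH_LEN + (frame[ETH_LEN] & 0x0F) * 4
    return ETH_LEN, udp_start, udp_start + 8


def layer_of(offset, layout):
    ip_start, udp_start, payload_start = layout
    if offset < ip_start:
        return "ethernet"
    if offset < udp_start:
        return "ip"
    if offset < payload_start:
        return "udp-header"
    return "payload"


def find_counters(frames, width=2):
    """Offsets of big-endian `width`-byte fields that move by the same non-zero step between
    every pair of consecutive frames. Overlapping hits collapse to the one with the smallest
    |step|: a counter's low byte also makes the word starting one byte later move by 256."""
    n = min(len(f) for f in frames)
    hits = []
    for off in range(n - width + 1):
        vals = [int.from_bytes(f[off:off + width], "big") for f in frames]
        steps = {b - a for a, b in zip(vals, vals[1:])}
        if len(steps) == 1 and 0 not in steps:
            hits.append((off, steps.pop()))
    merged = []
    for off, step in hits:
        if merged and off < merged[-1][0] + width:
            if abs(step) < abs(merged[-1][1]):
                merged[-1] = (off, step)
        else:
            merged.append((off, step))
    return merged


def analyse(frames):
    """Ports, whether the destination port is a client (ephemeral) port, and labelled counters."""
    layout = udp_layout(frames[0])
    if layout is None:
        raise ValueError("not an untagged Ethernet/IPv4/UDP frame")
    udp_start = layout[1]
    sport, dport = struct.unpack("!HH", frames[0][udp_start:udp_start + 4])
    counters = [(off, step, layer_of(off, layout)) for off, step in find_counters(frames)]
    return {"src_port": sport, "dst_port": dport,
            "dst_port_ephemeral": EPHEMERAL_RANGE[0] <= dport <= EPHEMERAL_RANGE[1],
            "counters": counters}


if __name__ == "__main__":
    r = analyse(SAMPLE_FRAMES)
    print(f"UDP {r['src_port']} -> {r['dst_port']} "
          f"(dst in 32768-61000 client range: {r['dst_port_ephemeral']})")
    for off, step, layer in r["counters"]:
        print(f"  offset 0x{off:02x}: step {step:+d} per packet  [{layer}]")
```

On the constructed frames the script lists four moving fields: the IP ID at 0x12 (+1), the IP header checksum at 0x18 (-1, purely because the ID went up), and the two payload counters at 0x2C (-1) and 0x3A (+1). Only the last two say anything about what the access point is sending; the first two would appear in any stream of packets from a normal IP stack. Feed it real frames (for example the raw bytes exported from Ethereal) and check the layer label before reading anything into a "countdown".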
So what you're telling me is that my wireless access point is either infected by spyware or is attempting to hack my computer over a UDP connection, of all things? Somehow I don't think this fits the bill. Here's an Ethereal dump for anyone who wants to see exactly what I'm on about.