WTF is so special about port 34442 (Weird Wireless Access Point Question)



  • So restarted my wireless access point today for the first time in a few weeks seemed a little more sluggesh than usual (I have a really crappy ISP at home) so decided to do a little packet sniffing. However to my astonishment the only anomally seems to be from my access point firing a UDP packet every few seconds to the local broadcast address on port 34442. This has never happened before, never seen it before on this or any other access point. And it only has happened since my last restart.

    Can anyone enlighten me on it?

    The packets are more or less the same with the only noticable difference being bytes 0x29 and 0x2A (in the data frame) counting down and bytes 0x3A and 0x3B (again in the data frame) counting up.

    So again I ask can anyone enlighten me on this or is it a countdown/up to a moment of perpetual doom?



  • spyware?



  • From http://www.seifried.org/security/ports/34000/34442.html

    Port number: 34442

    Common name(s): client-port on Red Hat Linux 9.0, Fedora Core 1, Red Hat Enterprise 3

    Common service(s): client

    Service description(s): Outgoing client connections from systems.

    Common server(s): RPC based services, Windows Messaging Service.

    Common client(s): All client software (SSH, Web clients, etc.)

    Common problem(s): Insecure client software

    Encrypted options: Not applicable

    Secure options: Not applicable

    Firewalling recommendations: Block inbound connections to client ports, allow outgoing connections and returning packets (keep state)

    Attack detection: As a general rule data coming in to client ports that is not part of an established connection is likely an attack. Exceptions exist of course, such as FTP, various instant messenger protocols, file sharing protocols, IRC's DCC, and so on.

    Related ports: 32768 and other client ports

    Related URL(s): http://seifried.org/security/os/linux/20011005-linux-port-behavior.html

    Other notes: Port 32768 is the first port used by the operating system for outbound connections, thus it is likely you will see outbound connections from port 32768 and up. If you run netstat on Red Hat Linux or UNIX you will see something like:

    [root@funky web]# netstat -vatn
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State      
    tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      
    tcp        0      0 10.2.3.4:32768          10.3.4.5:22             ESTABLISHED 
    tcp        0      0 10.2.3.4:32769          10.9.3.4:80             ESTABLOSHED
    


  • So what your telling me is that my Wireless Access Point is either infected by spyware or is attempting to hack my computer on a udp connnection of all things? Somehow i dont think this fits the bill. Here's a Ethereal dump for anyone who want's to see exactly what i'm on about


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.