Comments on: fun with tcpdump bpf and udp http://trepullins.net/02-09-2008/fun-with-tcpdump-bpf-and-udp it's better then a sharp stick in the eye! Fri, 29 Jan 2010 00:14:33 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Axthrower http://trepullins.net/02-09-2008/fun-with-tcpdump-bpf-and-udp/comment-page-1#comment-155 Axthrower Tue, 12 Feb 2008 13:06:34 +0000 http://trepullins.net/02-09-2008/fun-with-tcpdump-bpf-and-udp#comment-155 Your tcpdump skills are fearsome! Your tcpdump skills are fearsome!

]]> By: Greg Martin http://trepullins.net/02-09-2008/fun-with-tcpdump-bpf-and-udp/comment-page-1#comment-153 Greg Martin Mon, 11 Feb 2008 16:38:06 +0000 http://trepullins.net/02-09-2008/fun-with-tcpdump-bpf-and-udp#comment-153 great tip! Just thought it was bizarre to see udp traffic destined for port 80! Sounds like botnet backdoor channelish... Never in my experience have I seen a process listen on udp port 80. It is extremely common for attackers to try an evade secadmin by sourcing their udp or tcp scans from port 80 to try and sneak in at web traffic, maybe you saw backscatter from a portscan generated from the inside? -G great tip! Just thought it was bizarre to see udp traffic destined for port 80! Sounds like botnet backdoor channelish…

Never in my experience have I seen a process listen on udp port 80. It is extremely common for attackers to try an evade secadmin by sourcing their udp or tcp scans from port 80 to try and sneak in at web traffic, maybe you saw backscatter from a portscan generated from the inside?

-G

]]>