From: Peter Pentchev (roam_at_ringlet.net)
Date: Wed Nov 20 2002 - 08:39:43 CST


    Hi,

    Apologies for the somewhat off-topic post; I am also sending this to a
    couple of other security-related lists, where it will be more relevant,
    but any replies would be welcome.

    Today, a company I do some work for received an e-mail inquiry
    regarding strange packets sent to an address unknown to us. The packets
    in question were UDP packets with 500 as both source and destination
    port.

    The source address - ours - is not running anything related to IPsec,
    ISAKMP or the like. It is, however, a NAT gateway for a large internal
    network. A quick tcpdump run showed that many hosts on that internal
    network try to send UDP packets from 500 to 500 to many external hosts,
    including hosts in the cluster*.icq.com, www.google.com, ns1.google.com,
    pt*.t-dialin.net, adsl*.pacbell.net, and many others.

    Is anybody aware of any reason for a Windows workstation (those are all
    Windows workstations) to send an ISAKMP packet to external hosts?
    Which application should we look for? The machines in question are all
    running recent versions of ICQ clients (the official icq.com ones),
    various versions of Microsoft Internet Explorer, and, among others, the
    Google Toolbar as a plug-in. Do any of these ring a bell? I can see
    no real reason why any of those would send ISAKMP packets to anyone for
    any reason at all, but I can see the packets, and apparently others have
    seen them, too.

    On the other hand, could this be some sort of a trojan?

    Unfortunately, I am not currently, and will not be in the foreseeable
    future, at that location, so the further research which I would like to
    do will be somewhat delayed. Still, any information about Windows
    applications sending UDP packets from and to port 500 would be highly
    appreciated.

    Thanks in advance for any replies!

    G'luck,
    Peter

    -- 
    Peter Pentchev	roam@ringlet.net	roam@FreeBSD.org
    PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
    Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
    What would this sentence be like if pi were 3?
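As an added illustration (not part of Peter's post or of any reply), this is the kind of tcpdump triage the post describes, run over a constructed capture from the NAT gateway's inside interface: it keeps only UDP datagrams with source and destination port 500 going from the internal network to outside addresses, then lists, per internal host, how many distinct external peers it contacted. The 10.0.0.0/8 internal range, the sample addresses and the tcpdump line format are assumptions.

```python
"""Triage tcpdump text output for internal hosts sending UDP 500 -> 500.

Assumed line format: `HH:MM:SS.us IP src.port > dst.port: ...` as printed by
tcpdump -n on the gateway's inside interface (the sample below is constructed).
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample capture, not taken from the original post.
SAMPLE_CAPTURE = """\
08:39:41.100100 IP 10.1.2.15.500 > 64.12.24.5.500: isakmp: phase 1 I ident
08:39:41.100200 IP 10.1.2.15.500 > 216.239.37.99.500: isakmp: phase 1 I ident
08:39:41.200300 IP 10.1.2.15.1034 > 10.1.2.1.53: 1234+ A? www.google.com. (32)
08:39:41.300400 IP 10.1.2.77.500 > 216.239.37.99.500: isakmp: phase 1 I ident
08:39:41.400500 IP 10.1.2.77.500 > 217.80.5.4.500: isakmp: phase 1 I ident
08:39:41.500600 IP 10.1.2.77.500 > 63.203.1.9.500: isakmp: phase 1 I ident
08:39:41.600700 IP 10.1.2.15.3000 > 64.12.24.5.500: UDP, length 100
08:39:41.700800 IP 10.1.2.15.500 > 10.1.2.200.500: isakmp: phase 1 I ident
08:39:41.800900 IP 10.1.2.15.500 > 64.12.24.5.500: isakmp: phase 1 I ident
"""

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
)

def isakmp_senders(capture, internal_net="10.0.0.0/8", port=500):
    """Map each internal source to the external hosts it sent port->port UDP to."""
    net = ipaddress.ip_network(internal_net)
    seen = defaultdict(set)
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if int(m["sport"]) != port or int(m["dport"]) != port:
            continue  # ephemeral-port senders are not the pattern in question
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if src in net and dst not in net:  # only internal -> external traffic
            seen[str(src)].add(str(dst))
    return {host: sorted(dsts) for host, dsts in seen.items()}

def rank_by_fanout(senders, min_destinations=2):
    """Hosts that contacted at least min_destinations external peers, busiest first."""
    hits = [(h, len(d)) for h, d in senders.items() if len(d) >= min_destinations]
    return sorted(hits, key=lambda item: (-item[1], item[0]))
```

Run `rank_by_fanout(isakmp_senders(open("capture.txt").read()))` on a real `tcpdump -n 'udp port 500'` text dump to get the list of workstations to inspect first; the DNS line, the ephemeral-port line and the internal-to-internal line in the sample are deliberately excluded.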