Subject: Re: Port 65535
From: Rich Corbett (RichCLOEHMANNS.COM)
Date: Tue Mar 07 2000 - 07:50:11 CST


Mike,
        I have seen this when a user decided to run an Eggdrop bot through
my network. When his machine was not connected, the other member bot was
attempting to contact his. After analyzing the errors I found that they
only occurred "off-hours". I was able to then narrow down that it had to be
some application running through the proxies & firewalls - I narrowed it
down by starting with our development team - turning on one machine at a
time - sure enough an Eggdrop is what I found. The scary part about it
all was that the server that the packets were coming from was located in
Russia - I had no freaking idea as to what was going on. I cannot remember
what port it was using at this point, but try to see what apps could be
running from the inside. I have made the necessary provisions to ensure
that this will not happen again! :o)

G'Luck
Rich

-----Original Message-----
From: Murray, Mike [mailto:Mike.MurrayUTORONTO.CA]
Sent: Saturday, March 04, 2000 10:58 PM
To: INCIDENTSSECURITYFOCUS.COM
Subject: Re: Port 65535

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Pavel,

        That's good info... thanks... )

        Now, why in the world would someone be sending me incomplete packets
exactly every two minutes? Anybody have experience getting this? Perhaps some
sort of misconfiguration, or something hostile?

On 04-Mar-00 Pavel Kankovsky wrote:
> This is a fragment (F stands for fragment offset). ipchains leaves port
> numbers equal to (u_short)(-1) if the fragment does not include a
> (complete) TCP/UDP header.

- ----------------------------------
Message sent on 04-Mar-00 at 22:59:02

Mike Murray
Apt 1402
666 Spadina Ave
Toronto, ON
M5S 2H8

Phone: (416) 323-3160

        I can't think of anything pithy to say at
        all, today. So, I ramble.
- ----------------------------------

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2

iQA/AwUBOMHbh4DBZTHOsqLmEQIRHgCeK9jSh0d/GiOLxTECOD/Gnv1PtAYAn3pL
2pLTLNUgoHBnnCHmdFImP9+a
=htZa
-----END PGP SIGNATURE-----
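
Added example, not part of the original thread: a log triage sketch that separates the 65535 placeholder Pavel describes from a port number actually read off the wire, and measures how regularly the fragments arrive from each source. It assumes the usual ipchains "Packet log:" line layout with F= holding the 16-bit IP flags/fragment-offset field in hex; the sample lines, addresses and the year (syslog omits it) are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not from the thread), in the assumed ipchains layout.
SAMPLE_LOG = """\
Mar  4 22:40:01 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:65535 198.51.100.5:65535 L=44 S=0x00 I=4101 F=0x00B9 T=52 (#3)
Mar  4 22:41:17 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:3312 198.51.100.5:23 L=60 S=0x00 I=911 F=0x4000 T=49 (#3)
Mar  4 22:42:01 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:65535 198.51.100.5:65535 L=44 S=0x00 I=4102 F=0x00B9 T=52 (#3)
Mar  4 22:44:01 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:65535 198.51.100.5:65535 L=44 S=0x00 I=4103 F=0x00B9 T=52 (#3)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) .*?Packet log: \S+ \S+ \S+ PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r".*?F=0x(?P<frag>[0-9A-Fa-f]{4})")

def parse(line, year=2000):
    """Return a dict for one log line, or None if it is not a packet log entry."""
    m = LINE_RE.match(line)
    if not m:
        return None
    f = int(m["frag"], 16)
    return {
        "time": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "src": m["src"], "sport": int(m["sport"]), "dport": int(m["dport"]),
        "offset": (f & 0x1FFF) * 8,        # fragment offset, in bytes
        "more_fragments": bool(f & 0x2000),
    }

def classify(rec):
    """Separate the 65535 placeholder from a port value read off the wire."""
    if rec["offset"] > 0:
        return "non-first-fragment"        # no TCP/UDP header, ports are the placeholder
    if 65535 in (rec["sport"], rec["dport"]):
        return "port-65535-at-offset-0"    # header should be present; inspect the packet
    return "normal"

def fragment_intervals(log_text):
    """Seconds between successive non-first fragments, grouped by source address."""
    seen = defaultdict(list)
    for rec in filter(None, map(parse, log_text.splitlines())):
        if classify(rec) == "non-first-fragment":
            seen[rec["src"]].append(rec["time"])
    return {src: [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
            for src, ts in seen.items()}

if __name__ == "__main__":
    print(fragment_intervals(SAMPLE_LOG))
```

A constant interval per source, as in the constructed sample, points at a timer-driven sender such as the reconnecting bot described in the reply above rather than at hand-driven probing.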