From: Glenn Forbes Fleming Larratt (glratt_at_rice.edu)
Date: Wed Sep 25 2002 - 23:06:19 CDT

    A pattern of UDP packets, with incrementing destination ports in the
    range 33434-33523, is almost assuredly a traceroute initiated by
    host x.y.z.w. If you want to confirm it, compare TTL values of
    the packets in question: they should increment by 1 with each
    successive UDP port.

    Every standard traceroute I've seen, though, has sent three packets
    for each (TTL value/UDP destination port) pair. Do I understand
    correctly that you only saw one per?

            -g

    On 25 Sep 2002, Gordon Chamberlin wrote:

    >... There was one very odd scan that has me concerned.
    >
    > The firewall logged packets going from a different server, not the
    > infected one, to 212.82.211.42:
    >
    > Sep 23 10:57:21 sicily kernel: DROPPING int->ext: IN=eth1 OUT=eth0
    > SRC=x.y.z.w DST=212.82.211.42 LEN=38 TOS=0x00 PREC=0x00 TTL=22 ID=27664
    > PROTO=UDP SPT=1370 DPT=33501 LEN=18
    >
    > There are eight of these messages with DPT proceeding sequentially from
    > 33501 to 33508, inclusive, within 30 seconds.
    >
    > Questions:
    > Was this other host infected with something? I have searched it but
    > been unable to find any traces of hacking.
    >
    >
    > Assuming w.x.y.z hasn't been cracked, how did someone convince my server
    > to try to contact 212.82.211.42?
    >
    >
    > Any other insight or advice?
    >
    >
    > Thanks.
    > -Gordon

                                    Glenn Forbes Fleming Larratt
                                    Rice University Network Management
                                    glratt@rice.edu
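
    The checks Glenn describes above (destination ports walking up through
    the 33434+ range, TTL stepping by one per hop, and a fixed number of
    probes per TTL value) can be applied mechanically to the firewall's LOG
    lines. The Python script below is an added example, not code from
    either correspondent or from the list; it parses iptables LOG lines in
    the format Gordon quoted, groups them per (source, destination) pair,
    and reports whether each flow looks like a traceroute and how many
    probes it sends per hop. It generalises Glenn's "three per pair"
    point: the same test accepts one probe per hop (what Gordon saw) and
    three per hop (classic traceroute), and tolerates a final hop that was
    cut short. All host addresses, timestamps and the log lines themselves
    are constructed for the example; the DROPPING/IN=/OUT= prefix simply
    mirrors the quoted line.

```python
"""Classify dropped UDP flows from iptables LOG lines as traceroute-like or not.

Added example for the thread above; the log lines are constructed, not real.
"""
import re
from collections import defaultdict

# Fields we need from an iptables LOG line (ordering follows the quoted line).
LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?TTL=(?P<ttl>\d+) .*?"
    r"PROTO=UDP SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

# Classic UDP traceroute starts at port 33434; 33523 is the upper bound quoted
# in the thread (30 hops x 3 probes = 90 ports).
TRACEROUTE_PORT_LOW = 33434
TRACEROUTE_PORT_HIGH = 33523


def _line(ts, src, dst, ttl, spt, dpt):
    """Build one LOG line in the quoted format (constructed sample data)."""
    return (f"Sep 23 {ts} sicily kernel: DROPPING int->ext: IN=eth1 OUT=eth0 "
            f"SRC={src} DST={dst} LEN=38 TOS=0x00 PREC=0x00 TTL={ttl} ID=27664 "
            f"PROTO=UDP SPT={spt} DPT={dpt} LEN=18")


# Constructed sample log; addresses are private/documentation ranges, not real hosts.
SAMPLE_LOG = "\n".join(
    # Flow A: one probe per hop, ports 33501..33508, TTL 22..29 (Gordon's pattern)
    [_line(f"10:57:{21 + i:02d}", "10.0.0.5", "192.0.2.42", 22 + i, 1370, 33501 + i)
     for i in range(8)]
    # Flow B: classic three-probes-per-hop traceroute, ports 33434..33442, TTL 1..3
    + [_line(f"11:02:{i:02d}", "10.0.0.9", "192.0.2.42", 1 + i // 3, 40000 + i, 33434 + i)
       for i in range(9)]
    # Flow C: repeated DNS queries to port 53 with a constant TTL; not a traceroute
    + [_line(f"11:05:{i:02d}", "10.0.0.7", "192.0.2.53", 64, 5000 + i, 53)
       for i in range(4)]
)


def parse_udp_records(text):
    """Yield (src, dst, ttl, dpt) for every UDP LOG line the regex recognises."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["ttl"]), int(m["dpt"])


def analyze_flows(text):
    """Group records by (src, dst) and decide whether each flow looks like traceroute.

    A traceroute flow has destination ports in the 33434..33523 range rising by
    exactly one per probe, and a TTL that is constant within a hop and rises by
    exactly one between hops.  probes_per_hop is the number of probes per TTL
    value (1 for flow A, 3 for flow B); the last hop may be incomplete.
    """
    flows = defaultdict(list)
    for src, dst, ttl, dpt in parse_udp_records(text):
        flows[(src, dst)].append((dpt, ttl))

    results = {}
    for key, probes in flows.items():
        probes.sort()  # order by destination port, which is the send order
        ports = [p for p, _ in probes]
        ttls = [t for _, t in probes]
        in_range = all(TRACEROUTE_PORT_LOW <= p <= TRACEROUTE_PORT_HIGH for p in ports)
        ports_sequential = all(b - a == 1 for a, b in zip(ports, ports[1:]))
        # Next probe of the same hop (+0) or first probe of the next hop (+1).
        ttl_steps_ok = all(b - a in (0, 1) for a, b in zip(ttls, ttls[1:]))
        # Count probes per hop; every complete hop must agree, the last may be short.
        per_hop = defaultdict(int)
        for t in ttls:
            per_hop[t] += 1
        hops = sorted(per_hop.items())
        full = [c for _, c in hops[:-1]] or [hops[-1][1]]
        consistent = all(c == full[0] for c in full) and hops[-1][1] <= full[0]
        probes_per_hop = full[0] if consistent else None
        results[key] = {
            "packets": len(probes),
            "ports": (ports[0], ports[-1]),
            "ttl": (ttls[0], ttls[-1]),
            "probes_per_hop": probes_per_hop,
            "traceroute": in_range and ports_sequential and ttl_steps_ok and consistent,
        }
    return results


if __name__ == "__main__":
    for (src, dst), r in analyze_flows(SAMPLE_LOG).items():
        verdict = "traceroute" if r["traceroute"] else "not traceroute"
        print(f"{src} -> {dst}: {r['packets']} pkts, DPT {r['ports']}, "
              f"TTL {r['ttl']}, probes/hop {r['probes_per_hop']}: {verdict}")
```

    Run against a real /var/log/messages the script only needs the LOG
    lines concatenated into one string; the regex ignores everything
    before SRC=. Note that the TTL the firewall logs is whatever is left
    after the sending host's own hops, so the absolute value says little
    on its own; it is the +1 step between successive ports that identifies
    traceroute, which is exactly the test Glenn proposes.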

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com