Solegg ?

From: David Gillett (gillettdavidfhda.edu)
Date: Fri May 14 2004 - 11:52:30 CDT


  I recently attempted to contact this forum about strange traffic
coming from one of our hosts. (My message was rejected without
explanation.) The host was sending out ICMP Echo-Reply packets
which contained the keyword "skillz" and about 1K of null bytes.
No ICMP Echo-Request packets were seen eliciting these.

  This week, continuing to research this machine, I found that it
was also the source of bursts of traffic from (spoofed) 127.0.0.x
addresses to 108.122.0.0, in a range marked "reserved" by IANA.
A Google search shows that other sites had seen such traffic going
back as far as 2002, but I could not find any indication that its
cause had been positively identified.

  I still don't know for certain that this box was the victim of
a single infestation, but the possibility that these are symptoms
of the same compromise may be worth considering.

David Gillett
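A small detector for the three symptoms described in the post (unsolicited ICMP echo-replies from the host, the "skillz" marker padded with null bytes, and packets leaving with spoofed 127.0.0.x sources), added here as an illustration and not code from the post or from Neohapsis. The `Packet` record, the `audit` function, the host addresses and the sample capture are all constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example detector; not from the original post or any product.
LOOPBACK = ip_network("127.0.0.0/8")
ECHO_REPLY, ECHO_REQUEST = 0, 8
MARKER = b"skillz"

@dataclass
class Packet:                      # minimal constructed packet record
    src: str
    dst: str
    proto: str                     # "icmp", "udp" or "tcp"
    icmp_type: int = -1
    icmp_id: int = -1
    payload: bytes = b""

def audit(packets, our_host):
    """Return [(reason, packet_index)] for traffic matching the symptoms."""
    findings = []
    pending = set()                # (peer, id) of echo requests that reached us
    for i, p in enumerate(packets):
        # 1. Loopback source address seen on a real interface: spoofed
        if ip_address(p.src) in LOOPBACK:
            findings.append(("spoofed-loopback-source", i))
        if p.proto != "icmp":
            continue
        if p.icmp_type == ECHO_REQUEST and p.dst == our_host:
            pending.add((p.src, p.icmp_id))
        elif p.icmp_type == ECHO_REPLY and p.src == our_host:
            # 2. A reply our host sent with no matching request on record
            if (p.dst, p.icmp_id) not in pending:
                findings.append(("unsolicited-echo-reply", i))
            pending.discard((p.dst, p.icmp_id))
            # 3. Marker keyword plus roughly 1K of null bytes in the body
            if MARKER in p.payload and p.payload.count(0) >= 1024:
                findings.append(("skillz-null-payload", i))
    return findings

OUR_HOST = "192.0.2.50"            # constructed address for the suspect host
SAMPLE = [                         # constructed capture, not real traffic
    Packet("192.0.2.10", OUR_HOST, "icmp", ECHO_REQUEST, 7, b"ping"),
    Packet(OUR_HOST, "192.0.2.10", "icmp", ECHO_REPLY, 7, b"ping"),
    Packet(OUR_HOST, "198.51.100.5", "icmp", ECHO_REPLY, 99, MARKER + b"\x00" * 1024),
    Packet("127.0.0.3", "108.122.0.0", "udp"),
]

if __name__ == "__main__":
    for reason, idx in audit(SAMPLE, OUR_HOST):
        print(f"{reason}: packet {idx} {SAMPLE[idx].src} -> {SAMPLE[idx].dst}")
```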
