OSEC

Re: Solegg ?

xianmat.uni.torun.pl
Date: Fri May 14 2004 - 12:46:05 CDT


Quoting David Gillett <gillettdavidfhda.edu>:

> I recently attempted to contact this forum about strange traffic
> coming from one of our hosts. (My message was rejected without
> explanation.) The host was sending out ICMP Echo-Reply packets
> which contained the keyword "skillz" and about 1K of null bytes.
> No ICMP Echo-Request packets were seen eliciting these.
>
> This week, continuing to research this machine, I found that it
> was also the source of bursts of traffic from (spoofed) 127.0.0.x
> addresses to 108.122.0.0, in a range marked "reserved" by IANA.
> A Google search shows that other sites had seen such traffic going
> back as far as 2002, but I could not find any indication that its
> cause had been positively identified.
>
> I still don't know for certain that this box was the victim of
> a single infestation, but the possibility that these are symptoms
> of the same compromise may be worth considering.

From your description it seems like some 'call home'. Did you notice any other
suspicious traffic from / to this machine?
Maybe you could provide more info, e.g. tcpdump output?
Greetings,
Jan

-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GCS dx s+:+ a-- c++ UL++++ UB++ P+++ L++ E- W++ N++ w O tv-- b+ DI++ D+ G e h!
r++ y?
------END GEEK CODE BLOCK------
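Added example, not part of the original thread and not code from either poster: a small Python triage script that applies the two symptoms David describes to a stream of raw IPv4 packets. It tracks ICMP echo requests so that an echo reply with no matching request is flagged as unsolicited, notes whether such a reply carries the "skillz" marker and how much of it is null padding, and flags any packet whose source is in 127/8 (spoofed, since the capture is assumed to come from a real interface, not lo). All packets are constructed inline for the example; the protocol of the spoofed 127.0.0.x bursts is not stated in the thread, so UDP is an assumption here, as are all addresses other than 108.122.0.0 and the ICMP id/seq values.

```python
"""Triage of the two symptoms from the thread over constructed raw IPv4 packets."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

ICMP, UDP = 1, 17
ECHO_REPLY, ECHO_REQUEST = 0, 8


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    icmp_type: Optional[int]
    icmp_id: Optional[int]
    icmp_seq: Optional[int]
    payload: bytes  # bytes after the ICMP header, or after the IP header for non-ICMP


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, used for both IP and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, body: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of body; sample construction only."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0x1234, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + body


def build_icmp(icmp_type: int, ident: int, seq: int, data: bytes) -> bytes:
    """ICMP echo request/reply with a valid checksum; sample construction only."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    return hdr[:2] + struct.pack("!H", checksum(hdr + data)) + hdr[4:] + data


def parse_ipv4(raw: bytes) -> Packet:
    """Decode addresses, protocol and (for ICMP) type/id/seq from a raw IPv4 packet."""
    ihl = (raw[0] & 0x0F) * 4
    proto = raw[9]
    src = str(ipaddress.IPv4Address(raw[12:16]))
    dst = str(ipaddress.IPv4Address(raw[16:20]))
    body = raw[ihl:]
    if proto == ICMP and len(body) >= 8:
        icmp_type, _code, _cksum, ident, seq = struct.unpack("!BBHHH", body[:8])
        return Packet(src, dst, proto, icmp_type, ident, seq, body[8:])
    return Packet(src, dst, proto, None, None, None, body)


def null_ratio(payload: bytes) -> float:
    return payload.count(0) / len(payload) if payload else 0.0


def triage(raw_packets, marker: bytes = b"skillz"):
    """Return (reason, Packet) pairs for unsolicited echo replies and 127/8-sourced packets.
    Assumes the capture was taken on a non-loopback interface, so any 127/8 source is spoofed."""
    seen_requests = set()
    findings = []
    for raw in raw_packets:
        p = parse_ipv4(raw)
        if ipaddress.IPv4Address(p.src).is_loopback:
            findings.append((f"spoofed loopback source {p.src} -> {p.dst}", p))
        if p.proto != ICMP:
            continue
        if p.icmp_type == ECHO_REQUEST:
            seen_requests.add((p.src, p.dst, p.icmp_id, p.icmp_seq))
        elif p.icmp_type == ECHO_REPLY:
            # A legitimate reply mirrors a request we saw: swapped src/dst, same id and seq.
            if (p.dst, p.src, p.icmp_id, p.icmp_seq) in seen_requests:
                continue
            reason = "unsolicited echo reply"
            if marker in p.payload:
                reason += f" carrying {marker!r}, {null_ratio(p.payload):.0%} null padding"
            findings.append((reason, p))
    return findings


def sample_capture():
    """Constructed packets: a normal ping exchange, one 'skillz' reply with no
    matching request, and a burst of three spoofed 127.0.0.x packets (UDP assumed)."""
    pkts = [
        build_ipv4("192.0.2.10", "198.51.100.5", ICMP, build_icmp(ECHO_REQUEST, 7, 1, b"ping")),
        build_ipv4("198.51.100.5", "192.0.2.10", ICMP, build_icmp(ECHO_REPLY, 7, 1, b"ping")),
        build_ipv4("192.0.2.10", "203.0.113.77", ICMP,
                   build_icmp(ECHO_REPLY, 1, 0, b"skillz" + b"\x00" * 1018)),
    ]
    for i in range(1, 4):
        pkts.append(build_ipv4(f"127.0.0.{i}", "108.122.0.0", UDP, b"\x00" * 16))
    return pkts


if __name__ == "__main__":
    for reason, pkt in triage(sample_capture()):
        print(f"{pkt.src:>15} -> {pkt.dst:<15} {reason}")
```

In practice the input would be the IPv4 payloads read from a tcpdump/pcap capture of the suspect host rather than the constructed list above; the request/reply correlation is what separates a real ping answer from a reply that was never asked for, which is the detail the plain tcpdump one-liner does not show.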
