Security Incidents mailing list archives
85.85.85.85 weirdness
From: wozz+incidents () WOOKIE NET (Wozz)
Date: Tue, 18 Jul 2000 19:37:49 -0600
Anyone have any idea what I might be seeing here? I just turned up an NFR probe at Exodus in DC, and I'm seeing all sorts of traffic as follows:

NFR: dc-probefe
Source: 85.85.85.85
Destination: 85.85.85.85
Type of attack: Land
Protocol: 1
Src Port: 0
DST Port: 0
ICMP Type: 85
ICMP Code: 85
Packet: E\\x00\\x008\\x80\\x1e\\x00\\x00\\x01\\x01UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
Count: 1

I also get occasional variations as follows:

NFR: dc-probefe
Source: 85.85.85.85
Destination: 85.85.85.85
Type of attack: Land
Protocol: 6
Src Port: 21845
DST Port: 21845
ICMP Type: 0
ICMP Code: 0
Packet: E\\x00\\x02`\\xc6\\x01@\\x00\\xff\\x06\\xd7\\xf6UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
Count: 1

and

NFR: dc-probefe
Source: 85.85.85.85
Destination: 85.85.85.85
Type of attack: Land
Protocol: 17
Src Port: 21845
DST Port: 21845
ICMP Type: 0
ICMP Code: 0
Packet: E\\x00\\x00""\\xe1\\xd3\\x00\\x00@\\x11\\x12UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
Count: 1

My probe is sitting in front of my firewall box, and when I do a tcpdump on my firewall searching for any of these packets, nothing comes up. The only thing I can figure is that this is some sort of weird packet that's being misinterpreted by NFR. Perhaps some sort of ethernet broadcast being used by Exodus's Foundry VLANs?

Just curious if anyone else has seen anything like this on an NFR system or otherwise.
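Added example (not part of the original post, and not NFR code): a small decoder for the alert's Packet field, assuming non-printable bytes are shown as \xNN escapes (single or doubled backslash) and everything else as ASCII. It shows that every value the alerts report (85.85.85.85, port 21845, ICMP type/code 85) is the byte 0x55, ASCII 'U', read at different widths. The sample keeps the ten header bytes printed in the first alert and pads the 'U' run to the header's total length; function names are illustrative.

```python
import re
import struct

# First ten bytes as printed in the first alert; the 'U' run is padded to the
# IP total length of 56 bytes (constructed, the post's run is not counted).
SAMPLE = r"E\x00\x008\x80\x1e\x00\x00\x01\x01" + "U" * 46

def unescape(text):
    """Turn an escaped packet string (\\xNN or \\\\xNN) into raw bytes."""
    return re.sub(r"\\+x([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), text).encode("latin-1")

def ones_sum(header):
    """16-bit one's-complement sum; 0xFFFF means the IP checksum verifies."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def decode_ipv4(raw):
    """Decode the IPv4 header and the first four bytes that follow it."""
    if len(raw) < 24 or raw[0] >> 4 != 4:
        raise ValueError("need an IPv4 header plus 4 payload bytes")
    ihl = (raw[0] & 0x0F) * 4
    if ihl < 20 or len(raw) < ihl + 4:
        raise ValueError("bad header length")
    length, ttl, proto = struct.unpack("!2xH4xBB", raw[:10])
    l4 = raw[ihl:ihl + 4]
    info = {
        "total_length": length, "ttl": ttl, "protocol": proto,
        "src": ".".join(map(str, raw[12:16])),
        "dst": ".".join(map(str, raw[16:20])),
        "checksum_ok": ones_sum(raw[:ihl]) == 0xFFFF,
        # True when everything from the source address onward is byte 0x55
        "fill_only": set(raw[12:]) == {0x55},
    }
    if proto == 1:                      # ICMP: type and code are one byte each
        info["icmp_type"], info["icmp_code"] = l4[0], l4[1]
    elif proto in (6, 17):              # TCP/UDP: two 16-bit ports
        info["sport"], info["dport"] = struct.unpack("!HH", l4)
    return info

if __name__ == "__main__":
    for key, value in decode_ipv4(unescape(SAMPLE)).items():
        print(f"{key:13} {value}")
```

On this sample the header checksum does not verify, which is worth checking on a real capture before treating the addresses as meaningful.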