Security Incidents mailing list archives
Re: 85.85.85.85 weirdness
From: jmain () NFR NET (Jud)
Date: Wed, 19 Jul 2000 13:38:29 -0400
To our best knowledge, some Xircom PCMCIA cards and perhaps some other PCMCIA cards spit out these weird packets occasionally. My own Micron laptop with a Xircom PCMCIA card has spit out these packets for no apparent reason; however, this does not mean that it is the only hardware in existence that spits these packets out.

Jud.

Wozz wrote:
> On Wed, Jul 19, 2000 at 04:23:00PM +0200, Pascal Bouchareine wrote:
> > just my $0.01 but :
> >
> > On Tue, Jul 18, 2000 at 07:37:49PM -0600, Wozz wrote:
> > > Anyone have any idea what I might be seeing here? I just turned up an NFR probe at Exodus in DC, and I'm seeing all sorts of traffic as follows
> > >
> > > NFR: dc-probefe
> > > Source: 85.85.85.85
> > > Destination: 85.85.85.85
> >
> > 0x55555555 as a source ip.
> >
> > > Type of attack: Land
> >
> > triggered because of the short size/buggy pointers, i guess.
> >
> > > Protocol: 6
> > > Src Port: 21845
> > > DST Port: 21845
> >
> > 21845, which is 0x5555. fun. this information is not interesting to you, as i bet this is a (buggy) "0x55 frame" and doesn't have anything to do with 85.85.85.85 or a land attack. anyway, the bug's still there.
>
> That's what I suspected, that it was some sort of bug.
>
> > > ICMP Type: 0
> > > ICMP Code: 0
> > > Packet: E\\x00\\x02`\\xc6\\x01@\\x00\\xff\\x06\\xd7\\xf6UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
> >
> > U is 0x55, confirmed. you have a memset'ed area of 0x55. is it at the network level, or at the "bpf" level ?
>
> I'm not sure, as I said, I don't see it on the network when I do a tcpdump on my firewall
>
> > > My probe is sitting in front of my firewall box, and when I do a tcpdump on my firewall searching for any of these packets, nothing comes up. The only thing I can figure is that this is some sort of weird packet that's being misinterpreted by NFR. Perhaps some sort of ethernet broadcast being used by Exodus's Foundry VLANs?
> >
> > are you sure your firewall doesn't filter these packets before passing them to the packet capture interface ?
>
> The probe is outside the firewall (between our external router and the firewall)
>
> > this sounds like a strange memory corruption, at the ethernet level or at the NFR level.. very interesting :)
>
> No kidding ;) Wish I could figure it out though, as it's filling up the alerts window ;) Any NFR people have any ideas?
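The decoding discussed in the thread, as an added example that is not part of any message above and is not NFR code: it parses the quoted header bytes, then separates a Land-style match on a uniformly filled buffer from one on a well-formed packet. The function names, the length of the 0x55 padding and the second sample packet are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

# First 12 bytes are the ones quoted in the alert; the 0x55 tail length is constructed.
FILL_FRAME = bytes.fromhex("45000260c6014000ff06d7f6") + b"\x55" * 52
# Constructed contrast case: well-formed TCP SYN with identical endpoints (192.0.2.10:139).
LAND_SAMPLE = bytes.fromhex(
    "450000280001000040060000c000020ac000020a"   # IPv4 header, src == dst
    "008b008b000000010000000050020200000000000"  # TCP header, sport == dport
    "0"
)

def decode(pkt: bytes) -> dict:
    """Decode the IPv4 fields shown in the alert, plus TCP/UDP ports if present."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    sport = dport = None
    if proto in (6, 17) and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack_from("!HH", pkt, ihl)
    return {
        "proto": proto,
        "src": str(IPv4Address(pkt[12:16])),
        "dst": str(IPv4Address(pkt[16:20])),
        "sport": sport,
        "dport": dport,
    }

def fill_byte(pkt: bytes, start: int = 12):
    """Return the repeated byte if everything from the address fields on is one value."""
    tail = pkt[start:]
    return tail[0] if len(tail) >= 8 and len(set(tail)) == 1 else None

def triage(pkt: bytes) -> str:
    """Classify a packet that a Land signature (src == dst, sport == dport) would match."""
    f = decode(pkt)
    if f["src"] != f["dst"] or f["sport"] is None or f["sport"] != f["dport"]:
        return "no-land"
    fb = fill_byte(pkt)
    # A single repeated byte across addresses, ports and payload points at a
    # pattern-filled buffer rather than a crafted packet.
    return f"fill-pattern 0x{fb:02x}" if fb is not None else "land-candidate"

if __name__ == "__main__":
    for name, pkt in (("alert", FILL_FRAME), ("contrast", LAND_SAMPLE)):
        print(name, decode(pkt), triage(pkt))
```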