Security Incidents mailing list archives

Re: What is this guy doing?


From: woods () WEIRD COM (Greg A. Woods)
Date: Thu, 8 Jun 2000 15:49:57 -0400


[ On Monday, June 5, 2000 at 18:00:29 (-0800), Josh Burroughs wrote: ]
Subject: What is this guy doing?

I've seen this pattern showing up in my logs for the past few days, what
the hell is this guy trying to do?

Jun  5 16:52:11 discworld kernel: Packet log: input DENY eth0 PROTO=17 24.237.48.54:2301 255.255.255.255:2301 L=40 S=0x00 I=56747 F=0x0000 T=128 (#5)

It's almost certainly not any kind of probe or attack given that the
exact same packets arrive one per minute from the same source address.

Officially it should be:

cpq-wbem        2301/udp        # Compaq HTTP (Scott Shaffer <scott.shaffer () compaq com>)

I seem to recall seeing mention of 2301 elsewhere though (though
probably as TCP, not UDP) and so it may have been hijacked by some other
application by someone unaware of the significance of destination port
numbers in TCP and UDP on a public Internet....

It might be interesting to capture a few dozen raw packets and look
inside them for other clues...  perhaps with any other traffic to or
from that same host:

        tcpdump -s 1500 -i eth0 -w weirdstuff.ip host 24.237.48.54

then after some time interrupt it and look in "weirdstuff.ip" (perhaps
with "tcpdump -r", or ethereal, etc.).

--
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods () acm org>      <robohack!woods>
Planix, Inc. <woods () planix com>; Secrets of the Weird <woods () weird com>
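The reasoning in the reply above (identical packet, same source, once a minute, to a broadcast address, so probably not a probe) is really a small detection rule, and the opposite pattern (one source hitting many destination ports) is the classic scan signature. The script below is an added example, not code from the original thread or from either poster: it parses Linux 2.2 ipchains "Packet log:" lines in the format quoted above and classifies each source as a periodic broadcast or a port scan. The log lines are constructed for the example (the three extra beacon timestamps and the 10.9.8.7 scan are invented for contrast), and the thresholds (three distinct ports, three beacons, 10% jitter) are assumptions.

```python
"""Classify ipchains "Packet log:" lines: periodic broadcast vs. port scan.

Added example, not from the original mailing-list thread.  Field names
(PROTO, L, S, I, F, T) follow the Linux 2.2 ipchains log format quoted
in the thread; all sample lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: the 2301/udp broadcast from the thread repeated
# once a minute, plus an invented TCP probe from 10.9.8.7 for contrast.
SAMPLE_LOG = [
    "Jun  5 16:52:11 discworld kernel: Packet log: input DENY eth0 PROTO=17 24.237.48.54:2301 255.255.255.255:2301 L=40 S=0x00 I=56747 F=0x0000 T=128 (#5)",
    "Jun  5 16:53:11 discworld kernel: Packet log: input DENY eth0 PROTO=17 24.237.48.54:2301 255.255.255.255:2301 L=40 S=0x00 I=56748 F=0x0000 T=128 (#5)",
    "Jun  5 16:54:11 discworld kernel: Packet log: input DENY eth0 PROTO=17 24.237.48.54:2301 255.255.255.255:2301 L=40 S=0x00 I=56749 F=0x0000 T=128 (#5)",
    "Jun  5 16:55:11 discworld kernel: Packet log: input DENY eth0 PROTO=17 24.237.48.54:2301 255.255.255.255:2301 L=40 S=0x00 I=56750 F=0x0000 T=128 (#5)",
    "Jun  5 17:01:03 discworld kernel: Packet log: input DENY eth0 PROTO=6 10.9.8.7:1234 192.168.1.5:21 L=44 S=0x00 I=1 F=0x4000 T=64 (#5)",
    "Jun  5 17:01:03 discworld kernel: Packet log: input DENY eth0 PROTO=6 10.9.8.7:1235 192.168.1.5:22 L=44 S=0x00 I=2 F=0x4000 T=64 (#5)",
    "Jun  5 17:01:04 discworld kernel: Packet log: input DENY eth0 PROTO=6 10.9.8.7:1236 192.168.1.5:23 L=44 S=0x00 I=3 F=0x4000 T=64 (#5)",
    "Jun  5 17:01:04 discworld kernel: Packet log: input DENY eth0 PROTO=6 10.9.8.7:1237 192.168.1.5:25 L=44 S=0x00 I=4 F=0x4000 T=64 (#5)",
    "Jun  5 17:02:00 discworld sshd[99]: Accepted publickey for josh",  # not a packet log line
]

# Layout of one ipchains line: chain, verdict, interface, PROTO=<ip proto>,
# src:sport dst:dport, L=<total length>, S=<TOS>, I=<IP id>,
# F=<fragment flags/offset>, T=<TTL>, and optionally (#<rule number>).
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)(?: \(#(?P<rule>\d+)\))?"
)


def parse_line(line):
    """Return the fields of one ipchains log line as a dict, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # syslog timestamps carry no year; only the intervals matter here
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl"):
        rec[key] = int(rec[key])
    rec["rule"] = int(rec["rule"]) if rec["rule"] else None
    return rec


def is_broadcast(ip):
    """Crude broadcast test: limited broadcast or a .255 host part."""
    return ip == "255.255.255.255" or ip.endswith(".255")


def classify(lines, scan_ports=3, min_beacons=3, jitter=0.1):
    """Map each source IP to {'verdict', 'packets', 'period_s'}.

    'port-scan': >= scan_ports distinct destination ports from one source.
    'periodic-broadcast': >= min_beacons packets to a single broadcast
    (dst, dport, proto) whose spacing varies by less than `jitter`
    (std. dev. / mean).  Anything else is 'unclassified'.
    Thresholds are assumptions chosen for this example.
    """
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_src[rec["src"]].append(rec)

    verdicts = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        result = {"verdict": "unclassified", "packets": len(recs), "period_s": None}
        targets = {(r["dst"], r["dport"], r["proto"]) for r in recs}
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        if len({r["dport"] for r in recs}) >= scan_ports:
            result["verdict"] = "port-scan"
        elif (len(recs) >= min_beacons and len(targets) == 1
              and is_broadcast(recs[0]["dst"])
              and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < jitter):
            result["verdict"] = "periodic-broadcast"
            result["period_s"] = mean(gaps)
        verdicts[src] = result
    return verdicts


if __name__ == "__main__":
    for src, res in classify(SAMPLE_LOG).items():
        print(f"{src:16} {res['verdict']:20} packets={res['packets']} period={res['period_s']}")
```

Run against the constructed sample, 24.237.48.54 comes out as a periodic broadcast with a 60-second period and 10.9.8.7 as a port scan. On real logs the jitter threshold matters: a beacon from a lightly loaded host is metronomic, while retransmitted or rate-limited traffic drifts, so a source that fails the beacon test but also touches only one port is exactly the case where the tcpdump capture suggested above is worth the effort.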
