Security Incidents mailing list archives
Re: What is this guy doing?
From: woods () WEIRD COM (Greg A. Woods)
Date: Thu, 8 Jun 2000 15:49:57 -0400
[ On Monday, June 5, 2000 at 18:00:29 (-0800), Josh Burroughs wrote: ]
Subject: What is this guy doing?

I've seen this pattern showing up in my logs for the past few days, what the hell is this guy trying to do?

Jun 5 16:52:11 discworld kernel: Packet log: input DENY eth0 PROTO=17 24.237.48.54:2301 255.255.255.255:2301 L=40 S=0x00 I=56747 F=0x0000 T=128 (#5)

It's almost certainly not any kind of probe or attack given that the exact same packets arrive one per minute from the same source address.

Officially it should be:

    cpq-wbem 2301/udp # Compaq HTTP (Scott Shaffer <scott.shaffer () compaq com>)

I seem to recall seeing mention of 2301 elsewhere though (though probably as TCP, not UDP) and so it may have been hijacked by some other application by someone unaware of the significance of destination port numbers in TCP and UDP on a public Internet....

It might be interesting to capture a few dozen raw packets and look inside them for other clues... perhaps with any other traffic to or from that same host:

    tcpdump -s 1500 -i eth0 -w weirdstuff.ip host 24.237.48.54

then after some time interrupt it and look in "weirdstuff.ip" (perhaps with "tcpdump -r", or ethereal, etc.).

--
Greg A. Woods

+1 416 218-0098 VE3TCP <gwoods () acm org> <robohack!woods>
Planix, Inc. <woods () planix com>; Secrets of the Weird <woods () weird com>
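
The reasoning in the reply above (identical packets, one per minute, same source, so a periodic broadcast rather than a probe) can be checked mechanically over a firewall log. The following is an added example, not part of the original message: it parses log lines in the format quoted above and reports flows whose arrival interval is nearly constant. The function names, the thresholds, the assumed year and every sample line are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# ipchains "Packet log" line layout, as in the log line quoted in the message.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\skernel: Packet log: "
    r"\S+\s\S+\s\S+\sPROTO=(?P<proto>\d+)\s"
    r"(?P<src>[\d.]+):\d+\s(?P<dst>[\d.]+):(?P<dport>\d+)\sL=(?P<len>\d+)")

def parse(line, year=2000):
    """Return the flow fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # syslog timestamps carry no year; the year is an assumption
    rec["time"] = datetime.strptime(f"{year} {rec.pop('ts')}", "%Y %b %d %H:%M:%S")
    return rec

def periodic_flows(lines, min_events=4, max_jitter=2.0):
    """Map (src, dst, proto, dport, length) -> mean interval in seconds for
    flows whose inter-arrival gaps vary by at most max_jitter (std. dev.)."""
    flows = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        key = (rec["src"], rec["dst"], rec["proto"], rec["dport"], rec["len"])
        flows[key].append(rec["time"])
    report = {}
    for key, times in flows.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) >= max(min_events, 2) - 1 and pstdev(gaps) <= max_jitter:
            report[key] = round(mean(gaps))
    return report

TAIL = "S=0x00 I=0 F=0x0000 T=128 (#5)"
# Constructed sample: a broadcast like the one in the message repeated about
# once a minute, plus irregular hits on one TCP port from documentation addresses.
SAMPLE = [
    f"Jun  5 16:{52 + i}:{s} discworld kernel: Packet log: input DENY eth0 "
    f"PROTO=17 24.237.48.54:2301 255.255.255.255:2301 L=40 {TAIL}"
    for i, s in enumerate([11, 12, 11, 10, 11])
] + [
    f"Jun  5 {t} discworld kernel: Packet log: input DENY eth0 "
    f"PROTO=6 192.0.2.77:4000 203.0.113.5:23 L=44 {TAIL}"
    for t in ("17:01:02", "17:01:05", "17:07:45", "17:08:05")
]
```

Calling `periodic_flows(SAMPLE)` reports only the UDP 2301 broadcast flow, with a 60 second interval; the irregular TCP hits are not flagged as periodic.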