Security Incidents mailing list archives

Re: Very Strange Attack


From: "Fulton L. Preston Jr." <fulton () PRESTONS ORG>
Date: Wed, 7 Feb 2001 21:20:24 -0500

This activity has been traced to a Nortel CVX device that is malforming
standard HTTP requests to a web server.  If you check your web server
log files you will see that at the exact same time of the "scan" a legit
request comes in to the web server.  Packet captures of the traffic on
21536 show that they too are GET requests, but the Nortel seems to send
them to the wrong port.

This issue was discussed in this very list last month.

http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Fmid%3D156038%26start%3D2001-01-12%26list%3D75%26fromthread%3D0%26threads%3D0%26end%3D2001-01-18%26

I too was concerned when I first saw these packets.  Each time a user
from splitrock.com accesses my web pages, boom, there are the packets.
Funny thing though, right on Nortel's website is a testimony about how
they helped SplitRock manage their networks by installing, you guessed
it, Nortel CVXs.

Regards,
Fulton Preston

-----Original Message-----
From: Mendoza, Luis [mailto:luis.mendoza () ATTLA COM]
Sent: Wednesday, February 07, 2001 10:23 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Very Strange Attack
Importance: High


Hi everybody,

I have received this traffic from the Internet; in all cases the destination
ports are not well-known but are the same (TCP:21536), and likewise the
source port (TCP:18245).

Is this traffic associated with some kind of attack or anything else?

Thanks

Luis Mendoza

Feb  3 15:11:58 66.50.24.49:18245 -> a.b.c.44:21536 VECNA *******U
Feb  3 15:12:02 66.50.24.49:18245 -> a.b.c.44:21536 NOACK 2*SFRP*U RESERVEDBITS
Feb  3 15:12:02 66.50.24.49:18245 -> a.b.c.44:21536 VECNA 2****P*U RESERVEDBITS
Feb  3 15:12:02 66.50.24.49:18245 -> a.b.c.44:21536 XMAS 2**F*P*U RESERVEDBITS
Feb  3 15:12:05 66.50.24.49:18245 -> a.b.c.44:21536 INVALIDACK 2***R*AU RESERVEDBITS

Feb  3 18:44:15 63.91.226.239:18245 -> a.b.c.44:21536 VECNA *******U
Feb  3 18:44:19 63.91.226.239:18245 -> a.b.c.44:21536 NOACK 2*SFRP*U RESERVEDBITS
Feb  3 18:44:19 63.91.226.239:18245 -> a.b.c.44:21536 VECNA 2****P*U RESERVEDBITS
Feb  3 18:44:19 63.91.226.239:18245 -> a.b.c.44:21536 XMAS 2**F*P*U RESERVEDBITS
Feb  3 18:44:22 63.91.226.239:18245 -> a.b.c.44:21536 INVALIDACK 2***R*AU RESERVEDBITS
Feb  3 18:44:26 63.91.226.239:18245 -> a.b.c.44:21536 NOACK 2*SFRP*U RESERVEDBITS

Feb  3 21:37:07 63.91.227.90:18245 -> a.b.c.44:21536 VECNA *******U
Feb  3 21:37:11 63.91.227.90:18245 -> a.b.c.44:21536 NOACK 2*SFRP*U RESERVEDBITS
Feb  3 21:37:11 63.91.227.90:18245 -> a.b.c.44:21536 VECNA 2****P*U RESERVEDBITS
Feb  3 21:37:11 63.91.227.90:18245 -> a.b.c.44:21536 XMAS 2**F*P*U RESERVEDBITS
Feb  3 21:37:14 63.91.227.90:18245 -> a.b.c.44:21536 INVALIDACK 2***R*AU RESERVEDBITS
Feb  3 21:37:18 63.91.227.90:18245 -> a.b.c.44:21536 NOACK 2*SFRP*U RESERVEDBITS

Feb  4 22:06:13 66.50.25.19:18245 -> a.b.c.44:21536 VECNA *******U
Feb  4 22:06:16 66.50.25.19:18245 -> a.b.c.44:21536 NOACK 2*SFRP*U RESERVEDBITS
Feb  4 22:06:16 66.50.25.19:18245 -> a.b.c.44:21536 VECNA 2****P*U RESERVEDBITS
Feb  4 22:06:16 66.50.25.19:18245 -> a.b.c.44:21536 XMAS 2**F*P*U RESERVEDBITS

