Security Incidents mailing list archives
Solegg ?
From: "David Gillett" <gillettdavid () fhda edu>
Date: Fri, 14 May 2004 09:52:30 -0700
I recently attempted to contact this forum about strange traffic coming from one of our hosts. (My message was rejected without explanation.) The host was sending out ICMP Echo-Reply packets which contained the keyword "skillz" and about 1K of null bytes. No ICMP Echo-Request packets were seen eliciting these.

This week, continuing to research this machine, I found that it was also the source of bursts of traffic from (spoofed) 127.0.0.x addresses to 108.122.0.0, in a range marked "reserved" by IANA. A Google search shows that other sites had seen such traffic going back as far as 2002, but I could not find any indication that its cause had been positively identified.

I still don't know for certain that this box was the victim of a single infestation, but the possibility that these are symptoms of the same compromise may be worth considering.

David Gillett
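The two symptoms described in the message above (Echo-Replies with no matching Echo-Request, and loopback source addresses on the wire) can be checked for in captured traffic. The following is an added example, not part of the original post: the addresses, ICMP id/seq values and the protocol of the loopback-sourced packet are constructed assumptions, and `ip_packet`, `icmp_echo` and `analyze` are hypothetical helper names.

```python
import ipaddress
import struct

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def ip_packet(src, dst, proto, payload=b""):
    """Build a minimal IPv4 packet (checksum left 0) for the constructed samples."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + payload

def icmp_echo(icmp_type, ident, seq, data=b""):
    """ICMP echo header: type 8 = request, type 0 = reply (checksum left 0)."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + data

def analyze(packets):
    """Return (index, reason) findings for raw IPv4 packets captured on the wire."""
    findings, pending = [], set()
    for i, pkt in enumerate(packets):
        ihl = (pkt[0] & 0x0F) * 4 if pkt else 0
        if len(pkt) < 20 or pkt[0] >> 4 != 4 or ihl < 20:
            continue  # not a parseable IPv4 header
        src, dst = ipaddress.ip_address(pkt[12:16]), ipaddress.ip_address(pkt[16:20])
        if src in LOOPBACK:  # loopback sources must never appear off-host
            findings.append((i, f"loopback source {src} on the wire, dst {dst}"))
        if pkt[9] != 1 or len(pkt) < ihl + 8:
            continue  # only ICMP is examined further
        icmp_type, _, _, ident, seq = struct.unpack("!BBHHH", pkt[ihl:ihl + 8])
        data = pkt[ihl + 8:]
        if icmp_type == 8:
            pending.add((src, dst, ident, seq))  # a reply to this is expected
        elif icmp_type == 0 and (dst, src, ident, seq) in pending:
            pending.discard((dst, src, ident, seq))  # solicited reply
        elif icmp_type == 0:
            findings.append((i, f"unsolicited echo reply {src} -> {dst}, "
                                f"keyword={b'skillz' in data}, nulls={data.count(0)}"))
    return findings

# Constructed sample traffic (documentation addresses; not data from the post).
SAMPLE = [
    ip_packet("192.0.2.10", "198.51.100.7", 1, icmp_echo(8, 1, 1, b"ping")),
    ip_packet("198.51.100.7", "192.0.2.10", 1, icmp_echo(0, 1, 1, b"ping")),
    ip_packet("192.0.2.10", "203.0.113.5", 1, icmp_echo(0, 7, 0, b"skillz" + bytes(1024))),
    ip_packet("127.0.0.3", "108.122.0.0", 17),  # protocol is an assumption
]

if __name__ == "__main__":
    for idx, reason in analyze(SAMPLE):
        print(idx, reason)
```

The request/reply matching only works if the capture point sees both directions of the flow; on a one-way tap every reply would appear unsolicited.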