Re: Suspicious traffic w src & dst port 19161

[tony sena <tsena69 () gmail com>]

In-Reply-To: <4f0e191c05042820586afb229b () mail gmail com>

Hello, Either of you two get a trace on that traffic? 
Packet capture or any other details. I have been following the discussion on the ISC Handlers Diary and there haven't 
been updates by anyone. 

Just curious, and I wouldn't mind taking a look at that  raw datagram. 

Sincerely, 

Tony

> Received: (qmail 29110 invoked from network); 29 Apr 2005 16:02:16 -0000
> Received: from outgoing.securityfocus.com (HELO outgoing3.securityfocus.com) (205.206.231.27)
>  by mail.securityfocus.com with SMTP; 29 Apr 2005 16:02:16 -0000
> Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
>       by outgoing3.securityfocus.com (Postfix) with QMQP
>       id EE1E7237852; Fri, 29 Apr 2005 10:09:03 -0600 (MDT)
> Mailing-List: contact incidents-help () securityfocus com; run by ezmlm
> Precedence: bulk
> List-Id: <incidents.list-id.securityfocus.com>
> List-Post: <mailto:incidents () securityfocus com>
> List-Help: <mailto:incidents-help () securityfocus com>
> List-Unsubscribe: <mailto:incidents-unsubscribe () securityfocus com>
> List-Subscribe: <mailto:incidents-subscribe () securityfocus com>
> Delivered-To: mailing list incidents () securityfocus com
> Delivered-To: moderator for incidents () securityfocus com
> Received: (qmail 32214 invoked from network); 29 Apr 2005 04:25:34 -0000
> DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
>        s=beta; d=gmail.com;
>        
> h=received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references;
>        
> b=riy2/VLNDp0IeoC1nJ6k8Gd90uoPe0akGUZRYiqbkXwkGAnBYjC8oXYX8EuzGEpICmsz6dsUB1k3bDRZ349+/ts2kCKUT4GjMy5QE/7eTx+H97O1H43IfO3Sb7suacQZ1AljjH9Etns/fJuRDdyTMMo0UIIkkb6By3BqLRXDKOs=
> Message-ID: <4f0e191c05042820586afb229b () mail gmail com>
> Date: Thu, 28 Apr 2005 22:58:37 -0500
> From: Kyle Maxwell <krmaxwell () gmail com>
> Reply-To: Kyle Maxwell <krmaxwell () gmail com>
> To: "Fergie (Paul Ferguson)" <fergdawg () netzero net>
> Subject: Re: Suspicious traffic w src & dst port 19161
> Cc: incidents () securityfocus com
> In-Reply-To: <20050428.130325.10859.8881 () webmail01 lax untd com>
> Mime-Version: 1.0
> Content-Type: text/plain; charset=ISO-8859-1
> Content-Transfer-Encoding: quoted-printable
> Content-Disposition: inline
> References: <20050428.130325.10859.8881 () webmail01 lax untd com>
>
> On 4/28/05, Fergie (Paul Ferguson) <fergdawg () netzero net> wrote:
> > Any ideas? I can probably get a trace, but I thought I
> > would ask the list first..
>
> A trace would indeed be helpful. There was some discussion of what
> might be related traffic on the Internet Storm Center last spring; see
> http://isc.sans.org/diary.php?date=3D2004-05-18. Additional suggestions
> were provided in http://isc.sans.org/diary.php?date=3D2004-06-01 (to
> change the fragmentation detection settings).
>
> I didn't see any more discussion on the ISC, so unless someone else on
> the list knows more (hopefully!), your captures will probably be a big
> help.
>
> --=20
> Kyle Maxwell
> [krmaxwell () gmail com]
>
> --------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from 
> CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
> to learn more.
> --------------------------------------------------------------------------