Security Incidents mailing list archives
Bizarre traffic
From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 9 Feb 2006 09:57:18 -0800
Does anybody know of anything (malware, hackware, other?) that would cause a machine to put out traffic with the first octet of the destination address (re)set to ZERO? The traffic I saw all was headed for port 443, and wasn't decipherable. The variation in packet size looked like a real conversation, although return packets (if any) weren't passing my sniffer. The destination addresses, sans the bogus first octet, looked like addresses of a couple of real internal servers (source address was internal) -- which, however, do not have HTTPS service active. [This traffic correlated with various intermittent disruptions of our network, which stopped when the source machine dropped off the network. It later reappeared -- and so did a brief disruption -- long enough for me to pinpoint and ban it.] David Gillett
Current thread:
- Bizarre traffic David Gillett (Feb 10)
- Re: Bizarre traffic Brian Rectanus (Feb 10)
- RE: Bizarre traffic David Gillett (Feb 13)
- RE: Bizarre traffic David Gillett (Feb 27)
- <Possible follow-ups>
- Re: RE: Bizarre traffic mosquitooth (Feb 17)
- Re: RE: Bizarre traffic selfinnoculation (Feb 23)
- Re: RE: Bizarre traffic Ramez Hanna (Feb 23)
- Re: RE: Bizarre traffic Ansgar -59cobalt- Wiechers (Feb 24)
- Re: RE: Bizarre traffic Dick St.Peters (Feb 24)
- Re: RE: Bizarre traffic Ramez Hanna (Feb 23)
- Re: Bizarre traffic Brian Rectanus (Feb 10)