Security Basics mailing list archives

Re: Strange outgoing packets ...


From: "Barry Irwin" <bvi () itouchlabs com>
Date: Fri, 31 Jan 2003 06:44:50 +0200

Port 1985 is used by Cisco routers for their HSRP high-availability
implementation.
The word "p0rnst4r" is the passphrase used to authenticate members of the
failover group to each other.

Regards.

Barry


--
Barry Irwin         bvi () itouchlabs com                    Tel: +27214875178
Systems Administrator: Networks And Security
iTouch TAS      http://www.itouchlabs.com         Mobile: +27824457210


----- Original Message -----
From: "Mobius" <Mobius () PlaneofChaos net>
To: "Daniel Nyström" <exce () netwinder nu>
Cc: <security-basics () securityfocus com>
Sent: Thursday, January 30, 2003 2:41 AM
Subject: Re: Strange outgoing packets ...


Check the IP address that these packets have been going to.  See if it's
some sort of porno site, or someone's personal machine.  You could well be
"0wned" but it's too early to make that assumption.

If it IS going to a porno site, then check to see if you have any strange
software on your machine, anything that could be designed to find and
download porn.  It happens from time to time, especially if anyone else
uses your machine.  Also, have you checked for Virii/Trojans since you saw
that?

At 11:04 AM 1/29/2003, Daniel Nyström wrote:
Hello!

Fired up tcpdump the other day and caught this coming out of my Debian 3.0
box... Looked around a little bit and saw that other people had the same
packets coming out of their boxes as well.. allrighty then, I thought..
until I decided to check the packet out a little bit more.. and this is
what I got:

17:14:22.308564 <MYSERVERIP>.1985 > ALL-ROUTERS.MCAST.NET.1985:  udp 20
[tos 0xc0]
0x0000   45c0 0030 0000 0000 0211 4005 d572 c283        E..0......@..r..
0x0010   e000 0002 07c1 07c1 001c 425c 0000 0803        ..........B\....
0x0020   0a62 0100 7030 726e 7374 3472 d572 c281        .b..p0rnst4r.r..

Seems kinda strange that the word "p0rnst4r" is in that packet... Doesn't
it?

Anyone experienced this before? Or am I totally 0wned :)

/Daniel Nyström
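Decoding the dump against Barry's answer, as an added example that is not part of the thread or of any poster's code: the Python below parses the three hex lines from Daniel's mail as IPv4 + UDP + a 20-byte HSRP version 1 message, using the RFC 2281 field order (version, opcode, state, hellotime, holdtime, priority, group, reserved, 8 bytes of authentication data, virtual IP). The dataclass, the opcode/state tables and the findings() helper are this example's own names; the only input is the packet quoted above, transcribed here as a constant, and the "cisco" default comes from RFC 2281's recommendation for routers with no authentication data configured.

```python
import ipaddress
import struct
from dataclasses import dataclass

HSRP_PORT = 1985
HSRP_OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
HSRP_STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}
# RFC 2281 recommends "cisco" (NUL-padded to 8 bytes) when no authentication data is configured.
HSRP_DEFAULT_AUTH = b"cisco\x00\x00\x00"

# Sample input: the three hex-dump lines from Daniel's tcpdump output
# (IPv4 header + UDP header + HSRP message), transcribed as a constant.
SAMPLE_HEX = (
    "45c0 0030 0000 0000 0211 4005 d572 c283 "
    "e000 0002 07c1 07c1 001c 425c 0000 0803 "
    "0a62 0100 7030 726e 7374 3472 d572 c281"
)
SAMPLE_PACKET = bytes.fromhex(SAMPLE_HEX.replace(" ", ""))


@dataclass
class HsrpPacket:
    src_ip: str
    dst_ip: str
    ttl: int
    version: int
    opcode: str
    state: str
    hellotime: int
    holdtime: int
    priority: int
    group: int
    auth: bytes
    virtual_ip: str


def parse_hsrp(frame: bytes) -> HsrpPacket:
    """Decode an IPv4/UDP datagram carrying an HSRP version 1 message (RFC 2281, section 5.1)."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (frame[0] & 0x0F) * 4           # IPv4 header length in bytes (options included)
    ttl, proto = frame[8], frame[9]
    if proto != 17:
        raise ValueError("not UDP")
    src_ip = str(ipaddress.IPv4Address(frame[12:16]))
    dst_ip = str(ipaddress.IPv4Address(frame[16:20]))
    sport, dport, ulen = struct.unpack("!HHH", frame[ihl:ihl + 6])
    if dport != HSRP_PORT:
        raise ValueError(f"UDP port {dport} is not HSRP")
    payload = frame[ihl + 8:ihl + ulen]    # UDP length covers the 8-byte UDP header
    if len(payload) != 20:
        raise ValueError(f"HSRPv1 message must be 20 bytes, got {len(payload)}")
    # Eight single-byte fields, then 8 bytes of authentication data, then the virtual IP.
    (version, opcode, state, hellotime, holdtime,
     priority, group, _reserved, auth, vip) = struct.unpack("!8B8s4s", payload)
    return HsrpPacket(
        src_ip=src_ip, dst_ip=dst_ip, ttl=ttl, version=version,
        opcode=HSRP_OPCODES.get(opcode, f"unknown({opcode})"),
        state=HSRP_STATES.get(state, f"unknown({state})"),
        hellotime=hellotime, holdtime=holdtime, priority=priority, group=group,
        auth=auth, virtual_ip=str(ipaddress.IPv4Address(vip)),
    )


def auth_string(pkt: HsrpPacket) -> str:
    """The authentication field as the operator typed it (NUL padding stripped)."""
    return pkt.auth.rstrip(b"\x00").decode("ascii", errors="replace")


def findings(pkt: HsrpPacket) -> list[str]:
    """What a reviewer would note about this hello: the fields that decide who becomes active."""
    notes = [
        f"{pkt.opcode} from {pkt.src_ip} to {pkt.dst_ip} (TTL {pkt.ttl}): "
        f"group {pkt.group}, state {pkt.state}, priority {pkt.priority}, "
        f"virtual IP {pkt.virtual_ip}, hello {pkt.hellotime}s / hold {pkt.holdtime}s",
        f"authentication data sent in cleartext: {auth_string(pkt)!r}",
    ]
    if pkt.auth == HSRP_DEFAULT_AUTH:
        notes.append("authentication data is the RFC 2281 default 'cisco'")
    if pkt.dst_ip != "224.0.0.2":
        notes.append("hello not sent to the all-routers multicast group 224.0.0.2")
    return notes


if __name__ == "__main__":
    for line in findings(parse_hsrp(SAMPLE_PACKET)):
        print(line)
```

Run against the quoted dump, the bytes 0000 0803 0a62 0100 come out as version 0, opcode Hello, state Standby, hello 3 s, hold 10 s, priority 98, group 1, followed by the eight authentication bytes p0rnst4r and the virtual address ending in .129. That is the point of Barry's answer: an HSRP version 1 hello carries its group password as plain bytes in every packet, so anyone who can capture traffic on that segment reads it, and the same priority field in the same multicast hello is what decides which router holds the virtual IP.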
