Security Incidents mailing list archives

85.85.85.85 weirdness


From: wozz+incidents () WOOKIE NET (Wozz)
Date: Tue, 18 Jul 2000 19:37:49 -0600


Anyone have any idea what I might be seeing here?  I just turned up an NFR
probe at Exodus in DC, and I'm seeing all sorts of traffic as follows

NFR:                dc-probefe
Source:             85.85.85.85
Destination:        85.85.85.85
Type of attack:     Land
Protocol:           1
Src Port:           0
DST Port:           0
ICMP Type:          85
ICMP Code:          85
Packet:

E\\x00\\x008\\x80\\x1e\\x00\\x00\\x01\\x01UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
Count:                   1

I also get occasional variations as follows

NFR:                dc-probefe
Source:             85.85.85.85
Destination:        85.85.85.85
Type of attack:     Land
Protocol:           6
Src Port:           21845
DST Port:           21845
ICMP Type:          0
ICMP Code:          0
Packet:

E\\x00\\x02`\\xc6\\x01@\\x00\\xff\\x06\\xd7\\xf6UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
Count:                   1

and

NFR:                dc-probefe
Source:             85.85.85.85
Destination:        85.85.85.85
Type of attack:     Land
Protocol:           17
Src Port:           21845
DST Port:           21845
ICMP Type:          0
ICMP Code:          0
Packet:

E\\x00\\x00""\\xe1\\xd3\\x00\\x00@\\x11\\x12UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
Count:                   1

My probe is sitting in front of my firewall box, and when I do a tcpdump on
my firewall searching for any of these packets, nothing comes up.  The only
thing I can figure is that this is some sort of weird packet that's being
misinterpreted by NFR.  Perhaps some sort of ethernet broadcast being used
by Exodus's Foundry VLANs?

Just curious if anyone else has seen anything like this on an NFR system or
otherwise.
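
The 'U' that fills every packet dump above is byte 0x55, which is 85 in decimal, and 0x5555 is 21845. As an added example (not part of the original post), this Python sketch rebuilds the leading bytes of two of the dumps, pads them with 0x55 and decodes them the way a sensor would, so each alert field can be compared with the fill pattern. The 40-byte padded length and all function names are assumptions.

```python
import struct
from ipaddress import IPv4Address

FILL = 0x55  # ASCII 'U', the byte repeated through every dump in the post

# First bytes of two dumps from the post, re-typed as hex; the padding out to
# 40 bytes with FILL is constructed, since the post's dumps are cut off.
ICMP_HEAD = bytes.fromhex("45000038801e00000101")      # "Protocol: 1" alert
TCP_HEAD = bytes.fromhex("45000260c6014000ff06d7f6")   # "Protocol: 6" alert

def pad(head: bytes, size: int = 40) -> bytes:
    return head + bytes([FILL]) * (size - len(head))

def decode(pkt: bytes) -> dict:
    """Read the fields an IDS alert reports from a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    out = {"proto": pkt[9],
           "src": str(IPv4Address(pkt[12:16])),
           "dst": str(IPv4Address(pkt[16:20]))}
    if out["proto"] == 1:                      # ICMP: type, code
        out["icmp_type"], out["icmp_code"] = pkt[ihl], pkt[ihl + 1]
    elif out["proto"] in (6, 17):              # TCP/UDP: source, destination port
        out["sport"], out["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return out

def header_checksum_ok(pkt: bytes) -> bool:
    """RFC 791 check: one's-complement sum of the header words must be 0xFFFF."""
    ihl = (pkt[0] & 0x0F) * 4
    total = sum(struct.unpack(f"!{ihl // 2}H", pkt[:ihl]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def is_fill_from_addresses(pkt: bytes) -> bool:
    """True when everything from the source address onward is one repeated byte."""
    return len(set(pkt[12:])) == 1

if __name__ == "__main__":
    for head in (ICMP_HEAD, TCP_HEAD):
        pkt = pad(head)
        print(decode(pkt), "fill:", is_fill_from_addresses(pkt),
              "checksum ok:", header_checksum_ok(pkt))
```

For the TCP variant, whose checksum bytes are not part of the fill, `header_checksum_ok` returns False with the 0x55 address bytes in place.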

