Security Incidents mailing list archives
Re: Port 65535
From: RichC () LOEHMANNS COM (Rich Corbett)
Date: Tue, 7 Mar 2000 08:50:11 -0500
Mike,

I have seen this when a user decided to run an Eggdrop bot through my network. When his machine was not connected, the other member bot was attempting to contact his. After analyzing the errors I found that they only occurred "off-hours". I was able to then narrow down that it had to be some application running through the proxies & firewalls - I narrowed it down by starting with our development team - turning on one machine at a time - sure enough an eggdrop is what I found.

The scary part about it all was that the server that the packets were coming from was located in Russia - I had no freaking idea as to what was going on. I cannot remember what port it was using at this point, but try to see what apps could be running from the inside. I have made the necessary provisions to ensure that this will not happen again! :o)

G'Luck
Rich

-----Original Message-----
From: Murray, Mike [mailto:Mike.Murray () UTORONTO CA]
Sent: Saturday, March 04, 2000 10:58 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Port 65535

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Pavel,

That's good info... thanks... )

Now, why in the world would someone be sending me incomplete packets exactly every two minutes? Anybody have experience getting this? Perhaps some sort of misconfiguration, or something hostile?

On 04-Mar-00 Pavel Kankovsky wrote:
This is a fragment (F stands for fragment offset). ipchains leaves port numbers equal to (u_short)(-1) if the fragment does not include a (complete) TCP/UDP header.

- ----------------------------------
Message sent on 04-Mar-00 at 22:59:02
Mike Murray
Apt 1402 666 Spadina Ave
Toronto, ON M5S 2H8
Phone: (416) 323-3160

I can't think of anything pithy to say at all, today. So, I ramble.
- ----------------------------------

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2

iQA/AwUBOMHbh4DBZTHOsqLmEQIRHgCeK9jSh0d/GiOLxTECOD/Gnv1PtAYAn3pL
2pLTLNUgoHBnnCHmdFImP9+a
=htZa
-----END PGP SIGNATURE-----
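
Added example, not part of the thread or written by any of its participants: a log triage sketch for the behaviour Pavel describes, separating "port 65535" entries that are header-less fragments from entries where the port value could be real. The "Packet log:" line layout, the F bit layout (flags in the top bits, offset in 8-byte units) and the sample lines are assumptions constructed for illustration.

```python
import re

# (u_short)(-1): -1 truncated to 16 bits, the port value left in the log
# when the fragment carries no complete TCP/UDP header.
NO_PORT = -1 & 0xFFFF  # 65535

# Assumed layout of an ipchains "Packet log:" line.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r".*?\bI=(?P<ipid>\d+) F=0x(?P<frag>[0-9A-Fa-f]{4})"
)

def decode_frag(field):
    """Split the 16-bit F value into DF, MF and the fragment offset in bytes."""
    return {"df": bool(field & 0x4000), "mf": bool(field & 0x2000),
            "offset": (field & 0x1FFF) * 8}  # offset is stored in 8-byte units

def classify(line):
    """Return (label, details) for one log line, or None if it does not parse."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    frag = decode_frag(int(m["frag"], 16))
    ports = (int(m["sport"]), int(m["dport"]))
    info = {"src": m["src"], "dst": m["dst"], "ipid": int(m["ipid"]), **frag}
    if NO_PORT not in ports:
        return "ports-present", info
    if frag["offset"] > 0:
        # Later fragment: no TCP/UDP header in it, so 65535 is a placeholder.
        return "fragment-no-header", info
    # Offset 0: a truncated first fragment or a genuine port 65535; inspect it.
    return "check-first-fragment", info

# Constructed sample lines using documentation addresses, not data from the thread.
SAMPLE = [
    "Mar  4 22:40:01 fw kernel: Packet log: input DENY eth0 PROTO=17 "
    "192.0.2.10:65535 198.51.100.5:65535 L=1500 S=0x00 I=4242 F=0x00B9 T=52 (#7)",
    "Mar  4 22:40:02 fw kernel: Packet log: input DENY eth0 PROTO=6 "
    "192.0.2.10:1025 198.51.100.5:80 L=60 S=0x00 I=4243 F=0x4000 T=52 (#7)",
    "Mar  4 22:42:01 fw kernel: Packet log: input DENY eth0 PROTO=17 "
    "192.0.2.10:65535 198.51.100.5:53 L=28 S=0x00 I=4244 F=0x0000 T=52 (#7)",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line))
```

Grouping the "fragment-no-header" entries by source address and IP ID shows whether the same datagram is being re-sent on a timer, which is the pattern Mike asks about.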