Security Incidents mailing list archives

Re: Port 65535


From: RichC () LOEHMANNS COM (Rich Corbett)
Date: Tue, 7 Mar 2000 08:50:11 -0500


Mike,
        I have seen this when a user decided to run an Eggdrop bot through
my network.  When his machine was not connected, the other member bot was
attempting to contact his.  After analyzing the errors I found that they
only occurred "off-hours".  I was able to then narrow down that it had to be
some application running through the proxies & firewalls - I narrowed it
down by starting with our development team - turning on one machine at a
time  -  sure enough an eggdrop is what I found.  The scary part about it
all was that the server that the packets were coming from was located in
Russia - I had no freaking idea as to what was going on.  I cannot remember
what port it was using at this point, but try to see what apps could be
running from the inside.  I have made the necessary provisions to ensure
that this will not happen again!  :o)

G'Luck
Rich

-----Original Message-----
From: Murray, Mike [mailto:Mike.Murray () UTORONTO CA]
Sent: Saturday, March 04, 2000 10:58 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Port 65535

Pavel,

        That's good info... thanks... )

        Now, why in the world would someone be sending me incomplete packets
exactly every two minutes?  Anybody have experience getting this?  Perhaps
some sort of misconfiguration, or something hostile?

On 04-Mar-00 Pavel Kankovsky wrote:
This is a fragment (F stands for fragment offset). ipchains leaves port
numbers equal to (u_short)(-1) if the fragment does not include a
(complete) TCP/UDP header.

----------------------------------
Message sent on 04-Mar-00 at 22:59:02

Mike Murray
Apt 1402
666 Spadina Ave
Toronto, ON
M5S 2H8

Phone: (416) 323-3160

        I can't think of anything pithy to say at
        all, today.  So, I ramble.
----------------------------------


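An added example, not part of this thread: a small Python classifier for ipchains log lines that applies Pavel's observation, treating 65535:65535 on a line with a nonzero fragment offset as "ports unknown" rather than as traffic on port 65535, and checking whether such fragments from one source arrive at a fixed interval like the two-minute cadence Mike describes. The syslog prefix and the L/S/I/F/T field layout are assumed from the ipchains log format; the sample lines are constructed.

```python
import re
from datetime import datetime

# Syslog prefix followed by the ipchains "Packet log:" line. Field layout is
# assumed from the ipchains log format: L=length S=TOS I=IP id F=fragment word T=TTL.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x[0-9a-fA-F]+ I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)"
)

PORT_UNKNOWN = 0xFFFF  # (u_short)(-1): no TCP/UDP header visible in this fragment

def parse_line(line):
    """Return a dict describing the logged packet, or None if the line is not ipchains."""
    m = LOG_RE.search(line)
    if not m:
        return None
    frag = int(m["frag"], 16)
    offset = frag & 0x1FFF  # low 13 bits of the IP fragment word: offset in 8-byte units
    sport, dport = int(m["sport"]), int(m["dport"])
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=2000),
        "src": m["src"], "dst": m["dst"], "proto": int(m["proto"]),
        "sport": sport, "dport": dport, "ipid": int(m["ipid"]),
        "offset": offset, "more_fragments": bool(frag & 0x2000),
        # 65535 here means ipchains could not see a transport header,
        # not that anything is listening on port 65535.
        "ports_unknown": offset > 0 and sport == PORT_UNKNOWN and dport == PORT_UNKNOWN,
    }

def fragment_report(lines):
    """Group header-less fragments by source and measure the spacing between them."""
    recs = [r for r in map(parse_line, lines) if r and r["ports_unknown"]]
    report = {}
    for src in sorted({r["src"] for r in recs}):
        times = sorted(r["ts"] for r in recs if r["src"] == src)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[src] = {"count": len(times), "gaps": gaps,
                       "periodic": len(gaps) >= 2 and max(gaps) - min(gaps) <= 1.0}
    return report

# Constructed sample: three trailing fragments from one host two minutes apart,
# plus one ordinary UDP packet that carries its header (F=0x0000, real ports).
SAMPLE = """\
Mar  4 22:00:05 gw kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.10:65535 198.51.100.7:65535 L=48 S=0x00 I=4011 F=0x0003 T=52
Mar  4 22:02:05 gw kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.10:65535 198.51.100.7:65535 L=48 S=0x00 I=4012 F=0x0003 T=52
Mar  4 22:02:40 gw kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.9:53 198.51.100.7:1025 L=80 S=0x00 I=77 F=0x0000 T=64
Mar  4 22:04:05 gw kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.10:65535 198.51.100.7:65535 L=48 S=0x00 I=4013 F=0x0003 T=52
""".splitlines()

if __name__ == "__main__":
    for src, info in fragment_report(SAMPLE).items():
        print(src, info)
```

A source whose fragments come in on a fixed schedule with no first fragment ever seen points at an application or misconfiguration behind the peer, which is the line of investigation Rich describes.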
