Security Incidents mailing list archives

Re: unusual packet (tcpdump shows): rad-#0 41 [id 0] Attr[


From: James Sneeringer <james+incidents () vincentsystems com>
Date: Sat, 19 Oct 2002 00:07:57 -0500

On Fri, Oct 18, 2002 at 01:31:15PM -0000, Melt Man wrote:
20:32:22.658735 200.213.38.137.1812 > XX.XX.XX.XX.1812:  rad-#0 41
[id 0] Attr[  Term_action Term_action Term_action Term_action
Term_action Term_action Term_action Term_action Term_action
Term_action Term_action

This is probably the Slapper worm.  One variant of it uses udp/1812
to communicate with other infected servers.  However, udp/1812 is
registered for RADIUS authentication, and tcpdump knows that, so it's
trying to decode the packet as if it were a RADIUS authentication
request.  For more info:

    http://isc.incidents.org/analysis.html?id=175

-James


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
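
A structural check that separates real RADIUS from other traffic on udp/1812, as an added example that is not part of the original post: it validates the RFC 2865 header and attribute layout that tcpdump assumes when it decodes by port number. The function name and both sample payloads are constructed for illustration; the second only mimics the code 0, id 0, 41-byte shape suggested by the trace (reading "rad-#0 41 [id 0]" that way is an assumption) and is not the worm's actual wire format.

```python
import struct

# RADIUS codes from RFC 2865/2866, plus Status-Server and Status-Client.
KNOWN_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
               4: "Accounting-Request", 5: "Accounting-Response",
               11: "Access-Challenge", 12: "Status-Server", 13: "Status-Client"}
HEADER_LEN = 20   # code(1) + identifier(1) + length(2) + authenticator(16)
MAX_LEN = 4096    # largest packet RFC 2865 allows


def radius_problems(payload: bytes) -> list[str]:
    """Return structural reasons why a UDP payload is not well-formed RADIUS."""
    if len(payload) < HEADER_LEN:
        return [f"payload is {len(payload)} bytes, shorter than the 20-byte header"]
    problems = []
    code, _ident, length = struct.unpack("!BBH", payload[:4])
    if code not in KNOWN_CODES:
        problems.append(f"unknown code {code}")
    if not HEADER_LEN <= length <= MAX_LEN:
        problems.append(f"length field {length} outside 20..4096")
        return problems
    if length > len(payload):
        problems.append(f"length field {length} exceeds payload of {len(payload)} bytes")
        return problems
    # Walk the attribute TLVs; they must tile the declared length exactly.
    pos = HEADER_LEN
    while pos < length:
        if length - pos < 2:
            problems.append(f"truncated attribute header at offset {pos}")
            break
        attr_type, attr_len = payload[pos], payload[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            problems.append(
                f"attribute type {attr_type} at offset {pos} has bad length {attr_len}")
            break
        pos += attr_len
    return problems


# Constructed samples (not captured traffic).
# Minimal Access-Request carrying User-Name (type 1) = "alice".
GOOD = struct.pack("!BBH", 1, 7, 27) + bytes(16) + bytes([1, 7]) + b"alice"
# 41 bytes, code 0, id 0; the filler after the header is arbitrary.
ODD = struct.pack("!BBH", 0, 0, 41) + bytes(16) + bytes([29, 0]) * 10 + b"\x1d"

if __name__ == "__main__":
    for name, pkt in (("GOOD", GOOD), ("ODD", ODD)):
        print(name, radius_problems(pkt) or "looks like RADIUS")
```

A payload on udp/1812 that fails these checks is worth a closer look regardless of how the sniffer labels it.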

