Security Incidents mailing list archives
Re: unusual packet (tcpdump shows): rad-#0 41 [id 0] Attr[
From: James Sneeringer <james+incidents () vincentsystems com>
Date: Sat, 19 Oct 2002 00:07:57 -0500
On Fri, Oct 18, 2002 at 01:31:15PM -0000, Melt Man wrote:
> 20:32:22.658735 200.213.38.137.1812 > XX.XX.XX.XX.1812: rad-#0 41 [id 0] Attr[ Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action

This is probably the Slapper worm. One variant of it uses udp/1812 to communicate with other infected servers. However, udp/1812 is registered for RADIUS authentication, and tcpdump knows that, so it's trying to decode the packet as if it were a RADIUS authentication request.

For more info: http://isc.incidents.org/analysis.html?id=175

-James

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com