Security Incidents mailing list archives

Re: strange cmd.exe access


From: Valdis.Kletnieks () vt edu
Date: Fri, 30 May 2003 18:43:44 -0400

On Fri, 30 May 2003 18:13:11 EDT, Jeff Adams <JAdams () NetCentrics com>  said:

What is strange is that the cmd.exe / root.exe stuff is half way
through, with some other code before it. The IP it hit was not mapped to
anything (I believe it is unused), so this can not have been part of
another TCP conversation. Any ideas?

I have been seeing similar odd cmd.exe packets as well.

It looks like part of a Code Red or a new variant.

Anyone else seeing the same?

You know, it *IS* possible for a router to accidentally mangle the destination
IP address undetected - the checksum on the IP header isn't foolproof.  So
suddenly the packet is headed off to some new address with one or two bits
different. Instead of heading to 64.119.12.9, it's now heading to 192.119.12.9.
Whoops. ;)

Usually, this isn't a problem, because the following will happen:

1) The erroneous destination box throws an RST packet back because it's
never heard of the connection.
1a) The original source deep-sixes the RST because it's from a host it's
not talking to.

2) The original source doesn't get an ACK, and retransmits, and all is fine.

Not saying this *IS* the explanation, and it probably isn't if OTHER people
are seeing 'second packets only' symptoms - but I *have* seen this sort of
thing in production (fortunately, it was a bad memory card on a router giving
us a steady/intermittent stream of bogon packets so we could backtrace).


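An added illustration of the "checksum isn't foolproof" point above (example code, not from the thread): it builds a constructed IPv4 header addressed to 64.119.12.9 with a constructed source of 192.0.2.10, computes the RFC 1071 header checksum, and shows that the single-bit flip to 192.119.12.9 is caught by any hop that actually verifies the checksum, while two flips of the same bit position in different header words cancel in the ones'-complement sum and pass verification unchanged. The same `checksum_ok` check is what a forensic reviewer would run over captured headers to tell corrupted-in-transit packets from deliberately crafted ones.

```python
import struct
from socket import inet_aton, inet_ntoa

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071: ones'-complement of the ones'-complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def checksum_ok(header: bytes) -> bool:
    """A header whose stored checksum is correct sums to 0xFFFF, so the
    recomputed checksum over the whole header (checksum field included) is 0."""
    return ipv4_checksum(header) == 0

def build_header(src: str, dst: str) -> bytes:
    """Constructed 20-byte IPv4 header (no options, TCP payload, total length 40)
    with the checksum field filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                      inet_aton(src), inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def flip_bit(header: bytes, byte_index: int, bit: int) -> bytes:
    """Simulate a memory/router fault: invert one bit of the header."""
    b = bytearray(header)
    b[byte_index] ^= 1 << bit
    return bytes(b)

def demo() -> dict:
    # Source address is a constructed TEST-NET-1 value; destination is the one from the thread.
    hdr = build_header("192.0.2.10", "64.119.12.9")
    # One flip: first octet of dst 0x40 -> 0xC0, i.e. 64.119.12.9 -> 192.119.12.9 (+0x8000 in word 8).
    one_bit = flip_bit(hdr, 16, 7)
    # Second flip in the same bit position of the src word: 0xC0 -> 0x40 (-0x8000 in word 6).
    # The two changes cancel in the sum, so the stored checksum still verifies.
    two_bit = flip_bit(one_bit, 12, 7)
    return {
        "original_ok": checksum_ok(hdr),
        "one_bit_dst": inet_ntoa(one_bit[16:20]),
        "one_bit_ok": checksum_ok(one_bit),
        "two_bit_src": inet_ntoa(two_bit[12:16]),
        "two_bit_dst": inet_ntoa(two_bit[16:20]),
        "two_bit_ok": checksum_ok(two_bit),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Routers that do not verify the incoming header checksum before recomputing it for the TTL decrement will launder even the single-bit case, which is why the fault the post describes can reach the wrong destination undetected.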