Security Incidents mailing list archives
Re: strange cmd.exe access
From: Valdis.Kletnieks () vt edu
Date: Fri, 30 May 2003 18:43:44 -0400
On Fri, 30 May 2003 18:13:11 EDT, Jeff Adams <JAdams () NetCentrics com> said:
what is strange is that the cmd.exe / root.exe stuff is half way through with some other code before it the ip it hit was not mapped to anything ( I believe it is unused) so this can not have been part of another tcp conversation any ideas ?

I have been seeing similar odd cmd.exe packets as well. It looks like part of a Code Red or a new variant. Anyone else seeing the same?
You know, it *IS* possible for a router to accidentally mangle the destination IP address undetected - the checksum on the IP header isn't foolproof. So suddenly the packet is headed off to some new address with one or two bits different. Instead of heading to 64.119.12.9, it's now heading to 192.119.12.9. Whoops. ;)

Usually, this isn't a problem, because the following will happen:

1) The erroneous destination box throws an RST packet back because it's never heard of the connection.
1a) The original source deep-sixes the RST because it's from a host it's not talking to.
2) The original source doesn't get an ACK, and retransmits, and all is fine.

Not saying this *IS* the explanation, and it probably isn't if OTHER people are seeing 'second packets only' symptoms - but I *have* seen this sort of thing in production (fortunately, it was a bad memory card on a router giving us a steady/intermittent stream of bogon packets so we could backtrace).
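An added example, not part of the original post: a Python sketch of the RFC 1071 IPv4 header checksum, for checking whether a captured header with a mangled destination would still validate. It takes the 64.119.12.9 to 192.119.12.9 flip from the message and shows that the flip alone fails validation, while the header passes again if a hop rebuilds the checksum after the corruption or if a second flip cancels the first. The source address, the other header fields and the full-recompute hop behaviour are assumptions made for the illustration.

```python
import socket
import struct

def checksum(header: bytes) -> int:
    """RFC 1071 ones' complement checksum over the 16-bit header words."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_header(src: str, dst: str, ttl: int = 64) -> bytes:
    """Constructed 20-byte IPv4 header (protocol TCP, total length 40)."""
    raw = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, ttl, 6, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return raw[:10] + struct.pack("!H", checksum(raw)) + raw[12:]

def is_valid(header: bytes) -> bool:
    """Receiver check: checksum over the header, checksum field included, is 0."""
    return checksum(header) == 0

def flip_bit(header: bytes, offset: int, mask: int) -> bytes:
    """Return a copy of the header with one bit inverted."""
    raw = bytearray(header)
    raw[offset] ^= mask
    return bytes(raw)

def recompute_hop(header: bytes) -> bytes:
    """Assumed hop behaviour: decrement TTL, rebuild checksum from scratch."""
    raw = bytearray(header)
    raw[8] -= 1
    raw[10:12] = b"\x00\x00"
    raw[10:12] = struct.pack("!H", checksum(bytes(raw)))
    return bytes(raw)

def dst_of(header: bytes) -> str:
    """Destination address field (bytes 16-19) in dotted-quad form."""
    return socket.inet_ntoa(header[16:20])

if __name__ == "__main__":
    good = build_header("198.51.100.7", "64.119.12.9")  # source is constructed
    flipped = flip_bit(good, 16, 0x80)                   # 64 -> 192
    print(dst_of(flipped), "valid on the wire:", is_valid(flipped))
    print("after a recomputing hop:", is_valid(recompute_hop(flipped)))
    paired = flip_bit(flipped, 12, 0x80)                 # 198 -> 70, cancels out
    print("two compensating flips:", is_valid(paired))
```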
Current thread:
- Re: strange cmd.exe access Valdis . Kletnieks (Jun 01)
- <Possible follow-ups>
- Re: strange cmd.exe access H Carvey (Jun 01)
- Re: strange cmd.exe access adam (Jun 01)
- RE: strange cmd.exe access Frank Knobbe (Jun 01)
- RE: strange cmd.exe access MacDougall, Shane (Jun 05)