


Security Basics: Re: Help!!

Re: Help!!

From: Eric McCarty <eric_at_piteduncan.com>
Date: Fri, 11 Mar 2005 11:30:31 -0800

First off, Multicast = > 1 Address. Unicast = 1 Address. Broadcast = All
addresses.

Next, since the source IPs are apparently on your LAN I would say sniff
the traffic from those machines, I would bet it's spyware/adware
communications.

Good luck.

Eric.

On Thu, 2005-03-10 at 18:59 -0600, Jose Alberto Arce wrote:
> Hi all.
> I've seen since last Monday on my network, some addresses sending
> multicast to address 234.11.11.12, using UDP 8991. I googled a little
> bit and I didn't find anything related to that multicast. Last two
> packets captured are:
>
> 17:29:43.295448 ethertype IPv4 (0x0800), length 99: IP (tos 0x0, ttl 3, id
> 4299, offset 0, flags [none], length: 85) xxx.xxx.xxx.xxx.1034 >
> 234.11.11.12.8991: UDP, length: 57
> 17:29:43.311066 ethertype IPv4 (0x0800), length 99: IP (tos 0x0, ttl 3, id
> 4300, offset 0, flags [none], length: 85) xxx.xxx.xxx.xxx.1034 >
> 234.11.11.12.8991: UDP, length: 57
>
> Any ideas of what device or program might be producing this traffic?
> Thanks
> OA
>
>

-- 
Eric C. McCarty
Systems Administrator
Pite Duncan & Melmet, LLP
eric_at_piteduncan.com
619 590-1300 x 2060

Received on Mar 11 2005
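
Added example, not part of the original thread: a small Python tally of which LAN hosts send UDP to a multicast group, parsed from wrapped `tcpdump -v` text like the capture quoted above, so you know which machines to sniff first. The sample capture is constructed, and its source addresses are placeholders from the 192.0.2.0/24 documentation range.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the wrapped layout quoted in the thread (placeholder sources).
SAMPLE = """\
17:29:43.295448 ethertype IPv4 (0x0800), length 99: IP (tos 0x0, ttl 3, id
4299, offset 0, flags [none], length: 85) 192.0.2.21.1034 >
234.11.11.12.8991: UDP, length: 57
17:29:43.311066 ethertype IPv4 (0x0800), length 99: IP (tos 0x0, ttl 3, id
4300, offset 0, flags [none], length: 85) 192.0.2.21.1034 >
234.11.11.12.8991: UDP, length: 57
17:29:44.102331 ethertype IPv4 (0x0800), length 99: IP (tos 0x0, ttl 3, id
811, offset 0, flags [none], length: 85) 192.0.2.37.1040 >
234.11.11.12.8991: UDP, length: 57
17:29:45.000012 ethertype IPv4 (0x0800), length 74: IP (tos 0x0, ttl 64, id
90, offset 0, flags [none], length: 60) 192.0.2.21.1050 >
192.0.2.1.53: UDP, length: 32
"""

TIMESTAMP = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ ")
PACKET = re.compile(
    r"ttl (?P<ttl>\d+),.*?\) (?P<src>(?:\d+\.){3}\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>(?:\d+\.){3}\d+)\.(?P<dport>\d+): UDP")

def records(text):
    """Rejoin wrapped lines into one record per packet; a timestamp starts a record."""
    current = []
    for line in text.splitlines():
        line = line.lstrip("> ").rstrip()  # tolerate captures pasted from quoted mail
        if TIMESTAMP.match(line) and current:
            yield " ".join(current)
            current = []
        if line:
            current.append(line)
    if current:
        yield " ".join(current)

def multicast_senders(text):
    """Count UDP packets per (source, group, dport, ttl) whose destination is multicast."""
    tally = Counter()
    for rec in records(text):
        m = PACKET.search(rec)
        if m and ipaddress.ip_address(m["dst"]).is_multicast:  # 224.0.0.0/4
            tally[(m["src"], m["dst"], int(m["dport"]), int(m["ttl"]))] += 1
    return tally

if __name__ == "__main__":
    for (src, grp, port, ttl), n in multicast_senders(SAMPLE).most_common():
        print(f"{src} -> {grp}:{port}/udp ttl={ttl} packets={n}")
```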