[ On Monday, June 5, 2000 at 18:00:29 (-0800), Josh Burroughs wrote: ]
> Subject: What is this guy doing?
>
> I've seen this pattern showing up in my logs for the past few days, what
> the hell is this guy trying to do?
>
> Jun 5 16:52:11 discworld kernel: Packet log: input DENY eth0 PROTO=17 24.237.48.54:2301 255.255.255.255:2301 L=40 S=0x00 I=56747 F=0x0000 T=128 (#5)
It's almost certainly not any kind of probe or attack given that the
exact same packets arrive one per minute from the same source address.
Officially it should be:
cpq-wbem 2301/udp # Compaq HTTP (Scott Shaffer <scott.shaffer_at_compaq.com>)
I seem to recall seeing mention of 2301 elsewhere though (though
probably as TCP, not UDP) and so it may have been hijacked by some other
application by someone unaware of the significance of destination port
numbers in TCP and UDP on a public Internet....
It might be interesting to capture a few dozen raw packets and look
inside them for other clues... perhaps with any other traffic to or
from that same host:
tcpdump -s 1500 -i eth0 -w weirdstuff.ip host 24.237.48.54
then after some time interrupt it and look in "weirdstuff.ip" (perhaps
with "tcpdump -r", or ethereal, etc.).
--
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods_at_acm.org> <robohack!woods>
Planix, Inc. <woods_at_planix.com>; Secrets of the Weird <woods_at_weird.com>
Received on Jun 10 2000
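As an added example (not part of the thread) in Python, the following parses ipchains "Packet log:" lines like the one quoted above and applies the reasoning in the reply: a fixed-interval stream to the broadcast address on a single port reads as a chatty application, while one source touching many destination ports is the case where the suggested tcpdump capture is worth the effort. The first sample line is the one from the thread; the rest are constructed with RFC 5737 documentation addresses, and the year 2000 is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime
# Field layout of the ipchains "Packet log:" line quoted in the thread (assumed fixed).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: \S+ (?P<action>\S+) "
    r"(?P<iface>\S+) PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<len>\d+) S=0x\w+ I=\d+ F=0x\w+ T=(?P<ttl>\d+)")

# Constructed sample: line 1 is from the thread, the rest are made up (RFC 5737 addresses).
SAMPLE_LINES = [
    "Jun 5 16:52:11 discworld kernel: Packet log: input DENY eth0 PROTO=17 24.237.48.54:2301 255.255.255.255:2301 L=40 S=0x00 I=56747 F=0x0000 T=128 (#5)",
    "Jun 5 16:53:11 discworld kernel: Packet log: input DENY eth0 PROTO=17 24.237.48.54:2301 255.255.255.255:2301 L=40 S=0x00 I=56812 F=0x0000 T=128 (#5)",
    "Jun 5 16:54:12 discworld kernel: Packet log: input DENY eth0 PROTO=17 24.237.48.54:2301 255.255.255.255:2301 L=40 S=0x00 I=56901 F=0x0000 T=128 (#5)",
    "Jun 5 16:55:01 discworld kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:40001 203.0.113.5:21 L=60 S=0x00 I=11 F=0x4000 T=52 (#5)",
    "Jun 5 16:55:01 discworld kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:40002 203.0.113.5:23 L=60 S=0x00 I=12 F=0x4000 T=52 (#5)",
    "Jun 5 16:55:02 discworld kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:40003 203.0.113.5:111 L=60 S=0x00 I=13 F=0x4000 T=52 (#5)",
]

def parse_line(line):
    """Return the log fields as a dict, or None if the line is not a Packet log entry."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    # syslog timestamps carry no year; 2000 is assumed from the thread's date.
    d["time"] = datetime.strptime("2000 " + d["ts"], "%Y %b %d %H:%M:%S")
    for k in ("proto", "sport", "dport", "len", "ttl"):
        d[k] = int(d[k])
    return d

def classify(lines, jitter=5, port_limit=2):
    """Per source: steady one-port broadcast = chatty app; many dst ports = go capture it."""
    by_src = defaultdict(list)
    for p in filter(None, map(parse_line, lines)):
        by_src[p["src"]].append(p)
    verdicts = {}
    for src, pkts in by_src.items():
        pkts.sort(key=lambda p: p["time"])
        gaps = [(b["time"] - a["time"]).total_seconds() for a, b in zip(pkts, pkts[1:])]
        periodic = len(gaps) >= 2 and max(gaps) - min(gaps) <= jitter
        broadcast = all(p["dst"] == "255.255.255.255" for p in pkts)
        dports = {p["dport"] for p in pkts}
        if broadcast and len(dports) == 1 and periodic:
            verdicts[src] = "periodic broadcast on one port: likely a chatty application"
        elif len(dports) > port_limit:
            verdicts[src] = "many destination ports: capture and inspect"
        else:
            verdicts[src] = "inconclusive"
    return verdicts
```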