Mike,
I have seen this when a user decided to run an Eggdrop bot through
my network. When his machine was not connected, the other member bot was
attempting to contact his. After analyzing the errors I found that they
only occurred "off-hours". I was able to then narrow down that it had to be
some application running through the proxies & firewalls - I narrowed it
down by starting with our development team - turning on one machine at a
time - sure enough an eggdrop is what I found. The scary part about it
all was that the server that the packets were coming from was located in
Russia - I had no freaking idea as to what was going on. I cannot remember
what port it was using at this point, but try to see what apps could be
running from the inside. I have made the necessary provisions to ensure
that this will not happen again! :o)
G'Luck
Rich
-----Original Message-----
From: Murray, Mike [mailto:Mike.Murray_at_UTORONTO.CA]
Sent: Saturday, March 04, 2000 10:58 PM
To: INCIDENTS_at_SECURITYFOCUS.COM
Subject: Re: Port 65535
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Pavel,
That's good info... thanks... )
Now, why in the world would someone be sending me incomplete packets
exactly every two minutes? Anybody have experience getting this? Perhaps some
sort of misconfiguration, or something hostile?
On 04-Mar-00 Pavel Kankovsky wrote:
> This is a fragment (F stands for fragment offset). ipchains leave port
> numbers equal to (u_short)(-1) if the fragment does not include a
> (complete) TCP/UDP header.
- ----------------------------------
Message sent on 04-Mar-00 at 22:59:02
Mike Murray
Apt 1402
666 Spadina Ave
Toronto, ON
M5S 2H8
Phone: (416) 323-3160
I can't think of anything pithy to say at
all, today. So, I ramble.
- ----------------------------------
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2
iQA/AwUBOMHbh4DBZTHOsqLmEQIRHgCeK9jSh0d/GiOLxTECOD/Gnv1PtAYAn3pL
2pLTLNUgoHBnnCHmdFImP9+a
=htZa
-----END PGP SIGNATURE-----
Received on Mar 07 2000
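
The following is an added example, not part of the original messages and not ipchains source code. It illustrates the behaviour Pavel describes: a packet filter can only report real port numbers when the piece of the datagram it sees contains a complete TCP/UDP header, and otherwise reports (u_short)(-1), i.e. 65535. The names `logged_ports` and `sample_dst` are hypothetical, "complete" is assumed to mean 20 bytes for TCP and 8 bytes for UDP, and the sample packets are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PORT_UNKNOWN ((uint16_t)-1)  /* 65535: logged when the ports cannot be read */

struct ports { uint16_t src, dst; int fragment; };

/* Fill *out with the ports a filter could read from this IPv4 packet.
 * Returns -1 if the buffer does not hold a valid IPv4 header. */
int logged_ports(const uint8_t *pkt, size_t len, struct ports *out)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;
    if (ihl < 20 || len < ihl) return -1;

    uint16_t frag = (uint16_t)((pkt[6] << 8) | pkt[7]);   /* flags + offset */
    uint16_t offset = frag & 0x1FFF;                      /* offset in 8-byte units */
    out->fragment = offset != 0 || (frag & 0x2000) != 0;  /* 0x2000 = More Fragments */
    out->src = out->dst = PORT_UNKNOWN;

    size_t need = pkt[9] == 6 ? 20 : pkt[9] == 17 ? 8 : 0; /* TCP / UDP header size */
    if (need == 0 || offset != 0 || len - ihl < need)
        return 0;                     /* no complete transport header in this piece */
    out->src = (uint16_t)((pkt[ihl] << 8) | pkt[ihl + 1]);
    out->dst = (uint16_t)((pkt[ihl + 2] << 8) | pkt[ihl + 3]);
    return 0;
}

/* Constructed sample: 20-byte IPv4 header + l4len payload bytes (l4len <= 44). */
uint16_t sample_dst(uint8_t proto, uint16_t frag, uint16_t dport, size_t l4len)
{
    uint8_t buf[64] = {0};
    struct ports p = {0, 0, 0};
    buf[0] = 0x45;                                   /* IPv4, header length 20 */
    buf[6] = (uint8_t)(frag >> 8); buf[7] = (uint8_t)frag;
    buf[9] = proto;
    buf[22] = (uint8_t)(dport >> 8); buf[23] = (uint8_t)dport;
    logged_ports(buf, 20 + l4len, &p);
    return p.dst;
}

int main(void)
{
    printf("whole TCP packet:    %u\n", (unsigned)sample_dst(6, 0x0000, 80, 20));
    printf("later fragment:      %u\n", (unsigned)sample_dst(6, 0x00B9, 80, 24));
    printf("tiny first fragment: %u\n", (unsigned)sample_dst(6, 0x2000, 80, 8));
    return 0;
}
```

When reading such logs, port 65535 alongside a non-zero fragment field therefore points to fragmentation rather than to a service on that port.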