Security Incidents: Oh, Christmas Tree (Was: packets with reserved bits set on)


From: Brett Glass <brett_at_LARIAT.ORG>
Date: Fri, 8 Sep 2000 10:31:55 -0600

At 06:36 AM 9/8/2000, Vitaly Osipov wrote:

>Hi all,
>
>Each day I get some weird packets coming to the logs :) Sometimes it is a really
>difficult task to figure out what's happening... So I was wondering for some
>time what the following thing could be -
>
>Aug 22 16:37:09 194.24.254.24:53 -> 195.22.32.22:1026 UDP
>
>08/22-16:37:14.530505 0:90:F2:55:F0:0 -> 0:60:8:CE:FC:C1 type:0x800 len:0x4A
>194.24.254.24:4556 -> 195.22.32.22:113 TCP TTL:59 TOS:0x0 ID:0 DF
>21S***** Seq: 0x494ED4AF Ack: 0x0 Win: 0x16D0
>TCP Options => MSS: 1460 SackOK TS: 60856195 0 NOP WS: 0

[Snip]

>etc. Both source and destination are nameservers, 194.24.254.24 running
>BIND "8.2.2-P5-NOESW" (at least it says so when asked for version.bind). I
>just wonder why it has some reserved bits set? Is it some feature of their
>BIND? (probably not) I asked the sysadmin of that host - he said it will be
>checked, but no reply since then.

They were probably hacked by a skript kiddie via that (vulnerable) version
of BIND 8 and are now being used to probe the network. "Christmas tree"
packets are generally not used for much else.

--Brett
Received on Sep 08 2000
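The flag string in the quoted Snort log can be checked mechanically rather than by eye. The following Python is an added example written for this archive page, not code from the thread or from Snort: it parses Snort 1.x-style records like the one quoted above, turns the flag field into a set of flag names (assumption, taken from the quoted "21S*****": each non-asterisk character names one set flag, with "2" and "1" being the two reserved bits above URG), and tags packets that have reserved bits lit or that carry the FIN/PSH/URG combination commonly called a Christmas tree. The first two records are the lines quoted in the post; the last two are constructed here to exercise the other branches of the classifier.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Snort 1.x flag characters. Each non-'*' character in the flag field names one
# set bit; '2' and '1' are the two reserved bits above URG (assumption: the
# "list set flags, pad with '*'" convention seen in the quoted "21S*****").
FLAG_NAMES = {
    "2": "RES2", "1": "RES1",
    "U": "URG", "A": "ACK", "P": "PSH", "R": "RST", "S": "SYN", "F": "FIN",
}

CONN_RE = re.compile(r"^([\d.]+):(\d+) -> ([\d.]+):(\d+) TCP", re.M)
FLAGS_RE = re.compile(r"^([12UAPRSF*]{1,8}) Seq:", re.M)

# Constructed sample: the first two records are the lines quoted in the post;
# the last two are made up here to exercise the other classifier branches.
SAMPLE_LOG = """\
Aug 22 16:37:09 194.24.254.24:53 -> 195.22.32.22:1026 UDP

08/22-16:37:14.530505 0:90:F2:55:F0:0 -> 0:60:8:CE:FC:C1 type:0x800 len:0x4A
194.24.254.24:4556 -> 195.22.32.22:113 TCP TTL:59 TOS:0x0 ID:0 DF
21S***** Seq: 0x494ED4AF Ack: 0x0 Win: 0x16D0
TCP Options => MSS: 1460 SackOK TS: 60856195 0 NOP WS: 0

08/22-16:40:02.000001 0:90:F2:55:F0:0 -> 0:60:8:CE:FC:C1 type:0x800 len:0x3C
10.0.0.5:40000 -> 10.0.0.9:80 TCP TTL:50 TOS:0x0 ID:1234
UPF***** Seq: 0x00000001 Ack: 0x0 Win: 0x400

08/22-16:41:10.000002 0:90:F2:55:F0:0 -> 0:60:8:CE:FC:C1 type:0x800 len:0x3C
10.0.0.7:51000 -> 10.0.0.9:22 TCP TTL:64 TOS:0x0 ID:9 DF
S******* Seq: 0x0000ABCD Ack: 0x0 Win: 0x4000
"""


@dataclass(frozen=True)
class TcpRecord:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset[str]


def parse_flag_field(field: str) -> frozenset[str]:
    """Turn a Snort flag string such as '21S*****' into a set of flag names."""
    return frozenset(FLAG_NAMES[c] for c in field if c != "*")


def parse_snort_log(text: str) -> list[TcpRecord]:
    """Extract TCP records; blocks without a TCP header line and a flag line are skipped."""
    records = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        conn, flg = CONN_RE.search(block), FLAGS_RE.search(block)
        if conn is None or flg is None:
            continue  # UDP lines, truncated records, etc.
        records.append(TcpRecord(conn[1], int(conn[2]), conn[3], int(conn[4]),
                                 parse_flag_field(flg[1])))
    return records


def classify(rec: TcpRecord) -> list[str]:
    """Tags worth a second look: reserved bits lit, or the FIN/PSH/URG 'Christmas tree' set."""
    tags = []
    if rec.flags & {"RES1", "RES2"}:
        tags.append("reserved-bits-set")
    if {"FIN", "PSH", "URG"} <= rec.flags:
        tags.append("xmas-tree")
    return tags


def scan_log(text: str) -> list[tuple[str, int, str, int, list[str]]]:
    """Return (src, sport, dst, dport, tags) for every record that earned at least one tag."""
    out = []
    for rec in parse_snort_log(text):
        tags = classify(rec)
        if tags:
            out.append((rec.src, rec.sport, rec.dst, rec.dport, tags))
    return out


if __name__ == "__main__":
    for src, sport, dst, dport, tags in scan_log(SAMPLE_LOG):
        print(f"{src}:{sport} -> {dst}:{dport}  {', '.join(tags)}")
```

Run against the sample, the quoted packet comes out tagged "reserved-bits-set" and the constructed UPF packet "xmas-tree", while the plain SYN and the UDP line produce nothing. One caveat when reading such tags: the two reserved bits were later assigned to ECN (RFC 3168, 2001), so a SYN carrying them alongside ordinary options is also what an ECN-capable stack emits; the tag is a prompt to look at the source host, not a verdict by itself.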
