Security Incidents mailing list archives

Solegg ?
From: "David Gillett" <gillettdavid () fhda edu>
Date: Fri, 14 May 2004 09:52:30 -0700

  I recently attempted to contact this forum about strange traffic
coming from one of our hosts.  (My message was rejected without
explanation.)  The host was sending out ICMP Echo-Reply packets
which contained the keyword "skillz" and about 1K of null bytes.
No ICMP Echo-Request packets were seen eliciting these.

  This week, continuing to research this machine, I found that it
was also the source of bursts of traffic from (spoofed) 127.0.0.x
addresses to 108.122.0.0, in a range marked "reserved" by IANA.
A Google search shows that other sites had seen such traffic going
back as far as 2002, but I could not find any indication that its
cause had been positively identified.

  I still don't know for certain that this box was the victim of
a single infestation, but the possibility that these are symptoms
of the same compromise may be worth considering.

David Gillett
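
Added illustration, not part of the original message: a small Python check for the two symptoms reported above, ICMP Echo-Reply packets that answer no Echo-Request and carry the keyword "skillz", and packets with a 127.0.0.0/8 source address seen on the wire. The packets are constructed sample data; the helper names, the documentation-range addresses, and the use of ICMP for the loopback-sourced sample are assumptions.

```python
import ipaddress
import struct

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
KEYWORD = b"skillz"  # keyword reported in the message


def build_packet(src, dst, icmp_type, ident, seq, payload):
    """Build a minimal IPv4+ICMP packet (constructed test data; checksums left zero)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return ip + icmp


def analyze(packets):
    """Return (packet index, reason) findings for a list of raw IPv4 packets."""
    findings = []
    pending = set()  # (requester, responder, id, seq) of echo requests seen so far
    for i, pkt in enumerate(packets):
        ihl = (pkt[0] & 0x0F) * 4
        proto = pkt[9]
        src = ipaddress.ip_address(pkt[12:16])
        dst = ipaddress.ip_address(pkt[16:20])
        if src in LOOPBACK:  # loopback addresses should never appear as a source on the wire
            findings.append((i, "loopback source on the wire"))
        if proto != 1 or len(pkt) < ihl + 8:
            continue
        icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[ihl:ihl + 8])
        if icmp_type == 8:  # echo request: remember it so the reply can be matched
            pending.add((src, dst, ident, seq))
        elif icmp_type == 0:  # echo reply
            if (dst, src, ident, seq) not in pending:
                findings.append((i, "echo reply without request"))
            if KEYWORD in pkt[ihl + 8:]:
                findings.append((i, "keyword in echo reply payload"))
    return findings


# Constructed sample traffic; addresses other than 127.0.0.x and 108.122.0.0 are placeholders.
SAMPLE = [
    build_packet("192.0.2.10", "198.51.100.5", 8, 1, 1, b"ping"),   # normal request
    build_packet("198.51.100.5", "192.0.2.10", 0, 1, 1, b"ping"),   # matching reply
    build_packet("192.0.2.10", "203.0.113.9", 0, 7, 0, KEYWORD + b"\x00" * 1024),
    build_packet("127.0.0.3", "108.122.0.0", 8, 2, 1, b""),         # protocol assumed
]

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

The request/reply matching only works when the capture point sees both directions of the traffic; on a one-way tap every reply would be flagged.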


