| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 16 Aug 2006 17:40:39 -0400
From: "Fetch, Brandon" <BFetch@...pac.com>
To: <full-disclosure@...ts.grok.org.uk>
Subject: RE: Re: ICMP DestinationUnreachable Port Unreachable
Isn't there a new Trojan that's using ICMP to send back it's pilfered
data? It's encrypted (if I remember correctly) so no clear-text reading
of what's sent and that may explain why you're seeing the random data.
The padding of the same characters in individual packets may designate
start/stop points in the transmission segments.
Just my $.02...
Brandon
-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Adriel
T. Desautels
Sent: Wednesday, August 16, 2006 10:30 AM
To: Adriel T. Desautels
Cc: full-disclosure@...ts.grok.org.uk; Valdis.Kletnieks@...edu
Subject: Re: [Full-disclosure] Re: ICMP DestinationUnreachable Port
Unreachable
Also,
I failed to mention that they came in bursts of 3 every 5 minutes on
the dot.
Adriel T. Desautels wrote:
> Well,
> After over 100,000 alerts each with very different payloads the
> traffic stopped. I do have a list of all of the dropped packets from
my
> firewall as well and it appears that it was hitting 3 IP addresses
which
> are public facing, not just one. The weird part, is that two of those
> three aren't even live. So I think that this may have been noise from
a
> different attack...
>
> I'd be very interested in decoding the payloads for some of these.
> Anyone here have any tools to do such a decode? I'd rather not do it
> manual if at all possible.
>
> Valdis.Kletnieks@...edu wrote:
>
>> On Wed, 16 Aug 2006 12:33:13 BST, Barrie Dempster said:
>>
>>
>>> Although the port 0 in this case is a red herring and irrelevant.
Port 0
>>> itself when used with TCP/UDP (not ICMP!) can actually be used on
the
>>> Internet. A while back I modified netcat and my linux kernel so that
it would
>>> allow usage of port 0 and was able to connect to a remote machine
via TCP
>>> with that port and communicate fine.
>>>
>>>
>> Of course, the poor security geek who see a TCP SYN from port 0 to
port 0,
>> and then a SYN+ACK reply back, will be going WTF??!? for the rest of
the day. :)
>>
>> (Another good one to induce head-scratching is anything that does
>> RFC1644-style T/TCP. Anytime you see a packet go by in one direction
with
>> SYN/FIN *and* data, and the reply has SYN/ACK/FIN and data.. ;)
>> data on it... ;)
>>
>>
------------------------------------------------------------------------
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>
>
--
Regards,
Adriel T. Desautels
SNOsoft Research Team
Office: 617-924-4510 || Mobile : 857-636-8882
----------------------------------------------
Vulnerability Research and Exploit Development
BullGuard Anti-virus has scanned this e-mail and found it clean.
Try BullGuard for free: www.bullguard.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
This message is intended only for the person(s) to which it is addressed
and may contain privileged, confidential and/or insider information.
If you have received this communication in error, please notify us
immediately by replying to the message and deleting it from your computer.
Any disclosure, copying, distribution, or the taking of any action concerning
the contents of this message and any attachment(s) by anyone other
than the named recipient(s) is strictly prohibited.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists