Date: Wed, 16 Aug 2006 23:43:15 -0400
From: Netragard Security Advisories <advisories@...ragard.com>
To: "Fetch, Brandon" <BFetch@...pac.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Re: ICMP DestinationUnreachable Port Unreachable

Fetch,
    I had already considered that actually. I found that it was just
back scatter though. Someone must have been doing something naughty and
I caught a little bit of the noise. Nevertheless, weird payloads...
but nothing for me to be concerned about.

Fetch, Brandon wrote:
> Isn't there a new Trojan that's using ICMP to send back its pilfered
> data?  It's encrypted (if I remember correctly) so no clear-text reading
> of what's sent and that may explain why you're seeing the random data.
>
> The padding of the same characters in individual packets may designate
> start/stop points in the transmission segments.
>
> Just my $.02...
>
> Brandon
>
> -----Original Message-----
> From: full-disclosure-bounces@...ts.grok.org.uk
> [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Adriel
> T. Desautels
> Sent: Wednesday, August 16, 2006 10:30 AM
> To: Adriel T. Desautels
> Cc: full-disclosure@...ts.grok.org.uk; Valdis.Kletnieks@...edu
> Subject: Re: [Full-disclosure] Re: ICMP DestinationUnreachable Port
> Unreachable
>
> Also,
>     I failed to mention that they came in bursts of 3 every 5 minutes on
> the dot.
>
> Adriel T. Desautels wrote:
>> Well,
>>     After over 100,000 alerts each with very different payloads the
>> traffic stopped. I do have a list of all of the dropped packets from my
>> firewall as well and it appears that it was hitting 3 IP addresses which
>> are public facing, not just one. The weird part is that two of those
>> three aren't even live. So I think that this may have been noise from a
>> different attack...
>>
>>     I'd be very interested in decoding the payloads for some of these.
>> Anyone here have any tools to do such a decode? I'd rather not do it
>> manually if at all possible.
>>
>> Valdis.Kletnieks@...edu wrote:
>>> On Wed, 16 Aug 2006 12:33:13 BST, Barrie Dempster said:
>>>> Although the port 0 in this case is a red herring and irrelevant. Port 0
>>>> itself when used with TCP/UDP (not ICMP!) can actually be used on the
>>>> Internet. A while back I modified netcat and my linux kernel so that it
>>>> would allow usage of port 0 and was able to connect to a remote machine
>>>> via TCP with that port and communicate fine.
>>>
>>> Of course, the poor security geek who sees a TCP SYN from port 0 to port 0,
>>> and then a SYN+ACK reply back, will be going WTF??!? for the rest of the
>>> day. :)
>>>
>>> (Another good one to induce head-scratching is anything that does
>>> RFC1644-style T/TCP.  Anytime you see a packet go by in one direction with
>>> SYN/FIN *and* data, and the reply has SYN/ACK/FIN and data on it... ;)
>>>


-- 

Regards,
	Netragard Vulnerability Research Team
	advisories at netragard dot com
	http://www.netragard.com
	-------------------------
	"We make I.T. Secure"
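
Editor's note: Adriel asks above for a tool to decode the "weird payloads", and describes two facts that settle the backscatter question: the ICMP arrived for addresses that are not live, in bursts of 3 every 5 minutes. Below is an added example (not code from the thread or from Netragard) that does the decode with the Python standard library only. An ICMP type 3 / code 3 message quotes the IP header and first 8 bytes of the datagram that provoked it (RFC 792), so the quoted source address tells you which of your addresses the remote host thinks sent the packet; if that address is not live, it was spoofed and the message is backscatter. The sample packets, the 192.0.2.0/24 "our network" block and the live-host set are constructed assumptions using RFC 5737 documentation addresses.

```python
"""Decode ICMP Destination Unreachable / Port Unreachable (type 3, code 3)
packets and recover the original datagram each one quotes.

Added example, not code from the thread.  Standard library only.  Packets
built here are constructed test input with RFC 5737 documentation addresses;
checksums are neither computed nor verified (this is a decoder, not a sender).
"""
import socket
import struct

ICMP_PROTO, TCP_PROTO, UDP_PROTO = 1, 6, 17
ICMP_DEST_UNREACH, CODE_PORT_UNREACH = 3, 3
IPV4_FMT = "!BBHHHBBH4s4s"   # fixed 20-byte IPv4 header (no options)


def parse_ipv4(buf):
    """Split an IPv4 packet into (header fields, payload); reject garbage."""
    if len(buf) < 20:
        raise ValueError("short IPv4 header")
    vihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_FMT, buf[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or len(buf) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    hdr = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
           "proto": proto, "ttl": ttl, "len": total_len}
    return hdr, buf[ihl:]


def decode_port_unreachable(buf):
    """Return a dict describing the quoted datagram, or None when `buf` is not
    ICMP type 3 / code 3.  RFC 792 requires the ICMP body to carry the original
    IP header plus at least 8 bytes of its payload: enough for the port pair."""
    outer, icmp = parse_ipv4(buf)
    if outer["proto"] != ICMP_PROTO or len(icmp) < 8:
        return None
    itype, icode, _csum, _unused = struct.unpack("!BBHI", icmp[:8])
    if (itype, icode) != (ICMP_DEST_UNREACH, CODE_PORT_UNREACH):
        return None
    inner, quoted = parse_ipv4(icmp[8:])
    sport = dport = None
    if inner["proto"] in (TCP_PROTO, UDP_PROTO) and len(quoted) >= 4:
        sport, dport = struct.unpack("!HH", quoted[:4])
    return {
        "reporter": outer["src"],     # host that generated the ICMP error
        "reported_to": outer["dst"],  # where it was delivered (our address)
        "orig_src": inner["src"],     # claimed source of the original datagram
        "orig_dst": inner["dst"],
        "orig_proto": inner["proto"],
        "orig_sport": sport,
        "orig_dport": dport,
        "quoted_bytes": quoted,       # the "weird payload" people hex-dump
    }


def classify(rec, live_hosts):
    """A port-unreachable replies to a datagram whose *source* address was
    ours.  If that source is not even a live host of ours, the only way it
    got into someone else's packet is spoofing: classic backscatter."""
    if rec is None:
        return "not-port-unreachable"
    if rec["orig_src"] not in live_hosts:
        return "backscatter"          # our address was spoofed at the reporter
    return "check-outbound-logs"      # may be a reply to traffic we really sent


def burst_shape(timestamps, intra_gap=2.0):
    """Group arrival times (seconds) into bursts separated by more than
    `intra_gap` seconds; return (burst sizes, seconds between burst starts)."""
    bursts, cur = [], []
    for t in sorted(timestamps):
        if cur and t - cur[-1] > intra_gap:
            bursts.append(cur)
            cur = []
        cur.append(t)
    if cur:
        bursts.append(cur)
    sizes = [len(b) for b in bursts]
    spacing = [round(b[0] - a[0]) for a, b in zip(bursts, bursts[1:])]
    return sizes, spacing


def _ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (ttl 64, checksum 0) in front of `payload`."""
    return struct.pack(IPV4_FMT, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload


def build_port_unreachable(reporter, victim, orig_src, orig_dst, sport, dport,
                           extra=b""):
    """Constructed test input: an ICMP port-unreachable quoting a UDP datagram."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(extra), 0) + extra
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, CODE_PORT_UNREACH, 0, 0)
    return _ipv4(reporter, victim, ICMP_PROTO,
                 icmp + _ipv4(orig_src, orig_dst, UDP_PROTO, udp))


if __name__ == "__main__":  # assumed: 192.0.2.10 is our only live host
    pkt = build_port_unreachable("198.51.100.7", "192.0.2.11", "192.0.2.11",
                                 "198.51.100.7", 40000, 53, b"AAAAAAAA")
    rec = decode_port_unreachable(pkt)
    print(classify(rec, {"192.0.2.10"}), rec["orig_src"], rec["orig_dport"])
    print(burst_shape([0, 0.1, 0.2, 300, 300.1, 300.2, 600, 600.1, 600.2]))
```

Feed `decode_port_unreachable()` the raw IPv4 bytes of each dropped packet (from a pcap, the firewall's packet log, or the IDS alert capture); `classify()` only needs the set of addresses you actually have live, and `burst_shape()` over the alert timestamps reproduces the "3 every 5 minutes" pattern as `([3, 3, 3], [300, 300])`. The quoted bytes beyond the port pair are whatever the remote host copied from the spoofed datagram, so the repeated-character padding Brandon mentions is attacker-chosen filler, not a protocol of ours to decode.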


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
