Message-ID: <200308181826.h7IIQBAc050171@mailserver2.hushmail.com>
From: phathat at hushmail.com (Phathat)
Subject: Loopback packets

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Anyone seen this?
Snort began reporting this capture from a single Windows box about
twenty-four hours after we set windowsupdate.com to loopback. That's the only
correlation I've found. Now I have three machines sending these little
angry packets from different subnets (1918). Strangest of all, these
packets traversed two+ routers before they hit the Snort box?... Anyone?...

- --- Last alerts ---

[Classification: Potentially Bad Traffic] [Priority: 2]
08/18-08:15:31.696482 0:7:D:50:E7:FC -> FF:FF:FF:FF:FF:FF type:0x800
len:0x3C
127.0.0.1:80 -> 255.255.255.255:1766 TCP TTL:126 TOS:0x0 ID:31804 IpLen:20
DgmLen:40
***A*R** Seq: 0x0  Ack: 0x57810001  Win: 0x0  TcpLen: 20
[Xref => url rr.sans.org/firewall/egress.php]

[**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
08/18-08:15:44.439384 0:7:D:50:E7:FC -> 2:BF:AC:1E:64:BA type:0x800 len:0x3C
127.0.0.1:80 -> 172.30.100.186:1236 TCP TTL:126 TOS:0x0 ID:59540 IpLen:20
DgmLen:40
***A*R** Seq: 0x0  Ack: 0xE860001  Win: 0x0  TcpLen: 20
[Xref => url rr.sans.org/firewall/egress.php]

[**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
08/18-08:15:50.084525 0:7:D:50:E7:FC -> 2:BF:AC:1E:64:BA type:0x800 len:0x3C
127.0.0.1:80 -> 172.30.100.186:1236 TCP TTL:126 TOS:0x0 ID:46933 IpLen:20
DgmLen:40
***A*R** Seq: 0x0  Ack: 0xE860001  Win: 0x0  TcpLen: 20
[Xref => url rr.sans.org/firewall/egress.php]


- -- END OF LOG ---




-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.3

wkYEARECAAYFAj9BGkMACgkQnBN72pVYTdhXHACbB1B/N7G11+UTJK0EeCtmspU05ZoA
nRGXmL9840M45/+LWzfweI6sZ4Xa
=w6Ls
-----END PGP SIGNATURE-----
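
An added triage example, not part of the original post: it parses the three alerts quoted above (including the mail-wrapped lines), flags loopback source addresses, and groups them by source MAC. The function names and the initial TTL of 128 are assumptions made for this sketch.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Alert bodies copied from the post; mail wrapping split some records.
SAMPLE = """\
08/18-08:15:31.696482 0:7:D:50:E7:FC -> FF:FF:FF:FF:FF:FF type:0x800
len:0x3C
127.0.0.1:80 -> 255.255.255.255:1766 TCP TTL:126 TOS:0x0 ID:31804 IpLen:20
DgmLen:40
***A*R** Seq: 0x0  Ack: 0x57810001  Win: 0x0  TcpLen: 20
08/18-08:15:44.439384 0:7:D:50:E7:FC -> 2:BF:AC:1E:64:BA type:0x800 len:0x3C
127.0.0.1:80 -> 172.30.100.186:1236 TCP TTL:126 TOS:0x0 ID:59540 IpLen:20
DgmLen:40
***A*R** Seq: 0x0  Ack: 0xE860001  Win: 0x0  TcpLen: 20
08/18-08:15:50.084525 0:7:D:50:E7:FC -> 2:BF:AC:1E:64:BA type:0x800 len:0x3C
127.0.0.1:80 -> 172.30.100.186:1236 TCP TTL:126 TOS:0x0 ID:46933 IpLen:20
DgmLen:40
***A*R** Seq: 0x0  Ack: 0xE860001  Win: 0x0  TcpLen: 20
"""

# One record: timestamp + MACs, then IP:port pair + TTL, then the TCP flag field.
RECORD = re.compile(
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<smac>[0-9A-Fa-f:]+) -> (?P<dmac>[0-9A-Fa-f:]+).*?"
    r"(?P<sip>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dip>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) \w+ TTL:(?P<ttl>\d+).*?"
    r"(?P<flags>[*12UAPRSF]{8}) Seq:",
    re.S,  # let '.' cross the line breaks introduced by mail wrapping
)
LOOPBACK = ip_network("127.0.0.0/8")
ASSUMED_INITIAL_TTL = 128  # assumption: sender started at 128; not stated in the post

def parse_alerts(text):
    """Return one dict per alert with loopback flag and estimated hop count."""
    records = []
    for m in RECORD.finditer(text):
        r = m.groupdict()
        r["ttl"] = int(r["ttl"])
        r["loopback_src"] = ip_address(r["sip"]) in LOOPBACK
        r["hops"] = ASSUMED_INITIAL_TTL - r["ttl"]  # routers crossed, if assumption holds
        records.append(r)
    return records

def summarize(records):
    """Count loopback-sourced packets per (source MAC, destination IP).
    After a routed hop the source MAC is the last forwarding interface on the
    sensor's segment, so it names where to continue tracing, not the origin."""
    return Counter((r["smac"], r["dip"]) for r in records if r["loopback_src"])

if __name__ == "__main__":
    for key, count in summarize(parse_alerts(SAMPLE)).items():
        print(key, count)
```

With the source address unusable for attribution, the per-MAC grouping and the TTL-derived hop estimate are the fields to carry into the next router's logs.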

