Message-ID: <20051222122252.U37487@ubzr.zsa.bet>
Date: Thu Dec 22 18:28:01 2005
From: measl at mfn.org (J.A. Terranson)
Subject: Broadcast storm in my network/ any ideas


On Thu, 22 Dec 2005, wilder_jeff Wilder wrote:

> All,
>
> I have a Windows 2000 terminal server that is consistently sending out
> broadcasts to 255.255.255.255:111... below is a capture from a snort box I
> have running. In the last 18 hours I have had about 2000 packets from this
> box to this address about every 30 seconds.

Jeff, FYI - a "Broadcast storm" is a Loooooonnnngggggg way from 200
packets over 18 hours.  Most people would hesitate to class this level of
traffic as a "nuisance", let alone a "broadcast storm".  Notwithstanding
the obvious error in terminology, port 111 isn't a port that I
would expect a Winblows box to be talking to (it is usually used for *nix
portmapper services).

In this case, your most reasonable course of action would be to examine
the box and try to determine what process is binding to the port.
Personally, I'd pull it off the wire under the presumption it's been
compromised, until proven otherwise (or unless you have Services for Unix
installed).

-- 
Yours,

J.A. Terranson
sysadmin@....org
0xBD4A95BF


	Just once, can't we have a nice polite discussion about
	the logistics and planning side of large criminal enterprise?

	- Steve Thompson
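One defender-side way to triage the kind of capture Jeff describes, as an added example that is not part of the original thread: it parses constructed, simplified log lines (the line format and the sample hosts are assumptions, not data from the post) and flags sources that send to 255.255.255.255:111 at a near-constant interval, the roughly 30-second pattern the post mentions.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample records in a simplified one-line form (not a real
# snort capture): "<epoch seconds> <src ip>:<sport> -> <dst ip>:<dport>"
SAMPLE_LOG = """\
1135252800 192.168.1.20:1034 -> 255.255.255.255:111
1135252830 192.168.1.20:1034 -> 255.255.255.255:111
1135252860 192.168.1.20:1034 -> 255.255.255.255:111
1135252890 192.168.1.20:1034 -> 255.255.255.255:111
1135252900 192.168.1.45:3210 -> 192.168.1.1:53
1135252920 192.168.1.20:1034 -> 255.255.255.255:111
1135252950 192.168.1.20:1034 -> 255.255.255.255:111
1135252955 192.168.1.45:3211 -> 255.255.255.255:111
"""

LINE_RE = re.compile(r"^(\d+) (\S+):(\d+) -> (\S+):(\d+)$")


def parse_records(text):
    """Yield (timestamp, src, dst, dport) tuples; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, _sport, dst, dport = m.groups()
            yield int(ts), src, dst, int(dport)


def find_broadcast_beacons(text, dport=111, min_packets=3, max_jitter=5):
    """Return {src: (packet_count, median_interval_seconds)} for hosts that
    repeatedly hit the limited broadcast address on dport at a steady cadence.
    A single stray packet (like 192.168.1.45 above) is not reported."""
    times = defaultdict(list)
    for ts, src, dst, port in parse_records(text):
        if dst == "255.255.255.255" and port == dport:
            times[src].append(ts)
    results = {}
    for src, stamps in times.items():
        if len(stamps) < min_packets:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        med = median(gaps)
        # Periodic beaconing: every gap sits within max_jitter seconds of the median.
        if all(abs(g - med) <= max_jitter for g in gaps):
            results[src] = (len(stamps), med)
    return results


if __name__ == "__main__":
    for src, (count, interval) in find_broadcast_beacons(SAMPLE_LOG).items():
        print(f"{src}: {count} broadcasts to port {111}, one every ~{interval:.0f}s")
```

On the constructed sample this reports only 192.168.1.20, which is the host to pull off the wire and inspect for the process bound to the port, as the reply advises.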

