lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <44E3E5D3.50400@netragard.com>
Date: Wed, 16 Aug 2006 23:43:15 -0400
From: Netragard Security Advisories <advisories@...ragard.com>
To: "Fetch, Brandon" <BFetch@...pac.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Re: ICMP DestinationUnreachable	Port	Unreachable

Fetch,
    I had already considered that actually. I found that it was just
back scatter though. Someone must have been doing something naughty and
I caught a little bit of the noise. Never the less, weird payloads...
but nothing for me to be concerned about.

Fetch, Brandon wrote:
> Isn't there a new Trojan that's using ICMP to send back it's pilfered
> data?  It's encrypted (if I remember correctly) so no clear-text reading
> of what's sent and that may explain why you're seeing the random data.
>
> The padding of the same characters in individual packets may designate
> start/stop points in the transmission segments.
>
> Just my $.02...
>
> Brandon
>
> -----Original Message-----
> From: full-disclosure-bounces@...ts.grok.org.uk
> [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Adriel
> T. Desautels
> Sent: Wednesday, August 16, 2006 10:30 AM
> To: Adriel T. Desautels
> Cc: full-disclosure@...ts.grok.org.uk; Valdis.Kletnieks@...edu
> Subject: Re: [Full-disclosure] Re: ICMP DestinationUnreachable Port
> Unreachable
>
> Also,
>     I failed to mention that they came in bursts of 3 every 5 minutes on
> the dot.
>
> Adriel T. Desautels wrote:
>   
>> Well,
>>     After over 100,000 alerts each with very different payloads the
>> traffic stopped. I do have a list of all of the dropped packets from
>>     
> my
>   
>> firewall as well and it appears that it was hitting 3 IP addresses
>>     
> which
>   
>> are public facing, not just one. The weird part, is that two of those
>> three aren't even live. So I think that this may have been noise from
>>     
> a
>   
>> different attack...
>>
>>     I'd be very interested in decoding the payloads for some of these.
>> Anyone here have any tools to do such a decode? I'd rather not do it
>> manual if at all possible.
>>
>> Valdis.Kletnieks@...edu wrote:
>>   
>>     
>>> On Wed, 16 Aug 2006 12:33:13 BST, Barrie Dempster said:
>>>   
>>>     
>>>       
>>>> Although the port 0 in this case is a red herring and irrelevant.
>>>>         
> Port 0
>   
>>>> itself when used with TCP/UDP (not ICMP!) can actually be used on
>>>>         
> the
>   
>>>> Internet. A while back I modified netcat and my linux kernel so that
>>>>         
> it would
>   
>>>> allow usage of port 0 and was able to connect to a remote machine
>>>>         
> via TCP
>   
>>>> with that port and communicate fine.
>>>>     
>>>>       
>>>>         
>>> Of course, the poor security geek who see a TCP SYN from port 0 to
>>>       
> port 0,
>   
>>> and then a SYN+ACK reply back, will be going WTF??!? for the rest of
>>>       
> the day. :)
>   
>>> (Another good one to induce head-scratching is anything that does
>>> RFC1644-style T/TCP.  Anytime you see a packet go by in one direction
>>>       
> with
>   
>>> SYN/FIN *and* data, and the reply has SYN/ACK/FIN and data.. ;)
>>> data on it... ;)
>>>   
>>>
>>>       
> ------------------------------------------------------------------------
>   
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>     
>>>       
>>   
>>     
>
>
>   


-- 


Regards, 
	Netragard Vulnerability Research Team
	advisories at netragard dot com
	http://www.netragard.com
	-------------------------
	"We make I.T. Secure"




BullGuard Anti-virus has scanned this e-mail and found it clean.
Try BullGuard for free: www.bullguard.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ