
Re: [Full-Disclosure] Odd packet?

Subject: Re: [Full-Disclosure] Odd packet?
Date: Thu, 27 May 2004 20:07:22 +0200 (CEST)
On Wed, 26 May 2004, Mike Klinke wrote:

[...]
Even the OP didn't mention this.  I'm prone to believe those
packets have 127.0.0.1 as the source of the packets.

You're correct. I thought I'd sent this to the list last night but
didn't watch the to: field carefully enough on my reply.

I don't know the mechanism but I think I know what you were
seeing.  Here is an ethereal packet capture from the time.  We, too,
were constantly seeing our ISP controlled perimeter router sending
these packets to our internal equipment. The source MAC address here
is the perimeter router (Cisco 1700) and the ISP was pretty much
stumped over the cause.

[...]
Internet Protocol, Src Addr: 127.0.0.1 (127.0.0.1),
  Dst Addr: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)
Time to live: 121
Protocol: TCP (0x06)
  Src Port: 80 (80), Dst Port: 1319 (1319),
  Seq: 0, Ack: 986251265, Len: 0
Source port: 80 (80)
Destination port: 1319 (1319)
Flags: 0x0014 (RST, ACK)

Ok.  It seems to be the case described.  A spoofed packet with your IP as the
source tries to connect to the compromised machine on port 80 at
localhost.  The compromised machine doesn't have a web server listening at
127.0.0.1:80, so the TCP stack replies ACK RST and sends this packet to
your spoofed address.

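The check a perimeter operator would want for the situation in this thread, written as an added example and not taken from the list or any of its posters: parse a one-line-per-packet summary (the line format is assumed for this example, not the ethereal output quoted above) and flag two things, a loopback or other martian source address arriving from outside, and the RST/ACK-with-seq-0 shape that a TCP stack produces when it answers a SYN someone spoofed with your address. The martian list goes a little beyond the thread's 127.0.0.1 case to the other ranges the same ingress filter would drop. The sample lines are constructed; the first mirrors the capture quoted above, with 203.0.113.5 standing in for the masked destination.

```python
"""Spot loopback-sourced packets and RST/ACK backscatter in a packet summary.

Added example for this thread, not code from the list or its posters.
The one-line-per-packet summary format is assumed for this example; a
real deployment would feed it from tcpdump/ethereal output or a flow log.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Source ranges that should never arrive on an external interface. The thread's
# packets came from 127.0.0.1; the other ranges are the usual "martian" sources
# that the same ingress filter would drop (this generalises beyond the thread).
MARTIAN_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8",      # loopback, the case in the quoted capture
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "169.254.0.0/16",   # link-local
    "224.0.0.0/4",      # multicast is never valid as a source
)]

# Assumed summary format: "src:sport > dst:dport flags=F,F seq=N ack=N"
LINE_RE = re.compile(
    r"(?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"flags=(?P<flags>[A-Z,]+)\s+seq=(?P<seq>\d+)\s+ack=(?P<ack>\d+)"
)


@dataclass
class Finding:
    line: str
    martian_src: bool   # source address is loopback/private/etc.
    backscatter: bool   # looks like the reply to a SYN someone spoofed as us


def classify(line: str) -> Optional[Finding]:
    """Classify one summary line; None if it does not match the format."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src = ipaddress.ip_address(m["src"])
    martian = any(src in net for net in MARTIAN_NETS)
    flags = set(m["flags"].split(","))
    # A stack's answer to a SYN on a closed port is RST+ACK with seq 0 and
    # ack = the SYN's seq + 1. Seeing that without having sent a SYN ourselves
    # is the signature of backscatter from a SYN spoofed with our address.
    # (A stateful deployment would also confirm that no matching SYN went out.)
    backscatter = (flags == {"RST", "ACK"}
                   and int(m["seq"]) == 0 and int(m["ack"]) != 0)
    return Finding(line, martian, backscatter)


def scan(lines: List[str]) -> List[Finding]:
    """Return findings for every line that is martian-sourced or backscatter."""
    out = []
    for line in lines:
        f = classify(line)
        if f and (f.martian_src or f.backscatter):
            out.append(f)
    return out


# Constructed sample: the first line mirrors the thread's capture (dst masked
# in the thread; 203.0.113.5 is a documentation address standing in for it).
SAMPLE_LOG = [
    "127.0.0.1:80 > 203.0.113.5:1319 flags=RST,ACK seq=0 ack=986251265",
    "198.51.100.7:443 > 203.0.113.5:51022 flags=SYN,ACK seq=1234 ack=8801",
    "10.0.0.9:22 > 203.0.113.5:40000 flags=RST,ACK seq=0 ack=77",
    "198.51.100.7:80 > 203.0.113.5:1320 flags=RST,ACK seq=0 ack=5",
    "198.51.100.7:80 > 203.0.113.5:1321 flags=ACK seq=991 ack=5",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        tags = [t for t, on in (("martian-src", f.martian_src),
                                ("backscatter", f.backscatter)) if on]
        print(f"{', '.join(tags):24} {f.line}")
```

The fourth sample line is why the second test matters: when the spoofer picks a routable address instead of 127.0.0.1, the martian filter alone passes the reply, but the RST/ACK shape still gives it away. Martian sources belong in a drop rule at the border (the packets in the thread were arriving through the perimeter router); backscatter with a routable source is harmless to the receiver and is best logged and rate-limited rather than chased as an intrusion.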
