Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Incidents
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Localhost packets on WAN

from [Kirby Angell] Network Security [Permanent Link]
Subject: Localhost packets on WAN
Date: Wed, 29 Sep 2004 00:37:40 -0500 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Once on the 26th and 8 times today we received packets from 127.0.0.1:80
to an ephemeral port on one of our WAN IPs.  The one on the 26th was
odd, but the ones today were very similar.  They came in pairs, usually
about 10 minutes apart for each packet in the pair.  The pairs were
about 1 hour apart.

The TTLs are all 121 which I make for a Windows box about 7 hops away.
The packets today all looked almost identical to the one at the end of
this message. The only differences are the ID field and the ephemeral
port the packet went to.  They all have the RST/ACK flags set.  I
checked a few of them, and there was no other traffic to/from that port
anywhere near the time the bogus packets came in.

I'm going to be checking in the morning to see what my firewall would do
with these sorts of packets, hopefully it is just throwing them away.
Any ideas on what this is about?  Some sort of recon, or other precursor
to something I won't like?

No.     Time                       Source                Destination
~       Protocol Info
~      4 2004-09-28 17:14:32.558443 127.0.0.1             WAN_IP
TCP      http > 1245 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0

Frame 4 (60 bytes on wire, 60 bytes captured)
~    Arrival Time: Sep 28, 2004 17:14:32.558443000
~    Time delta from previous packet: 1835.696862000 seconds
~    Time since reference or first frame: 185412.560781000 seconds
~    Frame Number: 4
~    Packet Length: 60 bytes
~    Capture Length: 60 bytes
Ethernet II, Src: 00:b0:64:2f:64:c1, Dst: 00:0e:db:00:1b:15
~    Destination: 00:0e:db:00:1b:15 (Xincom_00:1b:15)
~    Source: 00:b0:64:2f:64:c1 (Cisco_2f:64:c1)
~    Type: IP (0x0800)
~    Trailer: 000000000000
Internet Protocol, Src Addr: 127.0.0.1 (127.0.0.1), Dst Addr: WAN_IP
(WAN_IP)
~    Version: 4
~    Header length: 20 bytes
~    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
~        0000 00.. = Differentiated Services Codepoint: Default (0x00)
~        .... ..0. = ECN-Capable Transport (ECT): 0
~        .... ...0 = ECN-CE: 0
~    Total Length: 40
~    Identification: 0x9d01 (40193)
~    Flags: 0x00
~        0... = Reserved bit: Not set
~        .0.. = Don't fragment: Not set
~        ..0. = More fragments: Not set
~    Fragment offset: 0
~    Time to live: 121
~    Protocol: TCP (0x06)
~    Header checksum: 0xfff1 (correct)
~    Source: 127.0.0.1 (127.0.0.1)
~    Destination: WAN_IP (WAN_IP)
Transmission Control Protocol, Src Port: http (80), Dst Port: 1245
(1245), Seq: 0, Ack: 0, Len: 0
~    Source port: http (80)
~    Destination port: 1245 (1245)
~    Sequence number: 0    (relative sequence number)
~    Acknowledgement number: 0    (relative ack number)
~    Header length: 20 bytes
~    Flags: 0x0014 (RST, ACK)
~        0... .... = Congestion Window Reduced (CWR): Not set
~        .0.. .... = ECN-Echo: Not set
~        ..0. .... = Urgent: Not set
~        ...1 .... = Acknowledgment: Set
~        .... 0... = Push: Not set
~        .... .1.. = Reset: Set
~        .... ..0. = Syn: Not set
~        .... ...0 = Fin: Not set
~    Window size: 0
~    Checksum: 0x9817 (correct)


- --
Thank you,

Kirby Angell
Get notified anytime your website goes down!
http://www.alertra.com
key: 9004F4C0
fingerprint: DD7E E88D 7F50 2A1E 229D  836A DB5B A751 9004 F4C0
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBWkok21unUZAE9MARAi3uAKCCPnuPxPpjNb8Ly7nrLGQgeSmx+gCfVnW+
jaWle8DnH+0n5ZZbtiToH5I=
=J2PH
-----END PGP SIGNATURE-----

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  data payload in SYN (Re: DoS/DDoS on port 1863(MSN protocol)), Martin Mačok
Next by Date:  RE: Localhost packets on WAN, James C Slora Jr
Previous by Thread:  RE: DoS/DDoS on port 1863(MSN protocol), Arun Vishwanathan
Next by Thread:  RE: Localhost packets on WAN, James C Slora Jr
Indexes:  [Date] [Thread] [Top] [All Lists]