Network Security Incidents

Re: DOD Inside

Subject: Re: DOD Inside
Date: Tue, 11 Apr 2006 09:33:20 +1200
On 11/04/06, Frank Knobbe <frank@knobbe.us> wrote:
> On Sat, 2006-04-08 at 02:18 +0000, mailcentre2@gmail.com wrote:
> > Having read about the DoD IP issues in here, I thought I might add my 0.02:
> >
> > My router logs from the 28-03-2006 show a very strange sequence of port
> > attempts.
> >
> > Tue, 2006-03-28 05:20:52 - UDP Packet - Source:7.12.12.16,13364
> > Destination:xx.xx.xx.xx,1035 - [DOS]
> > Tue, 2006-03-28 11:22:41 - UDP Packet - Source:7.12.12.16,13364
> > Destination:xx.xx.xx.xx,1033 - [DOS]
> > Tue, 2006-03-28 11:22:41 - UDP Packet - Source:7.12.12.16,13364
> > Destination:xx.xx.xx.xx,1035 - [DOS]
> > Tue, 2006-03-28 17:25:53 - UDP Packet - Source:7.12.12.16,13364
> > Destination:xx.xx.xx.xx,1033 - [DOS]
> > [...]
>
> These look like MS messenger pop-up spam (starting at port 1025 and now
> going into the mid/high-30s). The source address is likely spoofed. If
> you take a look at these packets with ngrep or tcpdump, I'm sure you'll
> find either advertising or a message saying your computer is infected
> and you need to visit a certain web site.
>
> I doubt the source is real, and wouldn't worry about it. That's the
> stuff firewalls are supposed to filter :)

Something like this perhaps? Someone's using source port 0 for the
ones I'm getting for some reason.

14:01:13.108084 IP xxx.yyy.196.38.0 > example.com.1025: UDP, length: 482
        0x0000:  4500 01fe 5972 0000 3611 7129 8cfb c426  E...Yr..6.q)...&
        0x0010:  48e8 1e4a 0000 0401 01ea 0000 0400 7800  H..J..........x.
        0x0020:  1000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0030:  0000 0000 f891 7b5a 00ff d011 a9b2 00c0  ......{Z........
        0x0040:  4fb6 e6fc 0000 0000 0000 0000 0000 0000  O...............
        0x0050:  0000 0000 0000 0000 0100 0000 0000 0000  ................
        0x0060:  0000 ffff ffff 8f01 0000 0000 0a00 0000  ................
        0x0070:  0000 0000 0a00 0000 4d69 6372 6f73 6f66  ........Microsof
        0x0080:  7400 0000 2300 0000 0000 0000 2300 0000  t...#.......#...
        0x0090:  696e 666f 726d 2079 6f75 2061 626f 7574  inform.you.about
        0x00a0:  2061 2076 6972 7573 2064 6574 6563 7469  .a.virus.detecti
        0x00b0:  6f6e 0000 3901 0000 0000 0000 3901 0000  on..9.......9...
        0x00c0:  5741 524e 494e 4721 2120 5265 6769 7374  WARNING!!.Regist
        0x00d0:  7279 2045 7272 6f72 7320 6d61 7920 6465  ry.Errors.may.de
        0x00e0:  7465 6374 206f 6e20 796f 7572 2050 4321  tect.on.your.PC!
        0x00f0:  0a0a 5265 6769 7374 7279 2065 7272 6f72  ..Registry.error
        0x0100:  7320 6361 6e20 6361 7573 6520 6672 6571  s.can.cause.freq
        0x0110:  7565 6e74 2061 7070 6c69 6361 7469 6f6e  uent.application
        0x0120:  2063 7261 7368 6573 2c20 6465 6772 6164  .crashes,.degrad
        0x0130:  650a 7065 7266 6f72 6d61 6e63 6520 616e  e.performance.an
        0x0140:  6420 696e 7374 6162 696c 6974 792e 0a0a  d.instability...
        0x0150:  546f 2066 6978 2072 6567 6973 7472 7920  To.fix.registry.
        0x0160:  6572 726f 7273 2064 6f20 7468 6520 666f  errors.do.the.fo
        0x0170:  6c6c 6f77 696e 673a 2020 2020 2020 200a  llowing:........
        0x0180:  2d2d 2044 6f77 6e6c 6f61 6420 5265 6769  --.Download.Regi
        0x0190:  7374 7279 2043 6c65 616e 6572 2066 726f  stry.Cleaner.fro
        0x01a0:  6d3a 2020 6874 7470 3a2f 2f77 7777 2e72  m:..http://www.r
        0x01b0:  6567 7375 7064 6174 652e 636f 6d20 200a  egsupdate.com...
        0x01c0:  090a 4641 494c 5552 4520 544f 2041 4354  ..FAILURE.TO.ACT
        0x01d0:  204d 4159 204c 4541 4420 544f 2044 4154  .MAY.LEAD.TO.DAT
        0x01e0:  4120 4c4f 5353 2041 4e44 2043 4f52 5255  A.LOSS.AND.CORRU
        0x01f0:  5054 494f 4e21 0a0a 0000 0000 0000       PTION!........

cheers,
 Jamie
--
Jamie Riden / jamesr@europe.com / jamie.riden@computer.org
"Microsoft: Bringing the world to your desktop - and your desktop to
 the world." -- Peter Gutmann
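The following is an added example, not code from any poster in this thread. It does what Frank suggests and what Jamie's dump shows: it rebuilds the raw packet from the tcpdump -X text quoted above, walks the IPv4/UDP headers, and decodes the payload as a DCE RPC connectionless (v4) request so the three strings the spammer put in the pop-up can be read out and matched in a detection rule. Assumptions not stated in the thread: the interface UUID 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc is the Windows Messenger service (msgsvc) and opnum 0 is NetrSendMessage, whose stub is three NDR conformant-varying char arrays (from, to, text); the function names are mine.

```python
"""Decode a tcpdump -X dump of a Messenger-service pop-up datagram.

Added example for this thread. Assumed (not stated by the posters): the
payload is a DCE RPC CL (v4) request to msgsvc, opnum 0 NetrSendMessage,
whose stub holds three NDR conformant-varying strings: from, to, text.
"""
import re
import struct
import uuid

MSGSVC_IFACE = uuid.UUID("5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc")

# The tcpdump -X output from Jamie's message, copied verbatim.
SAMPLE_DUMP = """\
0x0000:  4500 01fe 5972 0000 3611 7129 8cfb c426  E...Yr..6.q)...&
0x0010:  48e8 1e4a 0000 0401 01ea 0000 0400 7800  H..J..........x.
0x0020:  1000 0000 0000 0000 0000 0000 0000 0000  ................
0x0030:  0000 0000 f891 7b5a 00ff d011 a9b2 00c0  ......{Z........
0x0040:  4fb6 e6fc 0000 0000 0000 0000 0000 0000  O...............
0x0050:  0000 0000 0000 0000 0100 0000 0000 0000  ................
0x0060:  0000 ffff ffff 8f01 0000 0000 0a00 0000  ................
0x0070:  0000 0000 0a00 0000 4d69 6372 6f73 6f66  ........Microsof
0x0080:  7400 0000 2300 0000 0000 0000 2300 0000  t...#.......#...
0x0090:  696e 666f 726d 2079 6f75 2061 626f 7574  inform.you.about
0x00a0:  2061 2076 6972 7573 2064 6574 6563 7469  .a.virus.detecti
0x00b0:  6f6e 0000 3901 0000 0000 0000 3901 0000  on..9.......9...
0x00c0:  5741 524e 494e 4721 2120 5265 6769 7374  WARNING!!.Regist
0x00d0:  7279 2045 7272 6f72 7320 6d61 7920 6465  ry.Errors.may.de
0x00e0:  7465 6374 206f 6e20 796f 7572 2050 4321  tect.on.your.PC!
0x00f0:  0a0a 5265 6769 7374 7279 2065 7272 6f72  ..Registry.error
0x0100:  7320 6361 6e20 6361 7573 6520 6672 6571  s.can.cause.freq
0x0110:  7565 6e74 2061 7070 6c69 6361 7469 6f6e  uent.application
0x0120:  2063 7261 7368 6573 2c20 6465 6772 6164  .crashes,.degrad
0x0130:  650a 7065 7266 6f72 6d61 6e63 6520 616e  e.performance.an
0x0140:  6420 696e 7374 6162 696c 6974 792e 0a0a  d.instability...
0x0150:  546f 2066 6978 2072 6567 6973 7472 7920  To.fix.registry.
0x0160:  6572 726f 7273 2064 6f20 7468 6520 666f  errors.do.the.fo
0x0170:  6c6c 6f77 696e 673a 2020 2020 2020 200a  llowing:........
0x0180:  2d2d 2044 6f77 6e6c 6f61 6420 5265 6769  --.Download.Regi
0x0190:  7374 7279 2043 6c65 616e 6572 2066 726f  stry.Cleaner.fro
0x01a0:  6d3a 2020 6874 7470 3a2f 2f77 7777 2e72  m:..http://www.r
0x01b0:  6567 7375 7064 6174 652e 636f 6d20 200a  egsupdate.com...
0x01c0:  090a 4641 494c 5552 4520 544f 2041 4354  ..FAILURE.TO.ACT
0x01d0:  204d 4159 204c 4541 4420 544f 2044 4154  .MAY.LEAD.TO.DAT
0x01e0:  4120 4c4f 5353 2041 4e44 2043 4f52 5255  A.LOSS.AND.CORRU
0x01f0:  5054 494f 4e21 0a0a 0000 0000 0000       PTION!........
"""

def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild raw packet bytes from tcpdump -X lines (offset, hex, ASCII)."""
    out = bytearray()
    for line in dump.splitlines():
        m = re.match(r"\s*0x[0-9a-fA-F]+:\s+(.*)$", line)
        if m:
            # The hex column is separated from the ASCII column by 2+ spaces.
            hexpart = re.split(r"\s{2,}", m.group(1).strip())[0]
            out += bytes.fromhex(hexpart.replace(" ", ""))
    return bytes(out)

def parse_ipv4_udp(pkt: bytes):
    """Return (src_port, dst_port, udp_payload) for an IPv4/UDP packet."""
    if pkt[0] >> 4 != 4 or pkt[9] != 17:
        raise ValueError("not an IPv4/UDP packet")
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport, ulen = struct.unpack("!HHH", pkt[ihl:ihl + 6])
    return sport, dport, pkt[ihl + 8:ihl + ulen]

def parse_msgsvc_request(payload: bytes):
    """Parse a DCE RPC CL request header plus the NetrSendMessage string stub."""
    # rpc_vers 4, ptype 0 (request); drep[0] bit 0x10 means little-endian integers.
    if len(payload) < 80 or payload[0] != 4 or payload[1] != 0:
        raise ValueError("not a DCE RPC connectionless request")
    if not payload[4] & 0x10:
        raise ValueError("big-endian NDR not handled in this example")
    iface = uuid.UUID(bytes_le=payload[24:40])      # if_id field of the CL header
    opnum = struct.unpack_from("<H", payload, 68)[0]
    strings, pos = [], 80                            # stub data follows the 80-byte header
    for _ in range(3):
        # NDR conformant-varying char array: max count, offset, actual count, chars.
        _max, _off, count = struct.unpack_from("<III", payload, pos)
        pos += 12
        strings.append(payload[pos:pos + count].split(b"\x00", 1)[0].decode("latin-1"))
        pos += (count + 3) & ~3                      # array data is padded to 4 bytes
    return iface, opnum, strings

def decode_popup(dump: str) -> dict:
    """Summarise a captured pop-up: ports, whether it is a msgsvc send, the strings."""
    sport, dport, payload = parse_ipv4_udp(hexdump_to_bytes(dump))
    iface, opnum, (sender, recipient, text) = parse_msgsvc_request(payload)
    return {"src_port": sport, "dst_port": dport,
            "is_msgsvc_send": iface == MSGSVC_IFACE and opnum == 0,
            "from": sender, "to": recipient, "text": text}

if __name__ == "__main__":
    for key, value in decode_popup(SAMPLE_DUMP).items():
        print(f"{key}: {value!r}")
```

Run against the quoted dump, `decode_popup` reports source port 0 and destination port 1025 (the first of the 1025-and-up range the router logs show), confirms the interface UUID is msgsvc, and returns "Microsoft" as the sender name with the registry-cleaner advertisement as the message body, which is exactly the kind of content Frank predicted. A filter that drops inbound UDP to that port range, or an IDS rule keyed on the msgsvc interface UUID at payload offset 24, covers this traffic without caring what the spoofed source address is.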
