Re: Strange Activity

From: Johannes B. Ullrich (jullrichat_private)
Date: Tue May 01 2001 - 17:49:41 PDT

Next message: H C: "Re: Strange Activity"

Previous message: Alfred Huger: "Administrivia - Thanks"
In reply to: Spookah .: "Strange Activity"
Next in thread: Valdis Kletnieks: "Re: Strange Activity"
Next in thread: H C: "Re: Strange Activity"
Reply: Valdis Kletnieks: "Re: Strange Activity"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Looks like IRC traffic based on the ports used. Did you use IRC
at the time?

- ---
Johannes Ullrich            Join http://www.dshield.org
jullrichat_private
GPG Key ID: AE692033  Key: http://johannes.homepc.org/pgp.htm
- ---


- -----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTSat_private]On
Behalf Of Spookah .
Sent: Tuesday, May 01, 2001 7:58 PM
To: INCIDENTSat_private
Subject: Strange Activity


While remotly connected to my home machine, I noticed alot of lag.  I
executed a 'netstat -a' which showed me nothing out of the ordinary.
But
when I started tcpdump I saw traffic which I could not account for.

Here is a snip of my tcpdump log..
Key: x.x.x.x = my ip

16:26:14.957566 24.109.6.174.6700 > x.x.x.x.63781: tcp 0 (DF)
16:26:14.958509 x.x.x.x.63781 > 24.109.6.174.6700: tcp 1460 (DF)
16:26:14.959240 x.x.x.x.63781 > 24.109.6.174.6700: tcp 588 (DF)
16:26:15.155428 24.109.6.174.6700 > x.x.x.x.63781: tcp 0 (DF)
16:26:15.156308 x.x.x.x.63781 > 24.109.6.174.6700: tcp 1460 (DF)
16:26:15.157046 x.x.x.x.63781 > 24.109.6.174.6700: tcp 588 (DF)
16:26:15.242682 172.150.125.247.6688 > x.x.x.x.63783: tcp 0 (DF)
16:26:15.286571 172.174.174.84.6700 > x.x.x.x.63780: tcp 0 (DF)
16:26:15.443723 172.150.125.247.6688 > x.x.x.x.63783: tcp 0 (DF)
16:26:15.448809 x.x.x.x.63783 > 172.150.125.247.6688: tcp 1360 (DF)
16:26:15.449510 x.x.x.x.63783 > 172.150.125.247.6688: tcp 688 (DF)
16:26:15.479993 172.174.174.84.6700 > x.x.x.x.63780: tcp 0 (DF)
16:26:15.485314 x.x.x.x.63780 > 172.174.174.84.6700: tcp 1360 (DF)

I was unable to capture any of the packets, and a nmap of my machine
showed
no unusual ports open.  Anyone have any ideas on what this could have
been?

Thanks in advance,
Spookah
Network Technician
Linux Administrator
_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8

iQA/AwUBOu9ZcFTiIsyuaSAzEQIX8QCgsXTAB+ibyQegl1eeMVxfNQzVb7UAn3hg
ngrKHwPTREwClYqxBaKFqWc7
=9Bn5
-----END PGP SIGNATURE-----

Next message: H C: "Re: Strange Activity"
Previous message: Alfred Huger: "Administrivia - Thanks"
In reply to: Spookah .: "Strange Activity"
Next in thread: Valdis Kletnieks: "Re: Strange Activity"
Next in thread: H C: "Re: Strange Activity"
Reply: Valdis Kletnieks: "Re: Strange Activity"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue May 01 2001 - 18:23:42 PDT