strange packets

From: Jason R. Seats (Jason.Seatsat_private)
Date: Mon Jun 25 2001 - 09:05:22 PDT


    I also posted on the ids list last week-
    
    I recently came across several packets resembling this while tcpdumping.
    
    14:35:10.076207 0:50:8b:f0:13:15 1:0:5e:1:2:3 ip 116: 192.168.50.46.402
    > 225.1.2.3.402:  udp 74
                             4500 0066 07df 0000 2011 bccd c0a8 322e
                             e101 0203 0192 0192 0052 efee 5265 7175
                             6573 743d 4765 7453 6572 7665 720a 4d41
                             432d 4164 6472 6573 733d 3030 3530 3842
                             4630 3133 3135 0a41 6464 6c2d 4d41 432d
                             4164 6472 6573 733d 3030 3530 3842 4630
                             3133 3135 0a00
    
    All the packets were 192.168.50.*:402 -> 225.1.2.3:402 
    and when decoding the contents they are carrying:
    
    >Request=GetServer
    >MAC-Address=00508BF01315
    >Addl-MAC-Address=00508BF01315
    
    If you notice, that is the MAC of the 192. machine that sent the
    packet.  There were no responses from the 225. addy, but several packets
    like this were sent.
    
    Look familiar to anyone?
    
    Thanks in advance.
    -- 
    Jason Seats
    Information Security Software Engineer
    TechGuard Security
    jason.seatsat_private
    www.techguardsecurity.com
    636-519-4848
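
The decode described in the message, reproduced as an added example that is not part of the original post: it parses the IPv4 and UDP headers from the posted hex dump, verifies the IP header checksum, and cross-checks the MAC carried in the payload against the Ethernet source, and the Ethernet destination against the standard multicast mapping for 225.1.2.3. The function names are this example's own.

```python
import ipaddress
import struct

# Hex dump and link-layer addresses copied from the tcpdump output in the post.
HEX_DUMP = """
4500 0066 07df 0000 2011 bccd c0a8 322e e101 0203 0192 0192 0052 efee 5265 7175
6573 743d 4765 7453 6572 7665 720a 4d41 432d 4164 6472 6573 733d 3030 3530 3842
4630 3133 3135 0a41 6464 6c2d 4d41 432d 4164 6472 6573 733d 3030 3530 3842 4630
3133 3135 0a00
"""
ETH_SRC, ETH_DST = "0:50:8b:f0:13:15", "1:0:5e:1:2:3"

def norm_mac(mac):
    """Normalise tcpdump's unpadded MAC notation to 12 upper-case hex digits."""
    return "".join(f"{int(part, 16):02X}" for part in mac.split(":"))

def ip_checksum_ok(header):
    """The one's-complement sum over a valid IPv4 header folds to 0xFFFF."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def multicast_mac(ip):
    """Map an IPv4 multicast group to its 01:00:5E Ethernet address (low 23 bits)."""
    return f"01005E{int(ipaddress.IPv4Address(ip)) & 0x7FFFFF:06X}"

def decode(hex_dump, eth_src=ETH_SRC, eth_dst=ETH_DST):
    """Decode an IPv4/UDP packet whose payload is newline-separated key=value text."""
    pkt = bytes.fromhex("".join(hex_dump.split()))
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 17:
        raise ValueError("not a UDP packet")
    src, dst = (str(ipaddress.IPv4Address(pkt[i:i + 4])) for i in (12, 16))
    sport, dport, udp_len = struct.unpack("!HHH", pkt[ihl:ihl + 6])
    payload = pkt[ihl + 8:ihl + udp_len]
    text = payload.rstrip(b"\x00").decode("ascii")
    fields = dict(line.split("=", 1) for line in text.splitlines() if "=" in line)
    return {
        "src": src, "dst": dst, "sport": sport, "dport": dport, "ttl": pkt[8],
        "payload_len": len(payload), "checksum_ok": ip_checksum_ok(pkt[:ihl]),
        "fields": fields,
        "sender_mac_matches": fields.get("MAC-Address") == norm_mac(eth_src),
        "group_mac_matches": multicast_mac(dst) == norm_mac(eth_dst),
    }

if __name__ == "__main__":
    print(decode(HEX_DUMP))
```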
    



    This archive was generated by hypermail 2b30 : Mon Jun 25 2001 - 12:55:03 PDT