Re: unusual packet (tcpdump shows): rad-#0 41 [id 0] Attr[

From: James Sneeringer (james+incidentsat_private)
Date: Fri Oct 18 2002 - 22:07:57 PDT


    On Fri, Oct 18, 2002 at 01:31:15PM -0000, Melt  Man wrote:
    > 20:32:22.658735 200.213.38.137.1812 > XX.XX.XX.XX.1812:  rad-#0 41 
    > [id 0] Attr[  Term_action Term_action Term_action Term_ac
    > tion Term_action Term_action Term_action Term_action Term_action 
    > Term_action Term_action
    
    This is probably the Slapper worm.  One variant of it uses udp/1812
    to communicate with other infected servers.  However, udp/1812 is
    registered for RADIUS authentication, and tcpdump knows that, so it's
    trying to decode the packet as if it were a RADIUS authentication
    request.  For more info:
    
        http://isc.incidents.org/analysis.html?id=175
    
    -James
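
Added example, not part of the original message: tcpdump chose the RADIUS decoder from the port number alone, so this Python sketch checks whether a udp/1812 payload is structurally valid RADIUS per RFC 2865 (assigned code, consistent length field, well-formed attribute TLVs). The function name radius_problems and both sample payloads are constructed for illustration; NOT_RADIUS only mimics the code 0 / id 0 / 41-byte shape of the quoted tcpdump line and is not captured worm traffic.

```python
import struct

# Packet codes assigned in RFC 2865/2866; code 0 is not assigned.
KNOWN_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
               4: "Accounting-Request", 5: "Accounting-Response",
               11: "Access-Challenge", 12: "Status-Server", 13: "Status-Client"}
HEADER_LEN = 20   # code(1) + identifier(1) + length(2) + authenticator(16)
MAX_LEN = 4096    # largest RADIUS packet allowed by RFC 2865


def radius_problems(payload: bytes) -> list:
    """Return reasons the UDP payload is not valid RADIUS (empty list = plausible)."""
    if len(payload) < HEADER_LEN:
        return ["shorter than the 20-byte RADIUS header"]
    problems = []
    code, _ident, length = struct.unpack("!BBH", payload[:4])
    if code not in KNOWN_CODES:
        problems.append(f"unassigned code {code}")
    if not HEADER_LEN <= length <= MAX_LEN or length > len(payload):
        problems.append(
            f"length field {length} inconsistent with {len(payload)}-byte payload")
        return problems  # attributes cannot be walked without a sane length
    # Walk attribute TLVs: type(1), length(1, includes these 2 bytes), value.
    pos = HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            problems.append("truncated attribute header")
            break
        attr_len = payload[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            problems.append(f"bad attribute length {attr_len} at offset {pos}")
            break
        pos += attr_len
    return problems


# Constructed samples (not captured traffic).
# Minimal Access-Request: code 1, id 7, zero authenticator, User-Name "bob".
_attr = bytes([1, 5]) + b"bob"
VALID = struct.pack("!BBH", 1, 7, HEADER_LEN + len(_attr)) + bytes(16) + _attr
# 41 bytes starting with code 0 and id 0, followed by arbitrary filler.
NOT_RADIUS = bytes([0, 0]) + bytes(range(2, 41))

if __name__ == "__main__":
    for name, pkt in (("VALID", VALID), ("NOT_RADIUS", NOT_RADIUS)):
        print(name, radius_problems(pkt) or "plausible RADIUS")
```

A payload that fails these checks on udp/1812 is a reason to look at the raw bytes (for example with tcpdump -X) rather than trust the decoded attribute names.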
    
    
    



    This archive was generated by hypermail 2b30 : Sun Oct 20 2002 - 20:56:01 PDT