Re: unusual packet (tcpdump shows): rad-#0 41 [id 0] Attr[

From: Ryan Yagatich (ryanyat_private)
Date: Sat Oct 19 2002 - 09:26:50 PDT


    Mr man,
    	I'm not certain about the 'Term_action', for I have not seen that 
    before; however, what I have seen is that on UDP port 1812 there are 
    attempts to communicate with hosts that have been compromised by the 
    openssl worm (I believe the 'cinik' variant). 
    	If you haven't been keeping up on the thread, the worm is 
    targeting openssl servers (like apache+ssl), and after the compromise 
    files are left in /tmp named phrases like '.cinik', '.bugtraq.c', '.ink', 
    and so on. A key element in identifying these files is that they are 
    owned by the user that is running the webserver (i.e. nobody) and that 
    usually you will find a binary or its source hanging around as well 
    (.cinik.go, .cinik.c, .cinik, .cinik.uu) and .font-unix/.cinik. You may 
    also want to check out /var/spool/cron/nobody and verify that it's not 
    calling the worm as well.
    	This could, however, be legit traffic. For example, NAS listens and 
    receives TCP auth requests over port 1812. So, the question for this is: 
    are you running a radius server / have you ever run a radius server? 
    	Hope this steers you in the right direction; if not, just ignore 
    me.
    
    Thanks,
    Ryan Yagatich  <supportat_private>
            Pantek, Incorporated
     (877) LINUX-FIX - (440) 519-1802
    ===================================
    A8 3B 80 FE A2 C5 98 8B 30 A1 5F 36
    86 B9 E5 53 C0 1D A6 1A D3 DF 89 9B
    ===================================
      "It would be quite possible to
    control a distant computer by means
       of a telephone line." -- Alan
              Turing, 1947
    
    
    On 18 Oct 2002, Melt  Man wrote:
    
    >Dear sir,
    >
    >I'm facing these packets continuously on my server.
    >Can someone please explain to me what these packets are and for what 
    >they are used?
    >Is this possibly a DDoS attack?
    >
    >the sample tcpdump output is:
    >
    >20:32:22.658735 200.213.38.137.1812 > XX.XX.XX.XX.1812:  rad-#0 41 
    >[id 0] Attr[  Term_action Term_action Term_action Term_ac
    >tion Term_action Term_action Term_action Term_action Term_action 
    >Term_action Term_action
    >
    >second time tcpdump
    >
    >20:39:57.168735 202.30.10.188.1812 > XX.XX.XX.XX.1812:  rad-#0 41 
    >[id 0] Attr[  Term_action
    >
    >
    >
    >This line "Term_action" goes on till infinity (or maybe till it runs out 
    >of buffers).
    >
    >This means these packets are coming from many different IP 
    >addresses ...
    >
    >I'm not running anything on port 1812 (neither UDP nor TCP).
    >Does the above packet mean another protocol than UDP/TCP?
    >
    >Can someone please explain the above problem to me ...
    >
    >I'm getting worried about the traffic coming to my servers ....
    >
    >Thanking you,
    >Mobby
    >
    >
    >
    >----------------------------------------------------------------------------
    >This list is provided by the SecurityFocus ARIS analyzer service.
    >For more information on this free incident handling, management 
    >and tracking system please see: http://aris.securityfocus.com
    >
    
    
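The two checks Ryan recommends (worm droppings in /tmp owned by the web server user, and a crontab for that user that re-launches them), plus a quick tally of which source addresses are sending the RADIUS-decoded packets Mobby sees, as an added example in Python. This is not code from the original thread or from any of the people in it; the directory layout it builds, the 192.0.2.x addresses in the sample tcpdump lines, and the placeholder file contents are all constructed for illustration, and the indicator file names are taken from Ryan's message.

```python
"""
Added example (not from the original list post): sweep a host for the
indicators described in the reply -- worm droppings in /tmp owned by the
web server user, and a crontab for that user that calls them -- and
summarise tcpdump lines showing port 1812 traffic from different sources.
All sample paths, addresses and file contents below are constructed.
"""
import os
import re
import tempfile
from collections import Counter

# File names the reply says the worm leaves behind (all relative to /tmp).
INDICATOR_NAMES = {".cinik", ".bugtraq.c", ".ink", ".cinik.go", ".cinik.c",
                   ".cinik.uu", os.path.join(".font-unix", ".cinik")}

# Constructed tcpdump lines in the same shape as the ones quoted in the
# thread (TEST-NET addresses; the last line is ordinary TCP noise).
SAMPLE_TCPDUMP = [
    "20:32:22.658735 192.0.2.1.1812 > 192.0.2.10.1812:  rad-#0 41 [id 0] Attr[  Term_action",
    "20:32:23.001200 192.0.2.2.1812 > 192.0.2.10.1812:  rad-#0 41 [id 0] Attr[  Term_action",
    "20:32:24.500000 192.0.2.1.1812 > 192.0.2.10.1812:  rad-#0 41 [id 0] Attr[  Term_action",
    "20:32:25.100000 192.0.2.3.40000 > 192.0.2.10.80: S 1:1(0) win 5840",
]

# timestamp  src.port > dst.port:  rad-...
TCPDUMP_RE = re.compile(
    r"^\S+\s+(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\S+)\.(\d+):\s+rad-")


def find_worm_files(tmp_dir, web_uid):
    """Return indicator paths under tmp_dir that exist and are owned by web_uid.

    Ownership by the web server user (e.g. nobody) is the key sign in the
    reply: the worm runs with the privileges of the compromised httpd.
    """
    hits = []
    for rel in sorted(INDICATOR_NAMES):
        path = os.path.join(tmp_dir, rel)
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            continue
        if st.st_uid == web_uid:
            hits.append(path)
    return hits


def crontab_references(crontab_path, names=INDICATOR_NAMES):
    """Return non-comment crontab lines that mention any indicator basename."""
    basenames = {os.path.basename(n) for n in names}
    found = []
    try:
        with open(crontab_path) as fh:
            for line in fh:
                if line.lstrip().startswith("#"):
                    continue
                if any(b in line for b in basenames):
                    found.append(line.rstrip("\n"))
    except FileNotFoundError:
        pass
    return found


def radius_sources(tcpdump_lines):
    """Count distinct source IPs sending RADIUS-decoded packets to port 1812."""
    counts = Counter()
    for line in tcpdump_lines:
        m = TCPDUMP_RE.match(line)
        if m and m.group(4) == "1812":
            counts[m.group(1)] += 1
    return counts


def build_sample_host():
    """Construct a throwaway tree mimicking a compromised host (demo only)."""
    root = tempfile.mkdtemp(prefix="cinik-demo-")
    tmp_dir = os.path.join(root, "tmp")
    os.makedirs(os.path.join(tmp_dir, ".font-unix"))
    for name in (".cinik", ".cinik.c", os.path.join(".font-unix", ".cinik")):
        with open(os.path.join(tmp_dir, name), "w") as fh:
            fh.write("# constructed placeholder, not worm code\n")
    cron_dir = os.path.join(root, "var", "spool", "cron")
    os.makedirs(cron_dir)
    with open(os.path.join(cron_dir, "nobody"), "w") as fh:
        fh.write("# constructed crontab for the demo\n")
        fh.write("* * * * * /tmp/.cinik >/dev/null 2>&1\n")
    return root


def sweep(root, web_uid=None):
    """Run both checks against a root; web_uid defaults to the current user.

    On a real host pass root="/" and the uid of the httpd user (e.g. nobody).
    """
    if web_uid is None:
        web_uid = os.getuid()
    return {
        "files": find_worm_files(os.path.join(root, "tmp"), web_uid),
        "cron": crontab_references(
            os.path.join(root, "var", "spool", "cron", "nobody")),
    }


if __name__ == "__main__":
    demo_root = build_sample_host()
    print(sweep(demo_root))
    print(radius_sources(SAMPLE_TCPDUMP))
```

The demo files are owned by whoever runs the script, so the sweep uses the current uid as the "web server user"; on a real box you would pass the uid of the account httpd runs as and a root of "/". The regex only counts lines tcpdump decoded as RADIUS ("rad-") to port 1812, so plain TCP lines in the same capture are ignored.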