Re: strange cmd.exe access

From: Valdis.Kletnieksat_private
Date: Fri May 30 2003 - 15:43:44 PDT


    On Fri, 30 May 2003 18:13:11 EDT, Jeff Adams <JAdamsat_private>  said:
    > 
    > > what is strange is that the cmd.exe / root.exe stuff is half way
    > > through with some other code before it the IP it hit was not mapped to
    > > anything ( I believe it is unused) so this can not have been part of
    > > another TCP conversation. Any ideas?
    > 
    > I have been seeing similar odd cmd.exe packets as well.
    > 
    > It looks like part of a Code Red or a new variant.
    > 
    > Anyone else seeing the same?
    
    You know, it *IS* possible for a router to accidentally mangle the destination
    IP address undetected - the checksum on the IP header isn't foolproof.  So
    suddenly the packet is headed off to some new address with one or two bits
    different. Instead of heading to 64.119.12.9, it's now heading to 192.119.12.9.
    Whoops. ;)
    
    Usually, this isn't a problem, because the following will happen:
    
    1) The erroneous destination box throws an RST packet back because it's
    never heard of the connection.
    1a) The original source deep-sixes the RST because it's from a host it's
    not talking to.
    
    2) The original source doesn't get an ACK, and retransmits, and all is fine.
    
    Not saying this *IS* the explanation, and it probably isn't if OTHER people
    are seeing 'second packets only' symptoms - but I *have* seen this sort of
    thing in production (fortunately, it was a bad memory card on a router giving
    us a steady/intermittent stream of bogon packets so we could backtrace).
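
    As an added illustration of the checksum point above (example code written for this archive page, not from the original poster): the IPv4 header checksum is a one's-complement sum, so any single flipped bit is caught, but two flips in the same bit column of two different 16-bit words cancel out and a header whose destination has silently moved from 64.119.12.9 to 192.119.12.9 still verifies. The source address and identification value are constructed sample values.

```python
import socket
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    data = bytes(data)
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold end-around carries
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def header_is_valid(hdr: bytes) -> bool:
    """Receiver's check: summing the header *with* its checksum field gives 0."""
    return checksum(hdr) == 0

def build_header(src: str, dst: str, ident: int) -> bytearray:
    """Constructed 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s",
                                0x45, 0, 40, ident, 0x4000, 64, 6, 0,
                                socket.inet_aton(src), socket.inet_aton(dst)))
    struct.pack_into("!H", hdr, 10, checksum(hdr))
    return hdr

def dst_addr(hdr: bytes) -> str:
    return socket.inet_ntoa(bytes(hdr[16:20]))

def corrupt(hdr: bytes, flips) -> bytearray:
    """Model a router flipping bits in a buffered header after the ingress
    frame CRC was already checked; the egress CRC is recomputed over the
    damaged bytes, so the IP header checksum is the only remaining guard."""
    out = bytearray(hdr)
    for byte_index, bit in flips:
        out[byte_index] ^= 1 << bit
    return out

if __name__ == "__main__":
    # Constructed sample: source address and identification are made up.
    orig = build_header("10.0.0.5", "64.119.12.9", ident=0x9ABC)
    assert header_is_valid(orig)

    # One flip (bit 7 of byte 16, destination's first octet, 64 -> 192)
    # changes the sum by 0x8000 and is detected.
    one = corrupt(orig, [(16, 7)])
    print(dst_addr(one), header_is_valid(one))     # 192.119.12.9 False

    # A second flip in the same column of another word (bit 15 of the
    # identification field, 0x9ABC -> 0x1ABC) cancels the first: the
    # checksum still verifies and the packet heads for the wrong host.
    two = corrupt(orig, [(4, 7), (16, 7)])
    print(dst_addr(two), header_is_valid(two))     # 192.119.12.9 True
```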
    This archive was generated by hypermail 2b30 : Sun Jun 01 2003 - 21:53:03 PDT