Full Disclosure mailing list archives
Re: Broadcast storm in my network/ any ideas
From: "J.A. Terranson" <measl () mfn org>
Date: Thu, 22 Dec 2005 12:27:46 -0600 (CST)
On Thu, 22 Dec 2005, wilder_jeff Wilder wrote:

> All, I have a Windows 2000 terminal server that is consistently sending out broadcasts to 255.255.255.255:111... below is a capture from a snort box I have running. In the last 18 hours I have had about 2000 packets from this box to this address about every 30 seconds.

Jeff,

FYI - a "Broadcast storm" is a Loooooonnnngggggg way from 200 packets over 18 hours. Most people would hesitate to class this level of traffic as a "nuisance", let alone a "broadcast storm".

Notwithstanding the obvious error in terminology, 111 isn't a port that I would expect a Winblows box to be talking to (usually for *nix portmapper services). In this case, your most reasonable course of action would be to examine the box and try to determine what process is binding to the port. Personally, I'd pull it off the wire under the presumption it's been compromised, until proven otherwise (or unless you have services for Unix installed).

--
Yours,
J.A. Terranson
sysadmin () mfn org
0xBD4A95BF

Just once, can't we have a nice polite discussion about the logistics and planning side of large criminal enterprise?
- Steve Thompson

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/