Security Incidents mailing list archives

Re: unusual packet (tcpdump shows): rad-#0 41 [id 0] Attr[


From: Ryan Yagatich <ryany () pantek com>
Date: Sat, 19 Oct 2002 12:26:50 -0400 (EDT)

Mr man,
        I'm not certain about the 'Term_action', for I have not seen that 
before, however what I have seen is that on UDP port 1812 there are 
attempts to communicate with hosts that have been compromised by the 
openssl worm (I believe the 'cinik' variant). 
        If you haven't been keeping up on the thread, the worm is 
targeting openssl servers (like apache+ssl) and after the compromise 
files are left in /tmp named phrases like '.cinik', '.bugtraq.c', '.ink', 
and so on. A key element in identifying these files is that they are 
owned by the user that is running the webserver (i.e. nobody) and that 
usually you will find a binary or its source hanging around as well 
(.cinik.go, .cinik.c, .cinik, .cinik.uu) and .font-unix/.cinik. You may 
also want to check out /var/spool/cron/nobody and verify that it's not 
calling the worm as well.
        This could, however, be legit traffic. For example, NAS listens and 
receives TCP auth requests over port 1812. So, the question for this is: 
are you running a radius server / have you ever run a radius server? 
        Hope this steers you in the right direction; if not, just ignore 
me.

Thanks,
Ryan Yagatich  <support () pantek com>
        Pantek, Incorporated
 (877) LINUX-FIX - (440) 519-1802
===================================
A8 3B 80 FE A2 C5 98 8B 30 A1 5F 36
86 B9 E5 53 C0 1D A6 1A D3 DF 89 9B
===================================
  "It would be quite possible to
control a distant computer by means
   of a telephone line." -- Alan
          Turing, 1947

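The host-side check the reply above describes (suspect dotfiles under /tmp owned by the web server user, plus a cron entry that re-launches them), as an added example that is not part of the original message. It builds a throwaway directory tree that imitates an infected box and scans it; the crontab text is constructed, and the current uid stands in for the web server's uid because the demo cannot chown files.

```python
"""Host-side check for the /tmp droppings and cron entry described above.

Added example, not part of the original posting: it builds a throwaway
directory tree that imitates a compromised box, then scans it.
"""
import os
import re
import tempfile

# File names the reply lists; the hidden '.font-unix/.cinik' copy is found
# because the scan walks subdirectories.
SUSPECT_NAMES = {".cinik", ".cinik.c", ".cinik.go", ".cinik.uu", ".bugtraq.c", ".ink"}

# Crontab lines that reference any of those names (comment lines are skipped).
CRON_PATTERN = re.compile(r"\.(cinik|bugtraq|ink)\b")


def find_worm_droppings(root, web_uid):
    """Return sorted (path, owned_by_web_user) pairs for suspect files under root."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name not in SUSPECT_NAMES:
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)   # lstat: do not follow symlinks planted in /tmp
            except OSError:
                continue
            hits.append((path, st.st_uid == web_uid))
    return sorted(hits)


def cron_calls_worm(crontab_text):
    """Return the non-comment crontab lines that invoke a suspect file."""
    return [line for line in crontab_text.splitlines()
            if not line.lstrip().startswith("#") and CRON_PATTERN.search(line)]


# Constructed sample of /var/spool/cron/nobody on an infected host (assumption,
# not a real capture).
SAMPLE_CRONTAB = """\
# constructed sample, not a real capture
0 * * * * /tmp/.cinik.go > /dev/null 2>&1
*/10 * * * * /usr/bin/updatedb
"""


def build_demo_tree():
    """Create a temp tree with a few suspect files plus a benign one; return its path."""
    root = tempfile.mkdtemp(prefix="cinik-demo-")
    os.makedirs(os.path.join(root, ".font-unix"))
    for rel in (".cinik", ".cinik.c", ".bugtraq.c", "harmless.txt",
                os.path.join(".font-unix", ".cinik")):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("demo\n")
    return root


def run_demo():
    """Scan the demo tree, treating the current uid as the web server's uid."""
    root = build_demo_tree()
    hits = find_worm_droppings(root, os.getuid())
    return {
        "names": [os.path.relpath(p, root) for p, _ in hits],
        "all_owned_by_web_user": all(owned for _, owned in hits),
        "cron": cron_calls_worm(SAMPLE_CRONTAB),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

On a real host you would call find_worm_droppings("/tmp", pwd.getpwnam("nobody").pw_uid) and feed cron_calls_worm the contents of /var/spool/cron/nobody; ownership by the web server user is the signal the reply points at, so a hit that is not owned by that uid deserves a second look rather than automatic dismissal.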

On 18 Oct 2002, Melt  Man wrote:

Dear sir.

I'm facing these packets continuously on my server.
Can someone please explain to me what these packets are and for what 
they are used?
Is this possibly a DDOS attack??

the sample tcpdump output is:

20:32:22.658735 200.213.38.137.1812 > XX.XX.XX.XX.1812:  rad-#0 41 
[id 0] Attr[  Term_action Term_action Term_action Term_ac
tion Term_action Term_action Term_action Term_action Term_action 
Term_action Term_action

second time tcpdump

20:39:57.168735 202.30.10.188.1812 > XX.XX.XX.XX.1812:  rad-#0 41 
[id 0] Attr[  Term_action



This line Term_action goes on till infinity (or maybe till it runs out 
of buffers).

Means these packets are coming from different IP 
addresses ...

I'm not running anything on port 1812 (neither udp nor tcp).
Does the above packet mean another protocol than udp/tcp ??

Can someone please explain the above problem ...

I'm getting worried about the traffic coming to my servers ....

Thanking you,
Mobby

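What tcpdump printed above is its RADIUS decoder applied to whatever arrived on UDP port 1812: "rad-#0" is RADIUS code 0, which is not a valid code, and "Term_action" is presumably tcpdump's short name for Termination-Action (attribute 29). The following decoder, an added example that is not part of the original thread, parses a datagram as RADIUS (RFC 2865: 1-byte code, 1-byte identifier, 2-byte length, 16-byte authenticator, then type/length/value attributes) and reports every way it fails to fit. Both datagrams are constructed: the first is a well-formed Access-Request; the second copies only the header fields the summary shows (code 0, id 0, length 41), and its 21 attribute bytes are an assumption, since the posting has no hex dump.

```python
"""Decode a UDP/1812 payload as RADIUS (RFC 2865) and report what does not fit.

Added example, not from the original thread. Sample datagrams are constructed.
"""
import struct

HEADER_LEN = 20                      # code(1) id(1) length(2) authenticator(16)
RADIUS_CODES = {
    1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
    4: "Accounting-Request", 5: "Accounting-Response",
    11: "Access-Challenge", 12: "Status-Server", 13: "Status-Client",
}
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port",
              29: "Termination-Action", 32: "NAS-Identifier"}


def decode_radius(payload):
    """Parse the header and attribute TLVs; collect every sanity-check failure."""
    problems = []
    if len(payload) < HEADER_LEN:
        return {"code": None, "name": "invalid", "id": None, "length": len(payload),
                "attrs": [], "problems": ["shorter than the 20-byte RADIUS header"]}
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if code not in RADIUS_CODES:
        problems.append(f"code {code} is not a RADIUS code")
    if not HEADER_LEN <= length <= 4096:
        problems.append(f"length {length} outside the RFC range 20..4096")
    if length > len(payload):
        problems.append(f"length {length} exceeds datagram size {len(payload)}")
    attrs = []
    pos, end = HEADER_LEN, min(length, len(payload))
    while pos < end:
        atype = payload[pos]
        if pos + 1 >= end:
            problems.append(f"attribute {atype} at offset {pos} is truncated")
            break
        alen = payload[pos + 1]
        if alen < 2:
            # RFC 2865: the length byte counts the type and length bytes too,
            # so it is at least 2. Advancing by 0 never terminates; a decoder
            # without this check prints the same attribute name forever.
            problems.append(f"attribute {atype} at offset {pos} has length {alen}")
            break
        attrs.append((atype, ATTR_NAMES.get(atype, f"attr-{atype}"),
                      payload[pos + 2:pos + alen]))
        pos += alen
    if pos > end:
        problems.append("last attribute runs past the packet length")
    return {"code": code, "name": RADIUS_CODES.get(code, "invalid"), "id": ident,
            "length": length, "attrs": attrs, "problems": problems}


def looks_like_radius(payload):
    """True only when every header and attribute check passes."""
    return not decode_radius(payload)["problems"]


def access_request_sample():
    """Constructed Access-Request: User-Name 'mobby', NAS-IP-Address 10.0.0.1."""
    attrs = bytes([1, 7]) + b"mobby" + bytes([4, 6, 10, 0, 0, 1])
    # The Request Authenticator is 16 random bytes in real traffic; zeroed here.
    return struct.pack("!BBH", 1, 7, HEADER_LEN + len(attrs)) + bytes(16) + attrs


def cinik_like_sample():
    """Constructed datagram with the header fields the tcpdump summary shows.

    Assumption: the 21 bytes after the header start with type 29
    (Termination-Action) and a zero length byte; the real bytes are unknown.
    """
    body = bytes([29, 0]) + bytes(19)
    return struct.pack("!BBH", 0, 0, HEADER_LEN + len(body)) + bytes(16) + body


if __name__ == "__main__":
    for label, pkt in (("access-request", access_request_sample()),
                       ("port-1812 noise", cinik_like_sample())):
        d = decode_radius(pkt)
        print(label, d["name"], "id", d["id"], "len", d["length"],
              [a[1] for a in d["attrs"]], d["problems"] or "ok")
```

Feeding captured UDP/1812 payloads (for example, the raw bytes from `tcpdump -s0 -x udp port 1812`) through looks_like_radius separates genuine RADIUS from something else riding on the port: a RADIUS server never sends code 0, and a single zero-length attribute is enough to make an unguarded attribute loop emit one name endlessly, which is what an output that "goes on till infinity" looks like.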


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com




