Security Incidents mailing list archives
Interesting packets
From: "Jeremy Junginger" <jjunginger () usbestcrm com>
Date: Mon, 16 Sep 2002 08:30:48 -0700
I've been tracing these packets for a while now, and am having a bit of trouble deciphering what's happening. It appears that this host is attempting to contact an external host over udp port 8197 where the firewall blocks it. Interesting points are:

It looks like host x.x.x.4 is initiating a udp session with 68.60.32.5 over port 8197. We block this port with egress filtering at the firewall, as it is not a dataflow we utilize in our production systems.

Anybody deciphered similar alerts?

Generated by ACID v0.9.6b21 on Mon September 16, 2002 08:02:58
------------------------------------------------------------------------------
#(1 - 8399) [2002-09-16 06:50:18] ICMP Destination Unreachable (Communication Administratively Prohibited)
IPv4: 68.60.32.249 -> x.x.x.4
      hlen=5 TOS=0 dlen=56 ID=2147 flags=0 offset=0 TTL=241 chksum=31000
ICMP: type=Destination Unreachable code=Packet Filtered
      checksum=42554 id= seq=
Payload: length = 32

000 : 00 00 00 00 45 00 00 3D 78 26 00 00 70 11 8B 34   ....E..=x&..p..4
010 : AC 10 37 04 44 3C 20 05 0F 72 00 35 00 29 46 E8   ..7.D< ..r.5.)F.

Original IP information:
UDP x.x.x.4 x.xyz.com 17468 68.60.32.5 ns01.pntiac01.mi.comcast.net 8197

-Jeremy

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
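Added example, not part of the original post and not ACID's code: a decoder for the datagram that the ICMP Destination Unreachable message above quotes back, run over the 32 payload bytes shown in the alert. It assumes the payload begins with the 4-byte unused field of the ICMP header (RFC 792), so the quoted IPv4 header starts at offset 4; the function names are hypothetical.

```python
import socket
import struct

# Payload bytes copied from the ACID alert in the post (two hex-dump rows).
DUMP = """
000 : 00 00 00 00 45 00 00 3D 78 26 00 00 70 11 8B 34
010 : AC 10 37 04 44 3C 20 05 0F 72 00 35 00 29 46 E8
"""

def dump_to_bytes(dump):
    """Strip the 'offset :' column and return the raw payload bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        out += bytes.fromhex(line.split(":", 1)[1])
    return bytes(out)

def decode_quoted_datagram(payload, ip_offset=4):
    """Decode the IPv4 + UDP headers an ICMP error quotes back.

    ip_offset=4 skips the 4-byte 'unused' field that follows the ICMP
    type/code/checksum in a Destination Unreachable message (RFC 792).
    """
    ip = payload[ip_offset:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("no IPv4 header at offset %d" % ip_offset)
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl + 8:
        raise ValueError("quoted datagram truncated")
    total_len, = struct.unpack("!H", ip[2:4])
    ttl, proto = ip[8], ip[9]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    if proto != 17:
        raise ValueError("quoted datagram is not UDP (proto %d)" % proto)
    sport, dport, udp_len = struct.unpack("!HHH", ip[ihl:ihl + 6])
    return {"src": src, "dst": dst, "ttl": ttl, "total_len": total_len,
            "sport": sport, "dport": dport, "udp_len": udp_len}

def ports_at(payload, offset):
    """Read two big-endian 16-bit values at an arbitrary payload offset."""
    return struct.unpack("!HH", payload[offset:offset + 4])

if __name__ == "__main__":
    payload = dump_to_bytes(DUMP)
    print(decode_quoted_datagram(payload))
    # Offset 20 assumes the IP header started at byte 0 of the payload.
    print(ports_at(payload, 20))
```

Decoded from offset 4, the quoted datagram is UDP from source port 3954 to destination port 53 on 68.60.32.5. Reading the port fields at payload offset 20, as if the IP header began at byte 0, gives 17468 and 8197, the values in the "Original IP information" line; those four bytes are the destination address 44 3C 20 05.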