Re: Solegg ?

[xian () mat uni torun pl]

Cytowanie David Gillett <gillettdavid () fhda edu>:

>   I recently attempted to contact this forum about strange traffic
> coming from one of our hosts.  (My message was rejected without
> explanation.)  The host was sending out ICMP Echo-Reply packets
> which contained the keyword "skillz" and about 1K of null bytes.
> No ICMP Echo-Request packets were seen eliciting these.
>
>   This week, continuing to research this machine, I found that it
> was also the source of bursts of traffic from (spoofed) 127.0.0.x
> addresses to 108.122.0.0, in a ragen marked "reserved" by IANA.
> A Google search shows that other sites had seen such traffic going
> back as far as 2002, but I could not find any indication that its
> cause had been positively identified.
>
>   I still don't know for certain that this box was the victim of
> a single infestation, but the possibility that these are symptoms
> of the same compromise may be worth considering.

> From Your descrtiption it seems like some 'call home'. Did You notice any other
suspicious traffic from / to this machine ?
Maybe You could provide more info eg tcpdump output ?
greetings 
Jan 

-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GCS dx s+:+ a-- c++ UL++++ UB++ P+++ L++ E- W++ N++ w O tv-- b+ DI++ D+ G e h!
r++ y?
------END GEEK CODE BLOCK------

---------------------------------------------------------------------------
----------------------------------------------------------------------------