Re: [Full-Disclosure] Odd packet?

From: Valentino Squilloni - Ouz (ouz_at_people.it)
Date: 05/25/04

    To: full-disclosure@lists.netsys.com
    Date: Tue, 25 May 2004 23:10:08 +0200 (CEST)
    
    

    On Tue, 25 May 2004, Maarten wrote:

    > > Getting quite a few 127.0.0.1 on differing ports lately and I know it isn't
    > > originating FROM this machine. Haven't sniffed any packets but they come up
    > > in logs.
    >
    > Not saying what you see must be wrong but, if your routing / packetfilter /
    > kernelsettings were properly configured you would not ever get these packets
    > as they would be dropped before they would reach your machine.

    That's true. But maybe the OP dropped those packets (perhaps he doesn't
    know :-); I think so because he's speaking of logs.

    > If not your
    > ISP, then you (indeed everyone) should always drop packets coming from
    > interfaces they _cannot_ originate from. Antispoofing, that's called.

    Completely agree.

    > Especially 127.x.x.x is not routed by any ISP which is worth their name.

    But I've seen those packets a lot of times, especially last year with
    Blaster and DNS servers which resolved microsoftupdate.com to 127.0.0.1 to
    try to stop the DoS generated by Blaster.

    In that case you saw packets coming to your ppp0, tun0 or whatsoever
    coming from 127.0.0.1:80

    Ouz

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
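
Added example, not part of the original message: a Python triage pass over firewall log lines that flags loopback-sourced packets arriving on a non-loopback interface (the antispoofing case discussed above) and separates out the source-port-80 pattern Ouz describes. The log lines are constructed samples in Linux netfilter LOG format, and the label names are assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample lines in Linux netfilter LOG format (not from the post).
SAMPLE_LOG = """\
May 25 21:02:11 gw kernel: IN=ppp0 OUT= SRC=127.0.0.1 DST=203.0.113.7 PROTO=TCP SPT=80 DPT=1047
May 25 21:02:15 gw kernel: IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.1 PROTO=TCP SPT=45122 DPT=25
May 25 21:03:40 gw kernel: IN=tun0 OUT= SRC=127.0.0.1 DST=203.0.113.7 PROTO=TCP SPT=80 DPT=1922
May 25 21:04:02 gw kernel: IN=ppp0 OUT= SRC=198.51.100.23 DST=203.0.113.7 PROTO=TCP SPT=3310 DPT=445
May 25 21:05:19 gw kernel: IN=ppp0 OUT= SRC=127.0.0.1 DST=203.0.113.7 PROTO=UDP SPT=1026 DPT=137
"""

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def parse(line):
    """Return the KEY=value fields of one netfilter log line as a dict."""
    return dict(FIELD.findall(line))


def classify(line):
    """Label a log line by whether its source address is plausible for its interface."""
    fields = parse(line)
    try:
        src = ipaddress.ip_address(fields.get("SRC", ""))
    except ValueError:
        return "unparsed"
    iface = fields.get("IN", "")
    # 127/8 is only legitimate on the loopback interface itself.
    if src not in LOOPBACK or iface in ("", "lo"):
        return "ok"
    # The pattern from the message: 127.0.0.1:80 seen on ppp0, tun0, etc.
    if fields.get("PROTO") == "TCP" and fields.get("SPT") == "80":
        return "spoofed-loopback-port80"
    return "spoofed-loopback"


def summarize(log_text):
    """Count labels over a whole log so the port-80 share is visible at a glance."""
    counts = {}
    for line in log_text.splitlines():
        if line.strip():
            label = classify(line)
            counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for label, count in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{label}: {count}")
```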

