Re: BAD TRAFFIC 0 ttl

From: Jason Dixon (jasondixon@myrealbox.com)
Date: 08/23/02


From: Jason Dixon <jasondixon@myrealbox.com>
To: serengeti@firstlinux.net
Date: 23 Aug 2002 13:43:41 -0400

http://www.networkcomputing.com/906/906ws22.html

-Jason

On Fri, 2002-08-23 at 09:15, seren geti wrote:
> Hello all,
>
> I've had this same pattern of traffic appear inside my network on four different occasions and I've found no answer as to what it is, I'm hoping someone here has seen something similar.
>
> This always happens over the midnight hour. The only things that vary are the length of time and number of different destination IPs. The destinations are always #.0.1.15. The source is usually 218 or 65.0.1.0, but always #.0.1.0. The packet data is always the same.
>
> Samples follow. Any thoughts are greatly appreciated.
>
> Thanks!
>
> Aug 22 23:43:00 xxx snort[26915]: [1:1321:5] BAD TRAFFIC 0 ttl [Classification: Misc activity] [Priority: 3]: {IGP} 218.0.1.0 -> 14.0.1.15
> Aug 22 23:55:00 xxx snort[26915]: [1:1321:5] BAD TRAFFIC 0 ttl [Classification: Misc activity] [Priority: 3]: {IGP} 218.0.1.0 -> 8.0.1.15
> Aug 22 23:57:23 xxx snort[26915]: [1:1321:5] BAD TRAFFIC 0 ttl [Classification: Misc activity] [Priority: 3]: {SCC-SP} 135.222.10.2 -> 24.175.0.0
> Aug 22 23:58:47 xxx snort[26915]: [1:1321:5] BAD TRAFFIC 0 ttl [Classification: Misc activity] [Priority: 3]: {MERIT-INP} 183.144.10.2 -> 29.90.0.0
> Aug 23 00:06:04 xxx snort[26915]: [1:1321:5] BAD TRAFFIC 0 ttl [Classification: Misc activity] [Priority: 3]: {SEP} 65.0.1.0 -> 3.0.1.15
> Aug 23 00:07:00 xxx snort[26915]: [1:1321:5] BAD TRAFFIC 0 ttl [Classification: Misc activity] [Priority: 3]: {IGP} 218.0.1.0 -> 4.0.1.15
> Aug 23 00:30:00 xxx snort[26915]: [1:1321:5] BAD TRAFFIC 0 ttl [Classification: Misc activity] [Priority: 3]: {SEP} 65.0.1.0 -> 3.0.1.15
> Aug 23 00:31:00 xxx snort[26915]: [1:1321:5] BAD TRAFFIC 0 ttl [Classification: Misc activity] [Priority: 3]: {IGP} 218.0.1.0 -> 11.0.1.15
> Aug 23 00:42:01 xxx snort[26915]: [1:1321:5] BAD TRAFFIC 0 ttl [Classification: Misc activity] [Priority: 3]: {SEP} 65.0.1.0 -> 7.0.1.15
> Aug 23 00:43:01 xxx snort[26915]: [1:1321:5] BAD TRAFFIC 0 ttl [Classification: Misc activity] [Priority: 3]: {IGP} 218.0.1.0 -> 0.0.1.15
> Aug 23 00:54:02 xxx snort[26915]: [1:1321:5] BAD TRAFFIC 0 ttl [Classification: Misc activity] [Priority: 3]: {SEP} 65.0.1.0 -> 0.0.1.15
> Aug 23 00:55:00 xxx snort[26915]: [1:1321:5] BAD TRAFFIC 0 ttl [Classification: Misc activity] [Priority: 3]: {IGP} 218.0.1.0 -> 4.0.1.15
>
>
>
> [**] BAD TRAFFIC 0 ttl [**]
> 08/23-00:06:04.127670 65.0.1.0 -> 3.0.1.15
> SEP TTL:0 TOS:0x0 ID:64698 IpLen:20 DgmLen:229
> Frag Offset: 0x142 Frag Size: 0xD1
> 00 8A 00 8A 00 D1 14 2B 11 1A 9B D4 0A 02 18 20 .......+.......
> 00 8A 00 BB 00 00 20 45 48 45 4F 46 4A 45 4D 46 ...... EHEOFJEMF
> 49 43 41 43 41 43 41 43 41 43 41 43 41 43 41 43 ICACACACACACACAC
> 41 43 41 43 41 43 41 00 20 45 4E 45 44 45 4D 45 ACACACA. ENEDEME
> 45 46 46 46 44 45 42 43 41 43 41 43 41 43 41 43 EFFFDEBCACACACAC
> 41 43 41 43 41 43 41 42 4E 00 FF 53 4D 42 25 00 ACACACABN..SMB%.
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 11 00 00 21 00 00 .............!..
> 00 00 00 00 00 00 00 E8 03 00 00 00 00 00 00 00 ................
> 00 21 00 56 00 03 00 01 00 00 00 02 00 32 00 5C .!.V.........2.\
> 4D 41 49 4C 53 4C 4F 54 5C 42 52 4F 57 53 45 00 MAILSLOT\BROWSE.
> 01 00 80 FC 0A 00 47 4E 59 4C 58 00 00 00 00 00 ......GNYLX.....
> 00 00 00 00 00 00 04 00 03 10 00 00 0F 01 55 AA ..............U.
> 00 .
>
>
>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
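Added example, not part of the original thread: a small Python decoder for the packet dump quoted above, treating the bytes Snort printed as the payload as a UDP datagram carrying a NetBIOS datagram-service message and an SMB mailslot write. Field layouts follow the NetBIOS datagram (RFC 1002) and browser mailslot formats as I read them; the decoded values are my analysis, not anything either poster stated.

```python
import struct

# Packet bytes from the Snort dump quoted in the post, transcribed as hex; byte 0 reads as a UDP header.
PACKET_HEX = """
00 8A 00 8A 00 D1 14 2B 11 1A 9B D4 0A 02 18 20
00 8A 00 BB 00 00 20 45 48 45 4F 46 4A 45 4D 46
49 43 41 43 41 43 41 43 41 43 41 43 41 43 41 43
41 43 41 43 41 43 41 00 20 45 4E 45 44 45 4D 45
45 46 46 46 44 45 42 43 41 43 41 43 41 43 41 43
41 43 41 43 41 43 41 42 4E 00 FF 53 4D 42 25 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 11 00 00 21 00 00
00 00 00 00 00 00 00 E8 03 00 00 00 00 00 00 00
00 21 00 56 00 03 00 01 00 00 00 02 00 32 00 5C
4D 41 49 4C 53 4C 4F 54 5C 42 52 4F 57 53 45 00
01 00 80 FC 0A 00 47 4E 59 4C 58 00 00 00 00 00
00 00 00 00 00 00 04 00 03 10 00 00 0F 01 55 AA
00
"""
PACKET = bytes.fromhex(PACKET_HEX)

def decode_nb_name(encoded):
    """Undo NetBIOS first-level encoding: each nibble was sent as 'A' + nibble."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    # 15 space-padded name bytes, then a one-byte service suffix (0x20 server, 0x1D master browser, ...)
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]

def parse_netbios_datagram(pkt):
    """Parse UDP header, NetBIOS datagram-service header and SMB mailslot payload."""
    sport, dport, udp_len, _csum = struct.unpack(">HHHH", pkt[:8])
    msg_type, _flags, _dgm_id, src_ip, _nbport, _dlen, _off = struct.unpack(">BBH4sHHH", pkt[8:22])
    info = {
        "udp_ports": (sport, dport), "udp_len": udp_len,
        "nb_msg_type": msg_type, "nb_src_ip": ".".join(str(b) for b in src_ip),
        # Each encoded name is a 0x20 length byte, 32 encoded chars and a zero terminator.
        "src_name": decode_nb_name(pkt[23:55]),
        "dst_name": decode_nb_name(pkt[57:89]),
        "smb_command": pkt[94] if pkt[90:94] == b"\xffSMB" else None,
    }
    slot = b"\\MAILSLOT\\BROWSE\x00"
    idx = pkt.find(slot)
    if idx != -1:  # browser mailslot: opcode, update count, period (LE ms), 16-byte host name
        data = pkt[idx + len(slot):]
        info["browse_opcode"] = data[0]
        info["announce_period_ms"] = struct.unpack("<I", data[2:6])[0]
        info["announced_host"] = data[6:22].rstrip(b"\x00").decode("ascii")
    return info
```

Running this on the dump yields port 138 to 138, a NetBIOS source of 10.2.24.32 with encoded name GNYLX<20>, a destination name MCLDUSA<1D>, and a MAILSLOT\BROWSE opcode 1 (HostAnnouncement) naming GNYLX, none of which matches the addresses in the IP header Snort printed; checking what the flagged bytes actually carry is a cheap first step before treating a 0-TTL alert as hostile.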
