RE: Bizarre traffic

---

• From: "David Gillett" <gillettdavid@xxxxxxxx>
• Date: Mon, 27 Feb 2006 16:20:24 -0800

---

There is progress. The suspect traffic turns out to be *from*
port 443, not to it as I had erroneously believed my sniffer to
be indicating.
I've also now captured the bogie responding to ARP requests
for the servers in question -- this looks close enough to how
Ettercap behaves that I'm now treating it as that.

The disruption is occurring because, have ARP-poisoned traffic
into coming to its port, the bogie is forwarding it via a local
broadcast. Except this is on a large VLAN, and that broadcast
traffic is flooding the whole network....

NOW, all I have to do is catch the %$@$ machine. I had black-
holed the MAC address at the switch where the traffic first
appeared, but today it was back from somewhere else.

David Gillett

-----Original Message-----
From: David Gillett [mailto:gillettdavid@xxxxxxxx]
Sent: Thursday, February 09, 2006 9:57 AM
To: incidents@xxxxxxxxxxxxxxxxx
Subject: Bizarre traffic

Does anybody know of anything (malware, hackware, other?)
that would cause a machine to put out traffic with the first
octet of the destination address (re)set to ZERO?

The traffic I saw all was headed for port 443, and wasn't
decipherable. The variation in packet size looked like a
real conversation, although return packets (if any) weren't
passing my sniffer. The destination addresses, sans the
bogus first octet, looked like addresses of a couple of real
internal servers (source address was internal) -- which,
however, do not have HTTPS service active.

[This traffic correlated with various intermittent
disruptions of our network, which stopped when the source
machine dropped off the network. It later reappeared -- and
so did a brief disruption -- long enough for me to pinpoint
and ban it.]

David Gillett

---

• References:
  • Bizarre traffic
    • From: David Gillett

• Prev by Date: Re: R: How to determine which PHP-script allows spamming?
• Next by Date: Strange Traffic to ports 139 and 137 from a machine with no data
• Previous by thread: RE: Bizarre traffic
• Next by thread: Re: RE: Bizarre traffic
• Index(es):
  • Date
  • Thread

---

Relevant Pages RE: Outgoing Port Check ... run nmap on the inside. ... One the sniffer, limit the sniffing to the host ... Subject: Outgoing Port Check ... Cenzic Hailstorm finds vulnerabilities fast. ... (Pen-Test) Re: xmlrpc problems ... When I run your server and client I ... for "sniffer.connect" returns a Sniffer object, ... @port = port ... (comp.lang.ruby) ftp was hacked ... a sniffer and a port scanner on my machine. ... port scans coming from my machine and wanted to know what was going on. ... A few days later I wanted to install a later version of hdparm. ... (comp.os.linux.security) RE: sniffer in promiscuous mode ... Are you in a switched environment? ... traffic from one port to another) so the port with the sniffer gets copies ... Subject: sniffer in promiscuous mode ... Is there something else I have to do to capture TCP packets? ... (Security-Basics) Re: [opensuse] replaying a recorded network sniff ... Using a sniffer to record network traffic from a specific computer on the lan. ... I need to reconstruct a playable file from the streamed webcam. ... there may be a "mirror" port that can be configured to ... (SuSE)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(11)