Re: Strange outgoing packets ...

From: Mobius (Mobius@PlaneofChaos.net)
Date: 01/30/03

  • Next message: Flory D Jeffrey Contractor 59MDSS/MSISI: "secure vpn or telnet sessions" 
    Date: Wed, 29 Jan 2003 19:41:26 -0500
To: Daniel Nyström <exce@netwinder.nu>
From: Mobius <Mobius@PlaneofChaos.net>

    Check the IP address that these packets have been going to. See if its
    some sort of porno site, or someone's personal machine. You could well be
    "0wned" but its too early to make that assumption.

    If it IS going to a porno site, then check to see if you have any strange
    software on your machine, anything that could be designed to find and
    download porn. It happens from time to time, especially if anyone else
    uses your machine. Also, have you checked for Virii/Trojans since you saw
    that?

    At 11:04 AM 1/29/2003, Daniel Nyström wrote:
    >Hello!
    >
    >Fired up tcpdump the other day and caught this coming out of my Debian 3.0
    >box... Looked around a little bit and saw that other people had the same
    >packets coming out of their boxxes as well.. allrighty then, I thought..
    >until I decided to check the packet out a little bit more.. and this is
    >what I got:
    >
    >17:14:22.308564 <MYSERVERIP>.1985 > ALL-ROUTERS.MCAST.NET.1985: udp 20
    >[tos 0xc0]
    >0x0000 45c0 0030 0000 0000 0211 4005 d572 c283 E..0......@..r..
    >0x0010 e000 0002 07c1 07c1 001c 425c 0000 0803 ..........B\....
    >0x0020 0a62 0100 7030 726e 7374 3472 d572 c281 .b..p0rnst4r.r..
    >
    >Seems kinda trange that the word "p0rnst4r" is in that packet... Doesn't it?
    >
    >Anyone experienced this before? Or am I totally 0wned :)
    >
    >/Daniel Nyström

    Relevant Pages

    • Re: Strange outgoing packets ...
      ... The word "p0rnst4r" is the passphrase used to authenticate members of the ... Check the IP address that these packets have been going to. ... If it IS going to a porno site, then check to see if you have any strange software on your machine, anything that could be designed to find and download porn. ... At 11:04 AM 1/29/2003, Daniel Nyström wrote:>Hello! ...
      (Security-Basics)
    • Re: Yet another thread on the legality of port scanning
      ... Which portthe packets are sent to is ... If I do a "nice", normal portscan on a host - via TCP, UDP or ICMP I am ... This sort of behavior is ... If I try to flood your host with abnormally LARGE ICMP packets endlessly ...
      (Security-Basics)
    • Re: Lot of traffic with source port TCP/84
      ... The packets are small ... index the stats pages. ... the paylod is almost always a string of NULL's:-/ ... I'm thinking a string of NULL's coould be some sort of buffer overflow ...
      (comp.os.linux.security)
    • Re: MTU question
      ... comp.protocols.ppp about an email or networking problem? ... Some hints about what sort of computer you're using, ... Some sites have intentional size limits on email messages. ... more packets in and out, not even a ping -- then it's possibly ...
      (comp.protocols.ppp)
    • RE: device polling takes more CPU hits??
      ... what sort of testing did you do to ... >> settings? ... > size (which basically amortizes some CPU costs) has little if any ... to the CPU for small packets. ...
      (freebsd-net)