Re: mystery martian source from 127.0.0.1 - more details



EricT wrote:
>
> Frame 1 (60 bytes on wire, 60 bytes captured)
> Arrival Time: Dec 8, 2005 22:33:57.-11226009
> Time delta from previous packet: 0.000000000 seconds
> Time since reference or first frame: 0.000000000 seconds
> Frame Number: 1
> Packet Length: 60 bytes
> Capture Length: 60 bytes
> Protocols in frame: eth:ip:tcp
> Ethernet II, Src: Cisco_8d:98:70 (00:09:7b:8d:98:70), Dst: 3com_48:2c:65
> (00:01:03:48:2c:65)
> Destination: 3com_48:2c:65 (00:01:03:48:2c:65)
> Source: Cisco_8d:98:70 (00:09:7b:8d:98:70)
> Type: IP (0x0800)
> Trailer: 000000000000
> Internet Protocol, Src: 127.0.0.1 (127.0.0.1), Dst: 80.219.238.182
> (80.219.238.182)
> Version: 4
> Header length: 20 bytes
> Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
> 0000 00.. = Differentiated Services Codepoint: Default (0x00)
> .... ..0. = ECN-Capable Transport (ECT): 0
> .... ...0 = ECN-CE: 0
> Total Length: 40
> Identification: 0x25b1 (9649)
> Flags: 0x00
> 0... = Reserved bit: Not set
> .0.. = Don't fragment: Not set
> ..0. = More fragments: Not set
> Fragment offset: 0
> Time to live: 126
> Protocol: TCP (0x06)
> Header checksum: 0x5d81 [correct]
> Good: True
> Bad : False
> Source: 127.0.0.1 (127.0.0.1)
> Destination: 80.219.238.182 (80.219.238.182)
> Transmission Control Protocol, Src Port: http (80), Dst Port:
> eicon-server (1438), Seq: 0, Ack: 0, Len: 0
> Source port: http (80)
> Destination port: eicon-server (1438)
> Sequence number: 0 (relative sequence number)
> Acknowledgement number: 0 (relative ack number)
> Header length: 20 bytes
> Flags: 0x0014 (RST, ACK)
> 0... .... = Congestion Window Reduced (CWR): Not set
> .0.. .... = ECN-Echo: Not set
> ..0. .... = Urgent: Not set
> ...1 .... = Acknowledgment: Set
> .... 0... = Push: Not set
> .... .1.. = Reset: Set
> .... ..0. = Syn: Not set
> .... ...0 = Fin: Not set
> Window size: 0
> Checksum: 0x796e [correct]
>
> ...

I've seen lots of poorly-configured BMC Patrol agents send crap with
source addresses 127.0.0.1 out non-lo interfaces. Since the R flag is
set here and since there's no data, I doubt it's an attack. Somebody
close to you (i.e., in your neighborhood and on the same cable system)
probably just has a stupidly-configured web server on their host or a
stupidly-configured NAT behind their cable modem.

The more interesting question is HOW they got YOUR address. Have you
been sweeping the neighborhood looking for web servers (maybe without
knowing it)?
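The reasoning in the reply can be turned into a small triage check. Added example (not EricT's capture tooling or anyone else's code from this thread): the frame bytes are constructed here to reproduce the quoted dissection, only the loopback range 127.0.0.0/8 is treated as martian (an assumption; extend the list as needed), and the IP checksum is not validated.

```python
import ipaddress
import struct

# Constructed 60-byte frame rebuilt from the dissection quoted above:
# Ethernet dst 00:01:03:48:2c:65, src 00:09:7b:8d:98:70, type 0x0800
# IPv4 127.0.0.1 -> 80.219.238.182, id 0x25b1, TTL 126, proto TCP
# TCP 80 -> 1438, flags RST|ACK, window 0, no payload, 6-byte trailer
FRAME = bytes.fromhex(
    "000103482c65" "00097b8d9870" "0800"
    "4500" "0028" "25b1" "0000" "7e06" "5d81" "7f000001" "50dbeeb6"
    "0050" "059e" "00000000" "00000000" "50" "14" "0000" "796e" "0000"
    "000000000000"
)

# Source ranges that must never appear on a non-loopback interface (assumed list).
MARTIAN_NETS = [ipaddress.ip_network("127.0.0.0/8")]

TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
                 "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def parse_frame(frame):
    """Decode Ethernet II + IPv4 + TCP just far enough to classify the packet."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    ttl, proto = ip[8], ip[9]
    if proto != 6:
        raise ValueError("not TCP")
    src = ipaddress.ip_address(ip[12:16])
    dst = ipaddress.ip_address(ip[16:20])
    tcp = ip[ihl:total_len]            # total_len excludes the Ethernet trailer
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    flags = {name for name, bit in TCP_FLAG_BITS.items() if tcp[13] & bit}
    return {"src": src, "dst": dst, "ttl": ttl, "sport": sport, "dport": dport,
            "flags": flags, "payload_len": len(tcp) - data_off}


def classify(pkt):
    """Martian source plus a bare RST/ACK and no data: misconfig noise, not an attack."""
    if not any(pkt["src"] in net for net in MARTIAN_NETS):
        return "normal"
    if pkt["flags"] == {"RST", "ACK"} and pkt["payload_len"] == 0:
        return "martian-rst-noise"     # stateless reset from a misconfigured host or NAT
    return "martian-investigate"       # SYN or payload from a loopback source: look closer
```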