Hi

Thanks very much. The probably hacked Windows 2000 servers have nothing to do with Debian though. I first thought of a false Snort alarm of the Debian box I am using as a NIDS. Goosh... Windoze is evil though...

Marcel

[EMAIL PROTECTED] wrote:
|>Today I had a whole bunch of large ICMP packages on the company's LAN (about 20).
|>Interesting is, that they came mostly from the Windows 2000 Servers. I
|>discovered the first of these packages 2 or 3 weeks ago.
|>These packets are long (2090 Bytes) and not filled with nulls, but with
|>more or less weird content. They have no "Don't fragment" flags set, so I
|>wonder where they come from and what they are good for.
|>Has anybody seen such packets yet? (See attachment)
|
| Looking at your packet --
|
|>0000 00 e0 7d 8a 07 11 00 a0 c9 af bb 7f 08 00 45 00 ..}...........E.
|>0010 08 1c ff d7 00 00 80 01 e8 aa c0 a8 64 1e c0 a8 ............d...
|>0020 64 ef 00 00 bd d5 02 00 04 00 ff d8 ff fe 00 08 d...............
|>0030 57 41 4e 47 32 02 ff e0 00 10 4a 46 49 46 00 01 WANG2.....JFIF..
|>0040 01 01 00 60 00 60 00 00 ff db 00 43 00 10 0b 0c ...`.`.....C....
|>0050 0e 0c 0a 10 0e 0d 0e 12 11 10 13 18 28 1a 18 16 ............(...
|>0060 16 18 31 23 25 1d 28 3a 33 3d 3c 39 33 38 37 40 ..1#%.(:3=<9387@
|>0070 48 5c 4e 40 44 57 45 37 38 50 6d 51 57 5f 62 67 H\N@DWE78PmQW_bg
|
| [...cut...]
|
|>07f0 a7 fe 8c 6a cd f1 35 9d ee 91 af 47 e2 4d 36 06 ...j..5....G.M6.
|>0800 99 16 32 2f 23 0c 46 54 60 64 f3 9e 98 e8 30 36 ..2/#.FT`d....06
|>0810 64 d0 04 77 7e 35 3a bd ac 96 3e 1f b1 bc 92 f6 d..w~5:...>.....
|>0820 61 b0 33 28 5f 2d 4f 05 b2 ac a.3(_-O...
|
| This looks like a JPG picture!
| -- I cut out the data from this packet-dump into a file --
| STARTING from location 0034 -- starting from the "2" after "WANG" --
| so file starts with [32 02 ff e0 00 10 4a 46 49 46] ("2.....JFIF") --
| up to the end of the packet....
| all looks very like a JPG file -- except it starts with [32 02] --
| I replaced the first 2 bytes in the file with [FF D8] (correct start of
| JPG file) -- this JPG displays -- appears to be an incomplete JPG of the
| 3vil word "Microsoft" -- except some of the jpg cut-off/not-shown (may
| not display in some jpg-viewers therefore).
|
| Hang on.. surely this message is off-topic -- what does this have to do
| with debian-linux ??
|
| Heh.. This is the first time I've posted to a mailing list actually.. thinking
| about it =).
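As an added example (not code from the thread), here is a small Python parser that rebuilds the frame from the quoted hex-dump rows, decodes the Ethernet, IPv4 and ICMP headers, and inspects the ICMP payload for JPEG structure, which is the check a triage script or NIDS plugin would run to flag image data riding inside ping traffic. It uses the first five dump rows from the mail; on those bytes it reports the source and destination addresses, the absent DF flag, and a JPEG start-of-image marker at payload offset 0 followed by a COM segment holding "WANG2" and the JFIF APP0 segment.

```python
import re
import struct

# Packet dump quoted in the thread (first five rows; the mail cut the rest).
DUMP = """\
0000 00 e0 7d 8a 07 11 00 a0 c9 af bb 7f 08 00 45 00 ..}...........E.
0010 08 1c ff d7 00 00 80 01 e8 aa c0 a8 64 1e c0 a8 ............d...
0020 64 ef 00 00 bd d5 02 00 04 00 ff d8 ff fe 00 08 d...............
0030 57 41 4e 47 32 02 ff e0 00 10 4a 46 49 46 00 01 WANG2.....JFIF..
0040 01 01 00 60 00 60 00 00 ff db 00 43 00 10 0b 0c ...`.`.....C....
"""

def parse_dump(text):
    """Rebuild the raw frame from 'offset  hex bytes  ascii' rows."""
    frame = bytearray()
    for line in text.splitlines():
        for tok in line.split()[1:17]:        # skip the offset; at most 16 bytes per row
            if not re.fullmatch(r"[0-9a-fA-F]{2}", tok):
                break                         # reached the ASCII column of a short row
            frame.append(int(tok, 16))
    return bytes(frame)

def jpeg_segments(data):
    """Walk marker segments after SOI; stops at SOS, at truncation or at non-marker bytes."""
    segs, pos = [], 2                         # skip the FF D8 SOI marker
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker, length = data[pos + 1], struct.unpack("!H", data[pos + 2:pos + 4])[0]
        segs.append((marker, data[pos + 4:pos + 2 + length]))
        if marker == 0xDA:                    # SOS: entropy-coded image data follows
            break
        pos += 2 + length
    return segs

def analyse_frame(frame):
    """Decode Ethernet/IPv4/ICMP headers and report whether the ICMP payload carries a JPEG."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None                           # not IPv4
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, _ident, frag, ttl, proto = struct.unpack("!HHHBB", ip[2:10])
    if proto != 1:
        return None                           # not ICMP
    itype, code, _csum, ident, seq = struct.unpack("!BBHHH", ip[ihl:ihl + 8])
    payload = ip[ihl + 8:]
    soi = payload.find(b"\xff\xd8")           # JPEG start-of-image marker, -1 if absent
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "ip_total_len": total_len, "ttl": ttl, "dont_fragment": bool(frag & 0x4000),
            "icmp_type": itype, "icmp_code": code, "icmp_id": ident, "icmp_seq": seq,
            "jpeg_offset_in_payload": soi, "jfif": b"JFIF\x00" in payload,
            "segments": jpeg_segments(payload[soi:]) if soi >= 0 else []}
```

Because the dump is cut, the last segment (DQT, marker 0xDB) comes back truncated; on a full capture the walk would continue up to the SOS marker.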