Port 1985 is used by Cisco routers for their HSRP High availability implementation. The word "p0rnst4r" is the passphrase used to authenticate members of the Failover group to each other.

Regards.
Barry

--
Barry Irwin [EMAIL PROTECTED] Tel: +27214875178
Systems Administrator: Networks And Security
iTouch TAS http://www.itouchlabs.com Mobile: +27824457210

----- Original Message -----
From: "Mobius" <[EMAIL PROTECTED]>
To: "Daniel Nyström" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, January 30, 2003 2:41 AM
Subject: Re: Strange outgoing packets ...

Check the IP address that these packets have been going to. See if it's some sort of porno site, or someone's personal machine. You could well be "0wned" but it's too early to make that assumption. If it IS going to a porno site, then check to see if you have any strange software on your machine, anything that could be designed to find and download porn. It happens from time to time, especially if anyone else uses your machine. Also, have you checked for Virii/Trojans since you saw that?

At 11:04 AM 1/29/2003, Daniel Nyström wrote:
>Hello!
>
>Fired up tcpdump the other day and caught this coming out of my Debian 3.0
>box... Looked around a little bit and saw that other people had the same
>packets coming out of their boxxes as well.. allrighty then, I thought..
>until I decided to check the packet out a little bit more.. and this is
>what I got:
>
>17:14:22.308564 <MYSERVERIP>.1985 > ALL-ROUTERS.MCAST.NET.1985: udp 20
>[tos 0xc0]
>0x0000 45c0 0030 0000 0000 0211 4005 d572 c283 E..0......@..r..
>0x0010 e000 0002 07c1 07c1 001c 425c 0000 0803 ..........B\....
>0x0020 0a62 0100 7030 726e 7374 3472 d572 c281 .b..p0rnst4r.r..
>
>Seems kinda strange that the word "p0rnst4r" is in that packet... Doesn't it?
>
>Anyone experienced this before? Or am I totally 0wned :)
>
>/Daniel Nyström
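
Added example, not part of the original thread or written by any of its participants: a decoder for the 48 bytes in the quoted tcpdump hex dump, showing where the clear-text authentication string sits inside the HSRP Hello. It assumes the HSRP version 0 field layout from RFC 2281; the function name parse_hsrp and the dictionary keys are chosen here for illustration.

```python
import ipaddress
import struct

# Bytes copied from the tcpdump hex dump quoted in the thread (IPv4 header onward).
PACKET = bytes.fromhex(
    "45c0 0030 0000 0000 0211 4005 d572 c283"
    "e000 0002 07c1 07c1 001c 425c 0000 0803"
    "0a62 0100 7030 726e 7374 3472 d572 c281"
)

# Opcode and state values as defined for HSRP version 0 in RFC 2281.
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}


def parse_hsrp(packet: bytes) -> dict:
    """Decode an IPv4/UDP packet that carries a 20-byte HSRP version 0 message."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 17:
        raise ValueError("not an IPv4/UDP packet")
    ihl = (packet[0] & 0x0F) * 4  # IPv4 header length in bytes
    if len(packet) < ihl + 8:
        raise ValueError("truncated UDP header")
    sport, dport, udp_len, _csum = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    payload = packet[ihl + 8:ihl + udp_len]
    if dport != 1985 or len(payload) < 20:
        raise ValueError("not an HSRP message")
    ver, op, state, hello, hold, prio, group, _rsvd, auth, vip = struct.unpack(
        "!8B8s4s", payload[:20])
    return {
        "src": str(ipaddress.IPv4Address(packet[12:16])),
        "dst": str(ipaddress.IPv4Address(packet[16:20])),
        "version": ver,
        "opcode": OPCODES.get(op, f"unknown({op})"),
        "state": STATES.get(state, f"unknown({state})"),
        "hellotime": hello,
        "holdtime": hold,
        "priority": prio,
        "group": group,
        # The 8-byte authentication field travels in clear text, NUL-padded.
        "auth": auth.rstrip(b"\x00").decode("ascii", "replace"),
        "virtual_ip": str(ipaddress.IPv4Address(vip)),
    }


if __name__ == "__main__":
    for field, value in parse_hsrp(PACKET).items():
        print(f"{field:>10}: {value}")
```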