Isn't there a new Trojan that's using ICMP to send back its pilfered data? It's encrypted (if I remember correctly) so no clear-text reading of what's sent and that may explain why you're seeing the random data.
The padding of the same characters in individual packets may designate start/stop points in the transmission segments. Just my $.02...

Brandon

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adriel T. Desautels
Sent: Wednesday, August 16, 2006 10:30 AM
To: Adriel T. Desautels
Cc: [email protected]; [EMAIL PROTECTED]
Subject: Re: [Full-disclosure] Re: ICMP DestinationUnreachable Port Unreachable

Also, I failed to mention that they came in bursts of 3 every 5 minutes on the dot.

Adriel T. Desautels wrote:
> Well,
> After over 100,000 alerts each with very different payloads the
> traffic stopped. I do have a list of all of the dropped packets from my
> firewall as well and it appears that it was hitting 3 IP addresses which
> are public facing, not just one. The weird part is that two of those
> three aren't even live. So I think that this may have been noise from a
> different attack...
>
> I'd be very interested in decoding the payloads for some of these.
> Anyone here have any tools to do such a decode? I'd rather not do it
> manually if at all possible.
>
> [EMAIL PROTECTED] wrote:
>
>> On Wed, 16 Aug 2006 12:33:13 BST, Barrie Dempster said:
>>
>>> Although the port 0 in this case is a red herring and irrelevant. Port 0
>>> itself when used with TCP/UDP (not ICMP!) can actually be used on the
>>> Internet. A while back I modified netcat and my linux kernel so that it would
>>> allow usage of port 0 and was able to connect to a remote machine via TCP
>>> with that port and communicate fine.
>>
>> Of course, the poor security geek who sees a TCP SYN from port 0 to port 0,
>> and then a SYN+ACK reply back, will be going WTF??!? for the rest of the day. :)
>>
>> (Another good one to induce head-scratching is anything that does
>> RFC1644-style T/TCP. Anytime you see a packet go by in one direction with
>> SYN/FIN *and* data, and the reply has SYN/ACK/FIN and data.. ;)
>> data on it... ;)
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>

--
Regards,
Adriel T. Desautels
SNOsoft Research Team
Office: 617-924-4510 || Mobile : 857-636-8882
----------------------------------------------
Vulnerability Research and Exploit Development
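An added triage sketch from the defender's side, not code from the thread or any of its posters: it scores the indicators the posters mention (random-looking payloads, runs of identical padding bytes, bursts of 3 every 5 minutes) over ICMP type 3 / code 3 (port unreachable) records and flags a source only when two of the three coincide, so an ordinary quoted IP/UDP header does not trip it. The record layout `(epoch seconds, source IP, ICMP type, ICMP code, payload bytes)`, the thresholds, and the sample packets are all constructed for this example.

```python
import math
from collections import Counter, defaultdict

def shannon_entropy(data: bytes) -> float:
    # Bits per byte; a genuine ICMP error quotes an IP/UDP header and scores low.
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def longest_run(data: bytes) -> int:
    # Longest run of one repeated byte: the "padding" noted in the thread.
    best, cur, prev = 0, 0, None
    for b in data:
        cur = cur + 1 if b == prev else 1
        prev, best = b, max(best, cur)
    return best

def periodic_bursts(times, burst=3, period=300, slack=5):
    # True if packets arrive in groups of `burst`, successive groups `period` s apart.
    groups = []
    for t in sorted(times):
        if groups and t - groups[-1][0] <= slack:
            groups[-1].append(t)
        else:
            groups.append([t])
    if len(groups) < 2 or any(len(g) != burst for g in groups):
        return False
    return all(abs(b[0] - a[0] - period) <= slack for a, b in zip(groups, groups[1:]))

def flag_covert_icmp(packets, min_entropy=4.5, min_run=8):
    # Examine only type 3 / code 3 packets; flag a source on two of three indicators.
    by_src = defaultdict(list)
    for ts, src, itype, code, payload in packets:
        if (itype, code) == (3, 3):
            by_src[src].append((ts, payload))
    flagged = {}
    for src, pk in by_src.items():
        payloads = [p for _, p in pk]
        checks = {
            "high-entropy payload": sum(map(shannon_entropy, payloads)) / len(payloads) >= min_entropy,
            "repeated padding bytes": min(map(longest_run, payloads)) >= min_run,
            "periodic bursts": periodic_bursts([t for t, _ in pk]),
        }
        reasons = [name for name, hit in checks.items() if hit]
        if len(reasons) >= 2:
            flagged[src] = reasons
    return flagged
def _suspect(i):  # constructed payload: 8 pad bytes, 48 scrambled bytes, 8 pad bytes
    return b"A" * 8 + bytes((j * 73 + i * 31 + 17) % 256 for j in range(48)) + b"A" * 8
# Constructed sample: three bursts of three, 300 s apart, plus one ordinary error.
SAMPLE = [(300 * k + n, "198.51.100.7", 3, 3, _suspect(3 * k + n)) for k in range(3) for n in range(3)]
SAMPLE.append((40, "203.0.113.5", 3, 3, b"\x45\x00\x00\x3c\x1c\x46\x40\x00\x40\x11\xb1\xe6\xc0\xa8\x00\x01"
               b"\xc0\xa8\x00\x02\x9c\x40\x00\x35\x00\x28\x00\x00"))
```

Running `flag_covert_icmp(SAMPLE)` reports only the bursting host, with all three reasons; the second host's single quoted header scores low on entropy and has no long padding run.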
