With it corresponding to network disruptions, similar IPs on your net and conversations looking normal otherwise, have you considered it a router/switch corrupting packets? Or even a bad NIC in a machine?
-B

On 2/9/06, David Gillett <[EMAIL PROTECTED]> wrote:
> Does anybody know of anything (malware, hackware, other?) that
> would cause a machine to put out traffic with the first octet of
> the destination address (re)set to ZERO?
>
> The traffic I saw all was headed for port 443, and wasn't
> decipherable. The variation in packet size looked like a real
> conversation, although return packets (if any) weren't passing
> my sniffer. The destination addresses, sans the bogus first octet,
> looked like addresses of a couple of real internal servers (source
> address was internal) -- which, however, do not have HTTPS service
> active.
>
> [This traffic correlated with various intermittent disruptions of
> our network, which stopped when the source machine dropped off the
> network. It later reappeared -- and so did a brief disruption --
> long enough for me to pinpoint and ban it.]
>
> David Gillett
