Ethereal-users: Re: [Ethereal-users] Covert Channel Detected?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: ronnie sahlberg <ronniesahlberg@xxxxxxxxx>
Date: Fri, 5 Nov 2004 21:09:21 +1100
Those packets are unlikely to be a threat to you, unless you first get infected.

I would say it is a management platform from an attacker that is
probing your hosts to see if they have a backdoor installed by a
trojan or something.

The packets themselves are unlikely to be dangerous to you, since they
are only fragments and you never receive all the fragments to complete
a full IP PDU.
Thus they will never even be delivered past the IP layer of your stack.
BUT IF your host has some trojan or something installed, it is
possible that that trojan could monitor the network and reply back to
these incomplete fragments.
I.e. a covert method to get only infected hosts to reply.


If I were you I would:
1. Block off the entire C-net where the probes come from.
2. IF you suddenly see any of your hosts sending something back to
that C-net, it is time to reinstall every machine on site from
scratch.
3. Report them to their provider.
4. Block off everything coming from Russia.

On Fri, 5 Nov 2004 01:48:59 -0800, Robinson, Eric <eric@xxxxxxxxx> wrote:
> Today I noticed that one of my DMZ servers is receiving Fragmented IP
> Protocol packets from a class C subnet in Russia (83.102.166.X). The packets
> arrive at intervals of approximately 1-30 seconds, each from a random
> address in the same subnet, and all carry 25 bytes of UDP payload. 
> 
> I cannot think of a reason that my server (used only for HTTP and DNS)
> should be receiving such packets. None of my other DMZ servers are seeing
> them. 
> 
> It occurs to my paranoid mind that this could be evidence of a covert
> channel Trojan trying to make contact with my server. If so, then my server is
> apparently ignoring it. At least, it does not send any packets back to the
> same subnet. However the packets (probes?) keep coming. 
> 
> Has anyone seen anything like this? I have attached a small trace. 
> 
> -- 
> Eric Robinson 
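The triage Ronnie describes (incomplete fragments never reassemble, so the only thing worth watching for is a host on your side answering the probing /24) can be turned into a small check over a packet summary. The following Python is an added example, not code from the thread or from the Ethereal project. It assumes a list of per-packet records of the kind you would export from a capture (source, destination, IP ID, fragment offset in bytes, more-fragments flag, payload length); the packets below are constructed for illustration and are not from Eric's attached trace. The probed network 83.102.166.0/24 comes from the original post; the DMZ server address 198.51.100.10 and the other addresses are placeholders.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import NamedTuple

# The /24 the probes came from, as reported in the original post.
PROBE_NET = ip_network("83.102.166.0/24")
# Placeholder for the DMZ server being probed (assumption, not from the post).
LOCAL_HOST = "198.51.100.10"


class Packet(NamedTuple):
    ts: float           # capture timestamp, seconds
    src: str
    dst: str
    proto: int          # IP protocol number (17 = UDP, 6 = TCP)
    ip_id: int          # IP identification field, shared by all fragments of one datagram
    offset: int         # fragment offset in bytes (header field * 8)
    more_fragments: bool
    length: int         # bytes of IP payload carried by this fragment


# Constructed sample traffic, not from the attached trace.
SAMPLE = [
    # Probe: a first fragment with MF set; the rest of the datagram never arrives.
    Packet(0.0,  "83.102.166.17",  LOCAL_HOST, 17, 0x1a2b, 0,    True,  24),
    # Legitimate fragmented DNS reply: both fragments present, so it reassembles.
    Packet(1.2,  "192.0.2.53",     LOCAL_HOST, 17, 0x0042, 0,    True,  1480),
    Packet(1.2,  "192.0.2.53",     LOCAL_HOST, 17, 0x0042, 1480, False, 100),
    # Another probe, different address in the same /24, again only a first fragment.
    Packet(17.5, "83.102.166.201", LOCAL_HOST, 17, 0x77aa, 0,    True,  24),
    # Ordinary unfragmented HTTP request: offset 0 and MF clear.
    Packet(20.0, "203.0.113.9",    LOCAL_HOST, 6,  0x0100, 0,    False, 60),
    # The case Ronnie says to watch for: our server answers the probing subnet.
    Packet(21.0, LOCAL_HOST,       "83.102.166.17", 17, 0x0200, 0, False, 40),
]


def is_complete(frags):
    """True if the fragments cover offset 0 onward with no hole and include a last fragment."""
    frags = sorted(frags, key=lambda f: f.offset)
    if not frags or frags[0].offset != 0:
        return False
    covered = 0
    for f in frags:
        if f.offset > covered:          # a hole: the stack cannot reassemble this
            return False
        covered = max(covered, f.offset + f.length)   # overlaps are tolerated here
    return not frags[-1].more_fragments


def incomplete_datagrams(packets):
    """Keys (src, dst, proto, ip_id) of fragmented datagrams that never reassemble.

    These never reach the transport layer; only a sniffer on the host could react to them.
    """
    groups = defaultdict(list)
    for p in packets:
        if p.more_fragments or p.offset > 0:   # ignore unfragmented packets
            groups[(p.src, p.dst, p.proto, p.ip_id)].append(p)
    return {key for key, frags in groups.items() if not is_complete(frags)}


def probe_sources(packets, net):
    """Distinct source addresses inside the suspect network."""
    return sorted({p.src for p in packets if ip_address(p.src) in net})


def outbound_to(packets, local, net):
    """Packets our host sent into the suspect network: the 'reinstall' trigger."""
    return [p for p in packets if p.src == local and ip_address(p.dst) in net]


if __name__ == "__main__":
    for key in sorted(incomplete_datagrams(SAMPLE)):
        print("incomplete fragment set:", key)
    print("probe sources:", probe_sources(SAMPLE, PROBE_NET))
    for p in outbound_to(SAMPLE, LOCAL_HOST, PROBE_NET):
        print("ALERT: %s replied to %s at t=%.1f" % (p.src, p.dst, p.ts))
```

Run against a real export, the interesting output is the last loop: any packet from the DMZ server into the probing /24 is exactly the signal Ronnie's step 2 keys on, while the incomplete fragment sets are expected noise as long as nothing answers them.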