[unisog] private IP's and tcp 42999

Fred Portnoy fportnoy at mail.plymouth.edu
Mon May 10 15:40:44 GMT 2004


I've confirmed with the Sniffer on the home LAN of "localhostaddress" that
the destination mac address of the first packet is that of
"localhostaddress" and it's also the source mac address of the second
packet.

-fp

-----Original Message-----
From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org]
On Behalf Of Russell Fulton
Sent: Saturday, May 08, 2004 8:21 PM
To: UNIversity Security Operations Group
Subject: Re: [unisog] private IP's and tcp 42999


On Sun, 2004-05-09 at 01:47, Fred Portnoy wrote:
> I'm still working on details here but has anyone seen a sequence like 
> this which I have captured from the inside interface of our firewall; the 
> first packet is allowed through the firewall inbound, the second with 
> a foreign source address and a disallowed destination address will be 
> stopped outbound when it reaches the firewall;

Ummm... do you have information about the direction of the packets (incoming
or outgoing)?  I don't see how both of these packets can be going in the
same direction so I assume that the first is incoming and the second is
outgoing.  If this is the case I can't imagine what its purpose is.

The short answer to your first question is "No" ;) but it certainly is
intriguing, it looks as if the packet has been redirected to 192.168.0.2. 

>  is "localhostaddress.edu" infected with
> something known?

or possibly misconfigured or just buggy? 

-- 
Russell Fulton                                    /~\  The ASCII
Network Security Officer                          \ /  Ribbon Campaign
The University of Auckland                         X   Against HTML
New Zealand                                       / \  Email!


_______________________________________________
unisog mailing list
unisog at lists.sans.org http://www.dshield.org/mailman/listinfo/unisog



