[unisog] private IP's and tcp 42999
fportnoy at mail.plymouth.edu
Mon May 10 15:40:44 GMT 2004
I've confirmed with the Sniffer on the home LAN of "localhostaddress" that
the destination mac address of the first packet is that of
"localhostaddress" and it's also the source mac address of the second
From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org]
On Behalf Of Russell Fulton
Sent: Saturday, May 08, 2004 8:21 PM
To: UNIversity Security Operations Group
Subject: Re: [unisog] private IP's and tcp 42999
On Sun, 2004-05-09 at 01:47, Fred Portnoy wrote:
> I'm still working on details here but has anyone seen a sequence like
> this which I have captured from the inside interface of our firewall; the
> first packet is allowed through the firewall inbound, the second with
> a foreign source address and a disallowed destination address will be
> stopped outbound when it reaches the firewall;
Ummm... do you have information about the direction of the packets (incoming
or outgoing)? I don't see how both of these packets can be going in the
same direction so I assume that the first is incoming and the second is
outgoing. If this is the case I can't imagine what its
the short answer to your first question is "No" ;) but it certainly is
intriguing, it looks as if the packet has been redirected to 192.168.0.2.
> is "localhostaddress.edu" infected with
> something known?
or possibly misconfigured or just buggy?
Russell Fulton /~\ The ASCII
Network Security Officer \ / Ribbon Campaign
The University of Auckland X Against HTML
New Zealand / \ Email!