Hosting Provided By

Re: strange cmd.exe access

From: <Valdis.Kletnieks(at)vt.edu>
Date: Fri May 30 2003 - 18:43:44 EDT

On Fri, 30 May 2003 18:13:11 EDT, Jeff Adams <JAdams@NetCentrics.com> said:
>
> > what is strange is that the cmd.exe / root.exe stuff is half way

You know, it *IS* possible for a router to accidentally mangle the destination IP address undetected - the checksum on the IP header isn't foolproof. So suddenly the packet is headed off to some new address with one or two bits different. Instead of heading to 64.119.12.9, it's now heading to 192.119.12.9. Whoops. ;)

Usually, this isn't a problem, because the following will happen:

The erroneous destination box throws an RST packet back because it's never heard of the connection. 1a) The original source deep-sixes the RST because it's from a host it's not talking to.
The original source doesn't get an ACK, and retransmits, and all is fine.

Not saying this *IS* the explanation, and it probably isn't if OTHER people are seeing 'second packets only' symptoms - but I *have* seen this sort of thing in production (fortunately, it was a bad memory card on a router giving us a steady/intermittent stream of bogon packets so we could backtrace).

application/pgp-signature attachment: stored

Received on Mon Jun 2 00:59:46 2003

This message: [ Message body ]
Next message: morning_wood: "Re: A question for the list..."
Previous message: H Carvey: "Re: strange cmd.exe access"
In reply to Jeff Adams: "RE: strange cmd.exe access"
Next in thread: Frank Knobbe: "RE: strange cmd.exe access"
Reply: Frank Knobbe: "RE: strange cmd.exe access"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:06 EDT

Do you need help?