
RE: strange logs -- tcp port 16166

From: James C. Slora, Jr. <Jim.Slora(at)phra.com>
Date: Wed Jun 25 2003 - 12:20:12 EDT


Both sets of logs (Jerry Shenk and Jiang Peng) look very similar to the traffic everyone else has been analyzing for the past month+. Try to get some full packet captures, and see if the TCP window size is 55808. If so, there are multiple threads about this traffic on most security lists. The traffic is not fully explained at this point, but some of it may be related to "Typot" listed at antivirus vendor sites.

The target port for the odd TCP win 55808 traffic varies from target to target and source addresses are generally spoofed, so your port numbers and source addresses might not be the key to solving your puzzle.

Full packet captures are the only way to tell whether or not your traffic is related to the 55808 stuff.

> -----Original Message-----



Received on Wed Jun 25 16:39:47 2003
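
The check suggested in the message above (inspect full packet captures for TCP window size 55808), as an added example that is not part of the original post. It assumes a classic pcap file (not pcapng) with Ethernet framing and IPv4; the function names are hypothetical and the two sample frames are constructed, using documentation addresses and the port from the thread subject.

```python
import struct

SUSPECT_WINDOW = 55808  # TCP window size named in the post

def find_window_matches(pcap, window=SUSPECT_WINDOW):
    """Return (src, dst, dport) for IPv4/TCP frames whose window == `window`."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None:
        raise ValueError("not a classic (non-pcapng) capture file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled")
    hits, off = [], 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 (VLAN tags and IPv6 are out of scope here)
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != 6 or len(ip) < ihl + 16:
            continue  # not TCP, or snaplen cut the header short
        if struct.unpack(">H", ip[6:8])[0] & 0x1FFF:
            continue  # later IP fragment: carries no TCP header
        _, dport, _, _, _, win = struct.unpack(">HHIIHH", ip[ihl:ihl + 16])
        if win == window:
            src = ".".join(map(str, ip[12:16]))
            dst = ".".join(map(str, ip[16:20]))
            hits.append((src, dst, dport))
    return hits

def _frame(src, dst, dport, win):
    """Constructed Ethernet/IPv4/TCP SYN frame; checksums left at zero."""
    tcp = struct.pack(">HHIIBBHHH", 40000, dport, 1, 0, 0x50, 0x02, win, 0, 0)
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(src), bytes(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def sample_pcap():
    """Two constructed frames: one with window 55808, one with 65535."""
    frames = [_frame([192, 0, 2, 10], [198, 51, 100, 7], 16166, 55808),
              _frame([192, 0, 2, 11], [198, 51, 100, 7], 80, 65535)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(find_window_matches(sample_pcap()))
```

Matching is on the window field alone, so the result does not depend on the destination port or the source address, both of which the message says are unreliable for this traffic.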

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:09 EDT

