[ntp:hackers] GPS.FreeBSD.org moves to new IP#

Poul-Henning Kamp phk at phk.freebsd.dk
Fri Aug 22 08:48:51 PDT 2003


More on SoBig.F: I made a packet trace, and the packets from
the viruses are pretty easy to recognize:

15:46:22.866837 67.200.37.52.3681 > 212.242.86.186.123: [udp sum ok]  v4 client strat 0 poll 0 prec 0 dist 0.000000 disp 0.000000 ref (unspec)@0.000000000 orig 0.000000000 rec -0.000000000 xmt -1024411316.000000000 (ttl 114, id 42577, len 76)
15:46:23.052827 65.65.38.194.3458 > 212.242.86.186.123: [udp sum ok]  v4 client strat 0 poll 0 prec 0 dist 0.000000 disp 0.000000 ref (unspec)@0.000000000 orig 0.000000000 rec -0.000000000 xmt -1024411315.000000000 (ttl 107, id 24604, len 76)
15:46:23.066811 69.22.56.170.2608 > 212.242.86.186.123: [udp sum ok]  v4 client strat 0 poll 0 prec 0 dist 0.000000 disp 0.000000 ref (unspec)@0.000000000 orig 0.000000000 rec -0.000000000 xmt -1024411051.000000000 (ttl 109, id 12867, len 76)
15:46:23.170814 198.206.239.254.3969 > 212.242.86.186.123: [udp sum ok]  v4 client strat 0 poll 0 prec 0 dist 0.000000 disp 0.000000 ref (unspec)@0.000000000 orig 0.000000000 rec -0.000000000 xmt -1024411313.000000000 (ttl 111, id 32832, len 76)

Unfortunately I'm not quite sure I know how we can gainfully
use this knowledge...

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk at FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.
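
One way to put the trace to use, as an added example that is not part of the original post: parse tcpdump NTP lines in the format quoted above and count, per source address, the packets that share the shape of the four quoted ones. Which fields make up the signature is an assumption taken from what those four lines have in common (v4 client, zero stratum/poll/precision, unspecified reference, only the transmit timestamp set); the function names and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Field layout of the tcpdump NTP lines quoted in the post.
NTP_LINE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > \d+\.\d+\.\d+\.\d+\.(?P<dport>\d+): .*?"
    r"v(?P<ver>\d) (?P<mode>\w+) strat (?P<strat>\d+) poll (?P<poll>-?\d+) "
    r"prec (?P<prec>-?\d+) dist (?P<dist>\S+) disp (?P<disp>\S+) "
    r"ref (?P<ref>\S+)@(?P<reftime>\S+) orig (?P<orig>\S+) rec (?P<rec>\S+) "
    r"xmt (?P<xmt>\S+)"
)
ZERO_FIELDS = ("strat", "poll", "prec", "dist", "disp", "reftime", "orig", "rec")

def matches_trace_shape(f):
    """Assumed signature: the fields all four quoted packets have in common."""
    return (f["dport"] == "123" and f["ver"] == "4" and f["mode"] == "client"
            and f["ref"] == "(unspec)"
            and all(float(f[k]) == 0.0 for k in ZERO_FIELDS)  # "-0.000000000" counts as zero
            and float(f["xmt"]) != 0.0)                        # only xmt is filled in

def summarize(lines):
    """Return (matching packets per source, parsed non-matching, unparsed)."""
    hits, other, unparsed = Counter(), 0, 0
    for line in lines:
        m = NTP_LINE.search(line)
        if m is None:
            unparsed += 1
        elif matches_trace_shape(m.groupdict()):
            hits[m["src"]] += 1
        else:
            other += 1
    return hits, other, unparsed

# Constructed sample input (documentation addresses, not lines from the post).
HEAD = "[udp sum ok]  v4 client "
BARE = ("strat 0 poll 0 prec 0 dist 0.000000 disp 0.000000 ref (unspec)@0.000000000 "
        "orig 0.000000000 rec -0.000000000 xmt -1024411316.000000000 (ttl 114, id 1, len 76)")
FULL = ("strat 3 poll 6 prec -20 dist 0.031250 disp 0.046875 ref 198.51.100.5@3270642382.123456789 "
        "orig 3270642380.100000000 rec 3270642380.200000000 xmt 3270642382.866837000 (ttl 60, id 2, len 76)")
SAMPLE = [
    "15:46:22.866837 192.0.2.10.3681 > 203.0.113.1.123: " + HEAD + BARE,
    "15:46:23.052827 192.0.2.10.3682 > 203.0.113.1.123: " + HEAD + BARE,
    "15:46:23.066811 192.0.2.77.2608 > 203.0.113.1.123: " + HEAD + BARE,
    "15:46:23.170814 192.0.2.20.123 > 203.0.113.1.123: " + HEAD + FULL,
    "15:46:24.000000 192.0.2.9.1024 > 203.0.113.1.53: 1234+ A? example.org. (29)",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The per-source counts rank senders of this packet shape; the trace alone does not show whether other client software emits the same shape.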


