(PM) Weird ptrace output

Rick Davidson (rick@buckeyeweb.com)
Wed, 8 Jul 1998 09:52:23 -0400

Fellow PortMaster Ho's,
Can someone clue me in on what this ptrace output is telling me? I was
looking into a connection that has been up for a long time with no idle
time. The source addresses do not jive with the IP I was tracing; my guess
is that this person may be hosting a chat of some sort (icq?)... am I right,
or do I need to crack some skulls?

This is the filter I used; note the IP address is: 205.183.16.110
PM3-1> sh filter cap
1 deny 0.0.0.0/0 0.0.0.0/0 tcp src eq 23
2 deny 0.0.0.0/0 0.0.0.0/0 tcp dst eq 23
3 permit 205.183.16.110/32 0.0.0.0/0 ip

Here is some of what it outputted:

TCP from 205.183.16.96.1065 to 199.245.125.4.80 seq D6F15, ack 0xFF9E4370, win 8760, ACK
TCP from 205.183.16.98.1461 to 209.150.130.146.80 seq 85D9F5, ack 0x6ED45C25, win 8110, PUSH ACK , 290 bytes
TCP from 205.183.16.96.1065 to 199.245.125.4.80 seq D6F15, ack 0xFF9E4371, win 8760, ACK
TCP from 205.183.16.96.1066 to 199.245.125.4.80 seq DA239, ack 0x0, win 8192, SYN
TCP from 205.183.16.96.1065 to 199.245.125.4.80 seq D6F15, ack 0xFF9E06AD, win 0, RST
UDP from 205.183.16.111.6112 to 202.82.45.20.6112
TCP from 205.183.16.98.1460 to 209.150.130.146.80 seq 85D491, ack 0x227C8892, win 8576, ACK
TCP from 205.183.16.103.1043 to 208.255.248.124.1027 seq 2BD7D, ack 0x3F6AEC, win 8760, PUSH ACK , 95 bytes
TCP from 205.183.16.104.1099 to 205.231.82.32.80 seq 179186, ack 0x44117A85, win 2144, ACK
UDP from 205.183.16.111.6112 to 202.82.45.20.6112
UDP from 205.183.16.111.6112 to 202.82.45.20.6112
TCP from 205.183.16.104.1098 to 205.231.82.32.80 seq 178A04, ack 0x4409B27D, win 1564, ACK
TCP from 205.183.16.98.1460 to 209.150.130.146.80 seq 85D491, ack 0x227C8AAA, win 8576, ACK
UDP from 205.183.16.111.6112 to 202.82.45.20.6112
TCP from 205.183.16.98.1460 to 209.150.130.146.80 seq 85D491, ack 0x227C8CC2, win 8576, ACK
TCP from 205.183.16.103.1043 to 208.255.248.124.1027 seq 2BDDC, ack 0x3F6AEE, win 8758, ACK
UDP from 205.183.16.111.6112 to 202.82.45.20.6112

There are 5 other addresses from my dial-up pool showing here; what gives?
This is the first time I have seen anything like this. Any ideas, comments,
or insults appreciated.

Paranoid and Caffeinated in Cleveland,
Rick Davidson
Network Administrator
Buckeye Internet Services, Ltd. http://www.buckeyeweb.com
ip route complaints 0.0.0.0 Null0
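A way to check a trace like the one above against the filter it was captured with, as an added example that is not part of the original post and not PortMaster code: it parses the ptrace record format as it appears in the post (TCP records with seq/ack/win/flags and an optional payload size, UDP records with only the endpoints), parses the three `sh filter cap` rules, and evaluates each packet against them. The record regexes are inferred from the posted lines, and first-match-wins with an implicit final deny is an assumed rule semantics, not something the post states. The two packets sourced from 205.183.16.110 are constructed to exercise the permit and the port-23 deny rules; the rest are lines from the post.

```python
"""Parse PortMaster-style ptrace records and check them against a filter list.

Added example: the record format is inferred from the posted trace, and
first-match-wins with an implicit trailing deny is an assumed semantics.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# TCP records: "TCP from A.B.C.D.port to E.F.G.H.port seq X, ack 0xY, win Z, FLAGS [ , N bytes]"
_TCP_RE = re.compile(
    r"^TCP from (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) to "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+) seq (?P<seq>[0-9A-Fa-f]+), "
    r"ack 0x(?P<ack>[0-9A-Fa-f]+), win (?P<win>\d+), (?P<flags>[A-Z ]+?)"
    r"(?: , (?P<bytes>\d+) bytes)?\s*$"
)
# UDP records carry only the two endpoints.
_UDP_RE = re.compile(
    r"^UDP from (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) to "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+)\s*$"
)


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: Tuple[str, ...] = ()
    payload: int = 0


@dataclass
class Rule:
    num: int
    action: str                      # "permit" or "deny"
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    proto: str                       # "ip", "tcp" or "udp"
    port_cond: Optional[Tuple[str, int]] = None  # ("src"|"dst", port) for "eq" rules


def parse_trace(text: str) -> List[Packet]:
    """Turn ptrace output into Packet objects; lines that match neither shape are skipped."""
    pkts = []
    for line in text.strip().splitlines():
        m = _TCP_RE.match(line)
        if m:
            pkts.append(Packet("tcp", m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                               tuple(m["flags"].split()), int(m["bytes"] or 0)))
            continue
        m = _UDP_RE.match(line)
        if m:
            pkts.append(Packet("udp", m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return pkts


def parse_filter(text: str) -> List[Rule]:
    """Parse 'sh filter' lines such as '1 deny 0.0.0.0/0 0.0.0.0/0 tcp src eq 23'."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        num, action, src, dst, proto = parts[:5]
        port_cond = None
        if len(parts) >= 8 and parts[6] == "eq":
            port_cond = (parts[5], int(parts[7]))
        rules.append(Rule(int(num), action, ipaddress.ip_network(src),
                          ipaddress.ip_network(dst), proto, port_cond))
    return rules


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule decides (assumed); no match falls through to an implicit deny."""
    for r in rules:
        if ipaddress.ip_address(pkt.src) not in r.src_net:
            continue
        if ipaddress.ip_address(pkt.dst) not in r.dst_net:
            continue
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if r.port_cond:
            which, port = r.port_cond
            if (pkt.sport if which == "src" else pkt.dport) != port:
                continue
        return r.action, r.num
    return "deny", None


def sources_other_than(pkts: List[Packet], traced: str) -> List[str]:
    """Source hosts in the trace that are not the host the filter was meant to capture."""
    others = {p.src for p in pkts if p.src != traced}
    return sorted(others, key=ipaddress.ip_address)


def not_permitted(rules: List[Rule], pkts: List[Packet]) -> List[Packet]:
    """Packets the filter, as written, would not have permitted."""
    return [p for p in pkts if evaluate(rules, p)[0] != "permit"]


FILTER = """
1 deny 0.0.0.0/0 0.0.0.0/0 tcp src eq 23
2 deny 0.0.0.0/0 0.0.0.0/0 tcp dst eq 23
3 permit 205.183.16.110/32 0.0.0.0/0 ip
"""

# Seven lines from the post plus two constructed 205.183.16.110 packets (last two lines).
TRACE = """
TCP from 205.183.16.96.1065 to 199.245.125.4.80 seq D6F15, ack 0xFF9E4370, win 8760, ACK
TCP from 205.183.16.98.1461 to 209.150.130.146.80 seq 85D9F5, ack 0x6ED45C25, win 8110, PUSH ACK , 290 bytes
TCP from 205.183.16.96.1066 to 199.245.125.4.80 seq DA239, ack 0x0, win 8192, SYN
UDP from 205.183.16.111.6112 to 202.82.45.20.6112
TCP from 205.183.16.103.1043 to 208.255.248.124.1027 seq 2BD7D, ack 0x3F6AEC, win 8760, PUSH ACK , 95 bytes
TCP from 205.183.16.104.1099 to 205.231.82.32.80 seq 179186, ack 0x44117A85, win 2144, ACK
UDP from 205.183.16.111.6112 to 202.82.45.20.6112
TCP from 205.183.16.110.1200 to 199.245.125.4.80 seq 1, ack 0x0, win 8192, SYN
TCP from 205.183.16.110.1201 to 199.245.125.4.23 seq 1, ack 0x0, win 8192, SYN
"""

if __name__ == "__main__":
    rules, pkts = parse_filter(FILTER), parse_trace(TRACE)
    print("packets per source:", Counter(p.src for p in pkts))
    print("sources other than the traced host:", sources_other_than(pkts, "205.183.16.110"))
    for p in not_permitted(rules, pkts):
        print("not permitted by the filter as written:", p.proto, p.src, p.sport, "->", p.dst, p.dport)
```

Run against the full trace in the post, `sources_other_than` returns the five dial-up addresses the post mentions, and `not_permitted` reports every one of their packets, since rule 3 is the only permit and it matches one /32 source only; that makes it a quick way to separate "the filter did not do what I expected" from "the traced host is talking to all of these".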
-
To unsubscribe, email 'majordomo@livingston.com' with
'unsubscribe portmaster-users' in the body of the message.
Searchable list archive: <URL:http://www.livingston.com/Tech/archive/>