Ok, who's having a laugh? 127.0.0.1 tried to hack me!

Discussion in 'Computer Security' started by Dave Korn, Sep 8, 2003.

  1. Dave Korn

    Dave Korn Guest

    I just received a couple of very strange packets. They came in over the wire
    from my ISP's UBR with the correct MAC addresses; it's definitely a spoofed
    packet. The TTL suggests it most likely came from 9 hops away, which is probably
    still within my ISP's borders.

    Anyone else seen anything like this recently?

    Frame 31 (60 on wire, 60 captured)
    Ethernet II
    Internet Protocol, Src Addr: 127.0.0.1 (127.0.0.1), Dst Addr: 80.1.204.18
    (80.1.204.18)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 40
    Identification: 0x8c7b
    Flags: 0x00
    Fragment offset: 0
    Time to live: 119
    Protocol: TCP (0x06)
    Header checksum: 0x1c40 (correct)
    Source: 127.0.0.1 (127.0.0.1)
    Destination: 80.1.204.18 (80.1.204.18)
    Transmission Control Protocol, Src Port: 80 (80), Dst Port: 1380 (1380),
    Seq: 0, Ack: 938672129
    Source port: 80 (80)
    Destination port: 1380 (1380)
    Sequence number: 0
    Acknowledgement number: 938672129
    Header length: 20 bytes
    Flags: 0x0014 (RST, ACK)
    Window size: 0
    Checksum: 0xd713 (correct)

    0000 ** ** ** ** ** ** ** ** ** ** ** ** 08 00 45 00 ..............E.
    0010 00 28 8c 7b 00 00 77 06 1c 40 7f 00 00 01 50 01 .(.{..w..@....P.
    0020 cc 12 00 50 05 64 00 00 00 00 37 f3 00 01 50 14 ...P.d....7...P.
    0030 00 00 d7 13 00 00 00 00 00 00 00 00 ............

    Frame 32 (60 on wire, 60 captured)
    Ethernet II
    Internet Protocol, Src Addr: 127.0.0.1 (127.0.0.1), Dst Addr: 80.1.204.18
    (80.1.204.18)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 40
    Identification: 0x8fe9
    Flags: 0x00
    Fragment offset: 0
    Time to live: 119
    Protocol: TCP (0x06)
    Header checksum: 0x18d2 (correct)
    Source: 127.0.0.1 (127.0.0.1)
    Destination: 80.1.204.18 (80.1.204.18)
    Transmission Control Protocol, Src Port: 80 (80), Dst Port: 1876 (1876),
    Seq: 0, Ack: 2001993729
    Source port: 80 (80)
    Destination port: 1876 (1876)
    Sequence number: 0
    Acknowledgement number: 2001993729
    Header length: 20 bytes
    Flags: 0x0014 (RST, ACK)
    Window size: 0
    Checksum: 0x95c2 (correct)

    0000 ** ** ** ** ** ** ** ** ** ** ** ** 08 00 45 00 ..............E.
    0010 00 28 8f e9 00 00 77 06 18 d2 7f 00 00 01 50 01 .(....w.......P.
    0020 cc 12 00 50 07 54 00 00 00 00 77 54 00 01 50 14 ...P.T....wT..P.
    0030 00 00 95 c2 00 00 00 00 00 00 00 00 ............


    DaveK
    --
    moderator of
    alt.talk.rec.soc.biz.news.comp.humanities.meow.misc.moderated.meow
    Burn your ID card! http://www.optional-identity.org.uk/
    Help support the campaign, copy this into your .sig!
    Proud Member of the Exclusive "I have been plonked by Davee because he
    thinks I'm interesting" List Member #<insert number here>
    Master of Many Meowing Minions
    Holder of the exhalted PF Chang's Crab Wonton Award for kook spankage above
    and beyond the call of hilarity.
    PGP Key-ID: 0x0FB504D1 Fingerprint 04B7 2E8C 0245 680E 6484 C441 CEC7 D2BD
     
    Dave Korn, Sep 8, 2003
    #1

  2. 127.0.0.1

    DOH!

    --
     
    Leisure Suit Lamey, Sep 8, 2003
    #2

  3. probably a spoofed ip scan or older internal hack virus
     
    Metal Cyber Man, Sep 8, 2003
    #3
  4. Dave Korn

    Eddie Guest


    Just a WAG, but did your ISP loopback windowsupdate.com during the blaster
    scare? Several people are reporting this over the past few days.

    Eddie
     
    Eddie, Sep 8, 2003
    #4
  5. Dave Korn

    sponge Guest

    It looks like a weak attempt at a DoS. AFAIK, it only works against
    FreeBSD. BTW, TTL says 119 hops. The high TTL is suspicious, but it's a
    ReSeT packet, so I don't see it as being particularly threatening, nor
    is it routable. The only RST-oriented attacks I know of are spoofs that
    serve as DoS for connections in progress. These are usually very
    minor, and since this one purports to be from 127.0.0.1 it's a
    non-issue. Probably just somebody wanting to pretend to be a hacker.

    Sponge
    Sponge's Anti-Spyware Source
    www.geocities.com/yosponge
     
    sponge, Sep 9, 2003
    #5
  6. You should block all private IPs at your border router.

    Steven BerkHolz
     
    BerkHolz, Steven, Sep 9, 2003
    #6
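    As an added example (not code from the thread or from any poster), here is how a border filter of the kind Steven describes would judge these two frames: it decodes the hex dumps Dave posted, verifies the IP header checksums Ethereal marked as correct, and drops on the loopback source regardless of the RST/ACK flags. The Ethernet addresses masked in the dump are assumed to be zero, and the hop estimate assumes an initial TTL of 128.

```python
import ipaddress
import struct

# Constructed from the hex dumps in the thread; the masked Ethernet
# addresses (shown as ** in the dump) are filled with zeros.
FRAME_31 = bytes.fromhex("000000000000 000000000000 0800 4500 0028 8c7b 0000 7706 1c40 7f000001"
                         " 5001cc12 0050 0564 00000000 37f30001 5014 0000 d713 0000 000000000000")
FRAME_32 = bytes.fromhex("000000000000 000000000000 0800 4500 0028 8fe9 0000 7706 18d2 7f000001"
                         " 5001cc12 0050 0754 00000000 77540001 5014 0000 95c2 0000 000000000000")

# Source ranges that must never arrive from an upstream link: loopback, RFC 1918, "this" net.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in
                 ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "0.0.0.0/8")]
TCP_FLAG_BITS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
                 ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20))

def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones-complement sum over the whole header; 0 means the stored checksum is valid."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def analyse(frame: bytes) -> dict:
    """Parse Ethernet/IPv4/TCP headers and return the facts a bogon filter decides on."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    src, dst = ipaddress.ip_address(ip[12:16]), ipaddress.ip_address(ip[16:20])
    tcp = ip[ihl:]
    sport, dport, seq, ack = struct.unpack("!HHII", tcp[:12])
    return {
        "src": str(src), "dst": str(dst), "sport": sport, "dport": dport,
        "seq": seq, "ack": ack, "ttl": ip[8],
        "flags": tuple(name for name, bit in TCP_FLAG_BITS if tcp[13] & bit),
        "checksum_ok": ip[9] == 6 and ip_checksum(ip[:ihl]) == 0,
        "hops_if_ttl128": 128 - ip[8],  # assumes the sender started at TTL 128
        "bogon_source": any(src in net for net in BOGON_SOURCES),
    }

if __name__ == "__main__":
    for frame in (FRAME_31, FRAME_32):
        facts = analyse(frame)
        print("DROP (bogon source)" if facts["bogon_source"] else "pass", facts)
```

    Both frames pass the checksum test and carry a sensible-looking ACK number, so only the source-address rule catches them; that is why the filter keys on the address and not on the flags.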
  7. Dave Korn

    Bruce Porter Guest

    Look who's hacking off :)
     
    Bruce Porter, Sep 10, 2003
    #7
