Date: Wed, 20 Nov 2002 16:39:43 +0200
From: Peter Pentchev <roam@ringlet.net>
To: freebsd-security@FreeBSD.org
Subject: [OT] Windows applications generating ISA-KMP packets?
Message-ID: <20021120143943.GM388@straylight.oblivion.bg>
Hi,

Apologies for the somewhat off-topic post; I am also sending this to a couple of other security-related lists, where it will be more relevant, but any replies would be welcome.

Today, a company I do some work for received an e-mail inquiry regarding strange packets sent to an address unknown to us. The packets in question were UDP packets with 500 as both source and destination port. The source address - ours - is not running anything related to IPsec, ISA-KMP or the like. It is, however, a NAT gateway for a large internal network.

A quick tcpdump run showed that many hosts on that internal network try to send UDP packets from 500 to 500 to many external hosts, including hosts in the cluster*.icq.com, www.google.com, ns1.google.com, pt*.t-dialin.net, adsl*.pacbell.net, and many others.

Is anybody aware of any reason for a Windows workstation (those are all Windows workstations) to send an ISA-KMP packet to external hosts? Which application should we look for? The machines in question are all running recent versions of ICQ clients (the official icq.com ones), various versions of Microsoft Internet Explorer, and, among others, the Google Toolbar as a plug-in. Do any of these ring a bell? I can see no real reason why any of those would send ISA-KMP packets to anyone for any reason at all, but I can see the packets, and apparently others have seen them, too. On the other hand, could this be some sort of a trojan?

Unfortunately, I am not currently, and will not be in the foreseeable future, at that location, so the further research which I would like to do will be somewhat delayed. Still, any information about Windows applications sending UDP packets from and to port 500 would be highly appreciated.

Thanks in advance for any replies!
G'luck,
Peter

-- 
Peter Pentchev	roam@ringlet.net	roam@FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
What would this sentence be like if pi were 3?
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20021120143943.GM388>
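The mail asks how to tell whether datagrams seen on UDP 500 are really ISA-KMP traffic or just some application that happens to use that port. As an added example that is not part of the original message or anything Peter posted, the following Python parses the fixed 28-byte ISAKMP header (RFC 2408 section 3.1) out of a UDP payload and classifies the datagram. All sample payloads below are constructed for the example, not captured traffic; the 2002 traffic would have been IKEv1, but the version check also accepts IKEv2 (RFC 4306) as a generalization beyond the mail.

```python
import struct

ISAKMP_HEADER_LEN = 28  # RFC 2408 section 3.1: fixed header size in bytes

# Exchange types: IKEv1 values from RFC 2408/2409, IKEv2 values from RFC 4306 section 3.1
EXCHANGE_TYPES = {
    1: "Base",
    2: "Identity Protection (Main Mode)",
    3: "Authentication Only",
    4: "Aggressive",
    5: "Informational",
    32: "Quick Mode",
    34: "IKE_SA_INIT",
    35: "IKE_AUTH",
    36: "CREATE_CHILD_SA",
    37: "INFORMATIONAL",
}


def parse_isakmp_header(payload):
    """Unpack the fixed ISAKMP header; return None if the datagram cannot hold one."""
    if len(payload) < ISAKMP_HEADER_LEN:
        return None
    (init_cookie, resp_cookie, next_payload, version,
     exchange_type, flags, message_id, length) = struct.unpack(
        ">8s8sBBBBII", payload[:ISAKMP_HEADER_LEN])
    return {
        "initiator_cookie": init_cookie,
        "responder_cookie": resp_cookie,
        "next_payload": next_payload,
        "major": version >> 4,        # high nibble: 1 for IKEv1, 2 for IKEv2
        "minor": version & 0x0F,
        "exchange_type": exchange_type,
        "flags": flags,
        "message_id": message_id,
        "length": length,             # total length including the header
    }


def classify_udp500(payload):
    """Return (verdict, reason) for the payload of one UDP datagram seen on port 500."""
    hdr = parse_isakmp_header(payload)
    if hdr is None:
        return "not-isakmp", "payload shorter than the 28-byte ISAKMP header"
    if hdr["major"] not in (1, 2):
        return "not-isakmp", "unknown major version %d" % hdr["major"]
    if hdr["exchange_type"] not in EXCHANGE_TYPES:
        return "not-isakmp", "unknown exchange type %d" % hdr["exchange_type"]
    if hdr["length"] != len(payload):
        return "suspicious", "length field %d does not match datagram payload %d" % (
            hdr["length"], len(payload))
    if hdr["initiator_cookie"] == bytes(8):
        return "suspicious", "initiator cookie must never be zero"
    name = EXCHANGE_TYPES[hdr["exchange_type"]]
    if hdr["responder_cookie"] == bytes(8) and hdr["message_id"] == 0:
        # First message of an exchange: the responder has not yet chosen its cookie
        return "isakmp-initiation", name
    return "isakmp", name


def _constructed_main_mode_init():
    # Constructed sample: first Main Mode message carrying a single SA payload.
    # Generic payload header (next=0, reserved, length=12), then DOI=1 (IPsec), SIT_IDENTITY_ONLY=1.
    sa_payload = struct.pack(">BBHII", 0, 0, 12, 1, 1)
    header = struct.pack(
        ">8s8sBBBBII",
        bytes.fromhex("0123456789abcdef"),  # initiator cookie (made up for the sample)
        bytes(8),                           # responder cookie: zero in the first message
        1,                                  # next payload: SA
        0x10,                               # version 1.0
        2,                                  # exchange type: Identity Protection
        0,                                  # flags
        0,                                  # message ID: zero in phase 1
        ISAKMP_HEADER_LEN + len(sa_payload),
    )
    return header + sa_payload


# Constructed inputs, labelled by what they exercise
SAMPLES = {
    "ikev1_main_mode": _constructed_main_mode_init(),
    "short_junk": b"hello, port 500",
    # Header-sized, but the version byte says 5.5, which no IKE version uses
    "bad_version": b"A" * 16 + bytes([1, 0x55, 2, 0]) + struct.pack(">II", 0, 28),
    # A genuine-looking header whose length field no longer matches the datagram
    "length_mismatch": _constructed_main_mode_init()[:-4],
}


def triage(samples=SAMPLES):
    """Classify every sample; returns {name: verdict}."""
    return {name: classify_udp500(payload)[0] for name, payload in samples.items()}


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        verdict, reason = classify_udp500(payload)
        print("%-16s %-18s %s" % (name, verdict, reason))
```

On the gateway, `tcpdump -nn -s 0 -w ike.pcap 'udp port 500'` keeps full datagrams so the UDP payloads can be fed to `classify_udp500`. A host whose IPsec policy agent is really negotiating will produce well-formed initiations with a sane length field; an application that merely picked port 500 for its own protocol will typically fail the version or length checks, which is the first thing to establish before hunting for a trojan.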