Port 5000 Traffic Continues; Fragmented tcp/16191 Update

Published: 2004-05-18
Last Updated: 2004-05-19 01:10:58 UTC
by Marcus Sachs (Version: 1)
0 comment(s)
Port 5000 Traffic Continues. As reported in yesterday's diary, two worms (Bobax and Kibuv.B) are responsible for the increase in tcp/5000 traffic. Microsoft Windows systems that are currently patched are not vulnerable to either worm.

Fragmented tcp/16191 Update Additional information on the report of fragmented IP traffic towards port 16191 in the May 14 diary ( http://isc.sans.org/diary.php?date=2004-05-14 ) arrived in the mailbag today. James tells us,

"I have seen this before inside my network, and recently am seeing it again, including a couple of hits from outside now. Using Cisco v2 IDS sensors on my internal network I always see these as a set of 3 signatures:

1203 - IP fragment overwrite - Data is overwritten

1204 - IP fragment missing initial fragment

1208 - IP fragment incomplete dgram

The Cisco IDS usually indicates whether a port is a TCP or UDP port, but in this case the protocol field of the alert simply says IP."

Handler Ed Skodis explains, "That's likely because the higher-layer protocol (TCP or UDP) header is typically included in the first fragment, including the port number itself. Therefore, because you are getting:

1204 - IP fragment missing initial fragment

You aren't seeing the TCP/UDP stuff, so the IDS labels it merely as IP."

Additional details from Cisco on packet fragmentation is online at http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids4/11657_02.htm#xtocid11

Marcus H. Sachs

Handler on Duty

0 comment(s)


Diary Archives