Hi there folks, sorry if you're on the securityfocus incidents list and have received another version of this but as this has protocol info I thought I might ask here.
Background: Friday 9th I noticed my laptop running slowly and unstable. I assumed that applying SP3 had broken it so I reinstalled.
Tue 13th I noticed logs in the firewall of my desktop which showed a prolonged scan of ports 50000-50099 on my desktop machine. The scan had originated from the ip of my laptop.
After a bit of thinking, I remember my desktop firewall complaining about some other packets at the time. IIRC there were packets from my laptop set at ip protocol 60 hitting my desktop. I also remember some packets set at ip protocol 0 coming from external ip addresses (not of our network). I was busy with work at the time so I blocked the packets and subsequently forgot about them.
Due to my wiping the laptop before noticing the firewall logs I was unable to figure out what had happened. The thing is, now I'm starting to see some activity I'm not expecting again.
Prior to last week I was running Win2K on it with SP2 (upgraded to SP3 around the same time).
When I reinstalled I put WinXP on.
The laptop has been running Kerio as a firewall with as many services as possible turned off.
Today my firewall has picked up another packet from my laptop that was ip protocol 60 (not port 60 but protocol 60). After spotting this I loaded up ethereal and started capturing.
aa.bb.cc.dd = laptop ip
dd.cc.bb.aa = desktop ip
I'm not familiar with all the protocols involved, so if my searches are correct Q.931 is an ISDN control protocol. This is odd because this is coming over a lan and neither machines have any ISDN hardware or software.
Secondly there is the IP packets with a header length of 0. I'm not sure if these are related but the reason I include them is because the source MAC addresses are only a slight variation on that of my laptop. That is my laptop starts 00:50 whilst these packets start 45:00. The rest is the same.
All these packets were captured using the host aa.bb.cc.dd (where aa.bb.cc.dd eq laptop ip) filter (details in attachment).
If anyone can advise me on the purpose of these packets I would appreciate it as to the best of my knowledge they have no valid purpose.
print-mod (29.8 KB)