
One of our readers submitted several odd packets. Of course, I can't resist figuring out what exactly is going on here. The packets appear to include a lengthy preamble, but I have no idea what would cause this. After the preamble, we get what looks like a normal Link-Local Multicast Name Resolution (LLMNR) packet.

    0x0000:  0000 2900 0033 0000 3700 0000 0000 0000
    0x0010:  0000 0000 0000 0000 0000 0000 0000 0000
    0x0020:  0000 0000 0000 0000 0000 0000 0000 0000
    0x0030:  0000 0100 5e00 00fc 6451 06a1 43c6 8100
    0x0040:  00a7 0800 4500 0033 355a 0000 0111 599b
    0x0050:  XXXX XXXX e000 00fc c59d 14eb 001f 0c38
    0x0060:  8669 0000 0001 0000 0000 0000 0555 3231
    0x0070:  3038 0000 ff00 01

The preamble runs for 50 bytes (offsets 0x00 through 0x31) and is almost entirely zeros. The Ethernet frame starts at offset 0x32.

Ethernet Header

    0x0030:  .... 0100 5e00 00fc 6451 06a1 43c6 8100
    0x0040:  00a7 0800

0100 5e00 00fc : Destination MAC. 01:00:5e:00:00:fc is the IPv4 multicast MAC for 224.0.0.252 (01:00:5e followed by the low 23 bits of the group address)
6451 06a1 43c6 : Source MAC. The OUI (64:51:06) is assigned to HP
8100 00a7 : 802.1Q VLAN tag. TPID 0x8100, TCI 0x00a7: priority 0, VLAN ID 167
0800 : EtherType for IPv4

IPv4 Header

    0x0040:  .... .... 4500 0033 355a 0000 0111 599b
    0x0050:  XXXX XXXX e000 00fc

IPv4, normal header length (20 bytes), TOS=0
Total Datagram Length: 0x33 (51)
IP ID: 0x355a, no fragmentation flags, no offset
TTL: 1
Protocol: 0x11 (UDP, 17)
IP checksum: 0x599b
Source IP: [obfuscated, since it was a public routable IP]
Destination IP: 224.0.0.252 - LLMNR multicast address, RFC 4795

UDP Header

    0x0050:  .... .... .... .... c59d 14eb 001f 0c38

Source Port: 50589
Dest. Port: 5355 (standard port for LLMNR)
UDP Length: 31 bytes (8-byte UDP header plus 23 bytes of payload; with the 20-byte IP header this adds up to the total datagram length of 51)
UDP Checksum: 0x0c38

LLMNR Payload (LLMNR uses the DNS message format)

    0x0060:  8669 0000 0001 0000 0000 0000 0555 3231
    0x0070:  3038 0000 ff00 01

Query ID: 0x8669
Flags: 0x0000 (this is a query)
Queries: 1, Answers: 0, Name Servers: 0, Additional records: 0

Query name: 05 55 32 31 30 38 00 - one label of length 5, "U2108", followed by the 00 root terminator
Type: 00 ff - ANY (255)
Class: 00 01 - IN
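To make the decode above reproducible, here is a small hand-parser that skips the preamble and walks the Ethernet, 802.1Q, IPv4, UDP and LLMNR headers of the diary's dump with nothing but struct. This is an added example, not code from the diary or from ISC. Two assumptions: the obfuscated source IP (XXXX XXXX) is replaced by 0.0.0.0 so the hex parses, which means the IP and UDP checksums can only be reported, not recomputed; and find_frame_start() is a heuristic (an Ethernet header followed by something that looks like an IPv4 header), not a protocol-defined framing rule. It also performs the consistency checks a practitioner wants before trusting the decode: the IP and UDP lengths agree with the bytes present, and the destination MAC is the RFC 1112 multicast mapping of the destination IP.

```python
"""Decode the diary's hex dump: preamble, Ethernet/802.1Q, IPv4, UDP, LLMNR."""
import struct

# Constructed from the diary's dump; the obfuscated source IP is zeroed (assumption).
PACKET_HEX = """
0000 2900 0033 0000 3700 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0100 5e00 00fc 6451 06a1 43c6 8100
00a7 0800 4500 0033 355a 0000 0111 599b
0000 0000 e000 00fc c59d 14eb 001f 0c38
8669 0000 0001 0000 0000 0000 0555 3231
3038 0000 ff00 01
"""

ETH_8021Q, ETH_IPV4 = 0x8100, 0x0800
IPPROTO_UDP, LLMNR_PORT, LLMNR_MCAST = 17, 5355, "224.0.0.252"


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip4_str(b):
    return ".".join(str(x) for x in b)


def mcast_mac_for(ip):
    """RFC 1112 mapping: 01:00:5e followed by the low 23 bits of the IPv4 group."""
    o = [int(x) for x in ip.split(".")]
    return mac_str(bytes([0x01, 0x00, 0x5E, o[1] & 0x7F, o[2], o[3]]))


def find_frame_start(data):
    """Heuristic (assumption, not a framing rule): first offset whose EtherType,
    after an optional 802.1Q tag, is IPv4 and which is followed by a plausible
    IPv4 version/IHL byte. Returns the offset, or None."""
    for off in range(len(data) - 18):
        et = struct.unpack_from("!H", data, off + 12)[0]
        ip_off = off + 14
        if et == ETH_8021Q:
            et = struct.unpack_from("!H", data, off + 16)[0]
            ip_off = off + 18
        b = data[ip_off]
        if et == ETH_IPV4 and (b >> 4) == 4 and (b & 0x0F) >= 5:
            return off
    return None


def decode(hexdump):
    data = bytes.fromhex("".join(hexdump.split()))
    off = find_frame_start(data)
    if off is None:
        raise ValueError("no Ethernet/IPv4 frame found")
    r = {"preamble_len": off}

    # Ethernet II, optionally 802.1Q-tagged
    dst, src, et = struct.unpack_from("!6s6sH", data, off)
    r["dst_mac"], r["src_mac"] = mac_str(dst), mac_str(src)
    p = off + 14
    if et == ETH_8021Q:
        tci, et = struct.unpack_from("!HH", data, p)
        r["vlan_id"], r["vlan_pcp"] = tci & 0x0FFF, tci >> 13
        p += 4
    r["ethertype"] = et

    # IPv4 fixed header; IHL is honoured in case options are present
    (vihl, _tos, tlen, ident, flagfrag, ttl, proto, ipcsum,
     s, d) = struct.unpack_from("!BBHHHBBH4s4s", data, p)
    ihl = (vihl & 0x0F) * 4
    r.update(ip_len=tlen, ip_id=ident, ip_flags=flagfrag >> 13,
             ip_frag=flagfrag & 0x1FFF, ttl=ttl, proto=proto,
             ip_csum=ipcsum, src_ip=ip4_str(s), dst_ip=ip4_str(d))
    ip_payload = data[p + ihl:p + tlen]
    r["ip_len_ok"] = len(ip_payload) == tlen - ihl      # whole datagram captured?
    r["mcast_mac_ok"] = r["dst_mac"] == mcast_mac_for(r["dst_ip"])

    # UDP
    sport, dport, ulen, ucsum = struct.unpack_from("!HHHH", ip_payload)
    r.update(sport=sport, dport=dport, udp_len=ulen, udp_csum=ucsum)
    r["udp_len_ok"] = ulen == len(ip_payload)
    r["is_llmnr"] = (proto == IPPROTO_UDP and dport == LLMNR_PORT
                     and r["dst_ip"] == LLMNR_MCAST)

    # LLMNR (RFC 4795) uses the DNS message format: 12-byte header, then a question
    payload = ip_payload[8:ulen]
    qid, flags, qd, an, ns, ar = struct.unpack_from("!6H", payload)
    r.update(query_id=qid, flags=flags, qdcount=qd, ancount=an, nscount=ns,
             arcount=ar, is_query=not (flags & 0x8000))
    q, labels = 12, []
    while payload[q] != 0:                 # length-prefixed labels, 0 terminates
        n = payload[q]
        labels.append(payload[q + 1:q + 1 + n].decode("ascii"))
        q += 1 + n
    qtype, qclass = struct.unpack_from("!HH", payload, q + 1)
    r.update(qname=".".join(labels), qtype=qtype, qclass=qclass)
    return r


if __name__ == "__main__":
    for k, v in decode(PACKET_HEX).items():
        print(f"{k:13} {v}")
```

Running it on the dump reports a 50-byte preamble, VLAN ID 167, total IP length 51 matching the 31-byte UDP length, a destination MAC that is exactly the multicast mapping of 224.0.0.252, and a single ANY/IN question for U2108. If you see similar traffic, the same decoder applied to your own dump will tell you quickly whether the preamble length and the embedded frame look the same.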

Please comment or use our contact form to let us know if you have seen traffic like this.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.