Re: strange sniff/scan ???

Hello Tino, 

The packets you are seeing are from a scan
for the latest Samba 2.2.8 remote root hole,
regarding a packet re-assembly bug (the Samba
team misused a strncpy() call). This bug was
patched in version 2.2.8a.

The packet you are seeing is probably generated
by one of the exploits in the wild that
have scanning ability (check packetstorm, for
example, to see those).

Mainly they are just checking whether you have Samba
and what version; the CKAA is plain garbage.

Regards,

Paulo

On 01 May 2003 16:30:55 +0200
ctino.schmitt@xxxxxxxxxxx (SchmiTTT) wrote:

> 
> 
> Hi !
> 
> Here is a printout from snort:
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> 05/01-16:26:42.686237 < l/l len: 0 l/l type: 0x200 0:0:0:0:0:0
> pkt type:0x0 proto: 0x800 len:0x5E
> 67.121.92.180:1025 -> 217.230.71.240:137 UDP TTL:111 TOS:0x0 ID:27498
> IpLen:20 DgmLen:78
> Len: 50
> 01 00 00 10 00 01 00 00 00 00 00 00 20 43 4B 41  ............ CKA
> 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21  AAAAAAAAAAAAA..!
> 00 01                                            ..
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> 
> This guy seems to repeat it over and over at my PC,
> from all parts of the world. I assume he is in South America or Spain.
> 
> What does CKAAAA...  mean ??? What kind of scan is this ???
> 
> For a hint, tuvm!
> 
> Regards
> Tino.
> 
> ------------------------------------------------------------------------
>      To unsubscribe email security-discuss-request@xxxxxxxxxxxxxxxxx
>          with "unsubscribe" in the subject of the message.
> 


P. Abrantes
 
++++++++++++++++++++++++++++++++++++++++
 
	Computer Science Student @
	Instituto Superior Tecnico
	  (http://www.ist.utl.pt) 
 
This email fortune cookie: 
 
We are using Linux daily to UP our productivity - 
so UP yours! -- Adapted from Pat Paulsen by Joe Sloan
 
++++++++++++++++++++++++++++++++++++++++
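
Added example (not part of either message): a Python decoder for the 50-byte UDP/137 payload in the snort dump quoted above, following the NetBIOS name service packet layout from RFC 1001/1002. The function and field names are chosen for this illustration.

```python
import struct

# Payload bytes copied from the snort dump quoted in the thread (50 bytes).
PAYLOAD = bytes.fromhex(
    "01 00 00 10 00 01 00 00 00 00 00 00 20 43 4B" + " 41" * 30 + " 00 00 21 00 01"
)
QTYPES = {0x0020: "NB", 0x0021: "NBSTAT"}  # RFC 1002 question types


def decode_first_level(encoded: bytes) -> bytes:
    """Undo RFC 1001 first-level encoding: two letters 'A'..'P' give one byte."""
    if len(encoded) != 32 or any(not 0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    return bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                 for i in range(0, 32, 2))


def parse_nbns_query(payload: bytes) -> dict:
    """Parse the header and the first question of a NetBIOS name service packet."""
    if len(payload) < 13:
        raise ValueError("truncated packet")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    label_len = payload[12]
    end = 13 + label_len
    # Expect one 32-byte label, a zero terminator, then type and class.
    if label_len != 32 or len(payload) < end + 5 or payload[end] != 0:
        raise ValueError("unexpected question name layout")
    name = decode_first_level(payload[13:end])
    qtype, qclass = struct.unpack("!HH", payload[end + 1:end + 5])
    return {
        "txid": txid,
        "is_response": bool(flags & 0x8000),   # R bit
        "opcode": (flags >> 11) & 0xF,         # 0 = query
        "broadcast": bool(flags & 0x0010),     # B bit of NM_FLAGS
        "questions": qdcount,
        "name": name[:15].rstrip(b"\x00 "),    # 15 name bytes, padding removed
        "suffix": name[15],                    # 16th byte: NetBIOS suffix
        "qtype": QTYPES.get(qtype, hex(qtype)),
        "qclass": qclass,
    }


if __name__ == "__main__":
    for field, value in parse_nbns_query(PAYLOAD).items():
        print(f"{field:12} {value!r}")
```

On the quoted payload this yields the wildcard name `*` (the letters `CK` decode to 0x2A, each `AA` to 0x00) with question type NBSTAT, which is a NetBIOS node status query.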