
SANS ISC: InfoSec Handlers Diary Blog


Outbound SSH Traffic from HP Virtual Connect Blades

Published: 2011-03-07
Last Updated: 2011-03-07 17:48:15 UTC
by Johannes Ullrich (Version: 1)

We had some readers (kudos for watching your traffic closely!) report outbound traffic from HP Virtual Connect Blades to on port 22.

No response is received from this IP address, and we guess it is a bug. Interestingly (I think Daniel noted it first), 49, 48, 46, 53 happen to be the ASCII codes for "1", "0", ".", "5". So we suspect some buggy code is trying to use an IP address starting with "10.5" (in this case, the blade's IP address started with "10.5").

To confirm this guess: If you have an HP Virtual Connect Blade, do you see similar traffic? Is it directed at a different IP address? Does the ASCII rule still apply for you?
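One way to test the "ASCII rule" against your own flow logs, as an added example that is not part of the original diary. The function names and the sample flow records are constructed for illustration; the destination in the first record is built from the four octets quoted above.

```python
import ipaddress

DOTTED_CHARS = set("0123456789.")

def ascii_alias(ip_text):
    """IPv4 address that results when the first four characters of a
    dotted-quad string are used as the four raw address bytes."""
    return str(ipaddress.IPv4Address(ip_text.encode("ascii")[:4]))

def decode_octets(ip_text):
    """Read the four octets as ASCII; return the text only if every
    character could appear in a dotted-quad string, else None."""
    raw = ipaddress.IPv4Address(ip_text).packed
    text = raw.decode("ascii", errors="replace")
    return text if set(text) <= DOTTED_CHARS else None

def find_ascii_rule_flows(flows, port=22):
    """Return (src, dst, prefix) for flows to `port` whose destination
    octets spell the first four characters of the source address."""
    hits = []
    for src, dst, dport in flows:
        if dport != port:
            continue
        prefix = decode_octets(dst)
        if prefix is not None and src.startswith(prefix):
            hits.append((src, dst, prefix))
    return hits

# Constructed sample flows: (source, destination, destination port)
SAMPLE_FLOWS = [
    ("10.5.12.7", "49.48.46.53", 22),     # octets spell "10.5", source matches
    ("10.5.12.7", "192.0.2.10", 22),      # ordinary SSH destination
    ("192.168.1.20", "49.57.50.46", 22),  # octets spell "192.", source matches
    ("172.16.4.9", "49.48.46.53", 22),    # spells "10.5" but source differs
    ("10.5.12.7", "49.48.46.53", 443),    # right address, wrong port
]

if __name__ == "__main__":
    for src, dst, prefix in find_ascii_rule_flows(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:22 (destination octets spell {prefix!r})")
    # Address to look for, given a blade's own IP address:
    print(ascii_alias("10.5.12.7"))
```

`ascii_alias` works in the other direction: given a blade's address, it returns the destination to search for in firewall or NetFlow logs.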

This workaround helped some users affected by this problem:

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: HP ssh