My next class:
Network Monitoring and Threat Detection In-DepthSingaporeNov 18th - Nov 23rd 2024

Outbound SSH Traffic from HP Virtual Connect Blades

Published: 2011-03-07. Last Updated: 2011-03-07 17:48:15 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)

We had some readers (kuddos for watching your traffic closely!) report outbound traffic from HP Virtual Connect Blades to 49.48.46.53 on port 22.

No response is received from this IP address, and we guess it is a bug. Interestingly (I think Daniel noted it first), 49, 48, 46, 53 happens to be the ASCII code for 1, 0, . , 5 . So we suspect some buggy code trying to use an IP address starting with "10.5" (in this case, the blade's IP address started with "10.5").

To confirm this guess: If you have an HP Virtual Connect Blade, do you see similar traffic? Is it directed at a different IP address? Does the ASCII rule still apply for you?

This workaround helped some users affected by this problem:

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02720395&lang=en&cc=us&taskId=101&prodSeriesId=3794423&prodTypeId=3709945

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: HP ssh
2 comment(s)
My next class:
Network Monitoring and Threat Detection In-DepthSingaporeNov 18th - Nov 23rd 2024

Comments

HP has identified a DNS related issue with HP Virtual Connect that does not impact data traffic but does impair the manageability of Virtual Connect devices. HP is acting promptly to help customers remove this issue in the short term with an interim resolution. Customer Advisory Document ID: c02720395, March 7, 2011 is available at the url below to address this issue. customers are encouraged to contact their local HP Support (http://welcome.hp.com/country/us/en/support.html)
if there are any questions or need for assistance. The interim resolution has proven success in removing the issue. A permanent firmware fix will be available in the near term. HP is committed to minimizing any impact on customer environments and to completely removing the issue as quickly as possible.

Download Customer Advisory Document ID: c02720395, March 7, 2011 at the following address:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02720395&lang=en&cc=us&taskId=101&prodSeriesId=3540808&prodTypeId=329290
i've seen destination 49.48.46.50, tcp/22.

Diary Archives