Outbound SSH Traffic from HP Virtual Connect Blades
Last Updated: 2011-03-07 17:48:15 UTC
by Johannes Ullrich (Version: 1)
We had some readers (kudos for watching your traffic closely!) report outbound traffic from HP Virtual Connect Blades to 184.108.40.206 on port 22.
No response is received from this IP address, and we guess it is a bug. Interestingly (I think Daniel noted it first), 49, 48, 46, 53 happen to be the ASCII codes for "1", "0", "." and "5". So we suspect some buggy code trying to use an IP address starting with "10.5" (in this case, the blade's IP address started with "10.5").
To confirm this guess: If you have an HP Virtual Connect Blade, do you see similar traffic? Is it directed at a different IP address? Does the ASCII rule still apply for you?
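To check the ASCII rule against your own flow records, the following added example (not part of the original diary and not HP code) decodes each port 22 destination as four ASCII characters and compares the result with the start of the source address. It assumes the bug copies the first four characters of the dotted-quad string as raw address bytes, which is only the hypothesis stated above; the function names and sample flows are constructed for illustration, and the check generalizes beyond "10.5" to any address prefix.

```python
import ipaddress

def ascii_misread(ip_text):
    """Destination that results if the first 4 characters of the
    dotted-quad string are copied as raw bytes into an IPv4 field."""
    ipaddress.IPv4Address(ip_text)           # reject malformed input
    raw = ip_text[:4].encode("ascii")        # "10.5" -> b"\x31\x30\x2e\x35"
    return str(ipaddress.IPv4Address(raw))

def decode_destination(dst):
    """Return the 4 octets of dst as text if every octet is a digit
    or a dot (characters found in a dotted quad), otherwise None."""
    text = ipaddress.IPv4Address(dst).packed.decode("latin-1")
    return text if all(c in "0123456789." for c in text) else None

def check_flows(flows, port=22):
    """flows: iterable of (src, dst, dport) tuples.
    Returns (src, dst, decoded_prefix, matches_source) for every flow
    on the given port whose destination decodes to ASCII digits/dots."""
    hits = []
    for src, dst, dport in flows:
        if dport != port:
            continue
        prefix = decode_destination(dst)
        if prefix is not None:
            hits.append((src, dst, prefix, src.startswith(prefix)))
    return hits

# Constructed sample flows (illustrative only, not taken from the diary).
SAMPLE_FLOWS = [
    ("10.5.20.11",  "49.48.46.53", 22),   # octets spell "10.5", matches source
    ("192.168.7.4", "49.57.50.46", 22),   # octets spell "192.", matches source
    ("10.5.20.11",  "10.5.0.1",    22),   # ordinary internal SSH, no decode
    ("172.16.3.9",  "49.48.46.53", 22),   # decodes, but not this source's prefix
    ("10.5.20.11",  "49.48.46.53", 443),  # wrong port, ignored
]

if __name__ == "__main__":
    for src, dst, prefix, match in check_flows(SAMPLE_FLOWS):
        verdict = "ASCII rule holds" if match else "decodes, source differs"
        print(f"{src} -> {dst}:22 spells {prefix!r} ({verdict})")
```

A flow where the decoded prefix matches the source supports the hypothesis; one that decodes but does not match the source deserves a separate look.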
This workaround helped some users affected by this problem:
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
if there are any questions or need for assistance. The interim resolution has proven success in removing the issue. A permanent firmware fix will be available in the near term. HP is committed to minimizing any impact on customer environments and to completely removing the issue as quickly as possible.
Download Customer Advisory Document ID: c02720395, March 7, 2011 at the following address: