
SANS ISC: Outbound SSH Traffic from HP Virtual Connect Blades - Internet Security | DShield SANS ISC InfoSec Forums


Outbound SSH Traffic from HP Virtual Connect Blades

We had some readers (kudos for watching your traffic closely!) report outbound traffic from HP Virtual Connect Blades to 49.48.46.53 on port 22.

No response is received from this IP address, and we guess it is a bug. Interestingly (I think Daniel noted it first), 49, 48, 46, 53 happen to be the ASCII codes for "1", "0", ".", "5". So we suspect some buggy code is trying to use an IP address starting with "10.5" (in this case, the blade's IP address started with "10.5").

To confirm this guess: If you have an HP Virtual Connect Blade, do you see similar traffic? Is it directed at a different IP address? Does the ASCII rule still apply for you?

This workaround helped some users affected by this problem:

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02720395&lang=en&cc=us&taskId=101&prodSeriesId=3794423&prodTypeId=3709945

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Johannes

3631 Posts
ISC Handler
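The ASCII check from the diary can be run over flow records to answer the questions it asks. This is an added example, not code from the diary or from HP; the flow tuple layout, the function names and the sample source addresses are assumptions constructed for illustration.

```python
import ipaddress

# Characters that can appear in the text form of an IPv4 address.
ADDRESS_CHARS = set("0123456789.")


def ascii_decode_ip(dst):
    """Read the four octets of dst as ASCII characters.

    Returns the 4-character string when every octet is a digit or a dot
    (as in 49.48.46.53 -> "10.5"), otherwise None.
    """
    packed = ipaddress.IPv4Address(dst).packed
    text = "".join(chr(b) for b in packed)
    return text if set(text) <= ADDRESS_CHARS else None


def find_ascii_destinations(flows, port=22):
    """Return flows to `port` whose destination decodes to address text.

    flows is an iterable of (src_ip, dst_ip, dst_port) tuples (assumed layout).
    matches_source is True when the decoded text is the start of the
    sender's own address, which is the pattern the diary describes.
    """
    hits = []
    for src, dst, dport in flows:
        if dport != port:
            continue
        decoded = ascii_decode_ip(dst)
        if decoded is None:
            continue
        hits.append({"src": src, "dst": dst, "decoded": decoded,
                     "matches_source": src.startswith(decoded)})
    return hits


# Constructed sample flows; only the destination addresses come from the page.
SAMPLE_FLOWS = [
    ("10.5.12.34", "49.48.46.53", 22),   # decodes to "10.5", prefix of source
    ("10.2.0.17", "49.48.46.50", 22),    # decodes to "10.2", prefix of source
    ("10.5.12.34", "49.48.46.50", 22),   # decodes, but not the source prefix
    ("10.5.12.34", "192.0.2.10", 22),    # ordinary SSH destination
    ("10.5.12.34", "49.48.46.53", 443),  # wrong port, ignored
]

if __name__ == "__main__":
    for hit in find_ascii_destinations(SAMPLE_FLOWS):
        print(hit)
```

A hit with matches_source set to False is still worth a look, since the decoded text may be the start of some other configured address rather than the blade's own.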
HP has identified a DNS-related issue with HP Virtual Connect that does not impact data traffic but does impair the manageability of Virtual Connect devices. HP is acting promptly to help customers remove this issue in the short term with an interim resolution. Customer Advisory Document ID: c02720395, March 7, 2011 is available at the URL below to address this issue. Customers are encouraged to contact their local HP Support (http://welcome.hp.com/country/us/en/support.html) if there are any questions or need for assistance. The interim resolution has proven successful in removing the issue. A permanent firmware fix will be available in the near term. HP is committed to minimizing any impact on customer environments and to completely removing the issue as quickly as possible.

Download Customer Advisory Document ID: c02720395, March 7, 2011 at the following address:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02720395&lang=en&cc=us&taskId=101&prodSeriesId=3540808&prodTypeId=329290
Anonymous
I've seen destination 49.48.46.50, tcp/22.
Alex

13 Posts
