Getting unsolicited TCP packets from Optimum machine.
I was running tcpdump while working on a machine, and noticed I started getting unsolicited traffic from (Optimum, I believe) to my port 4444. It now happens immediately each time I connect to the VPN. I was confused at first, thinking this was part of the box I was doing (dynstr), but the port 4444 raised alarm bells; we all know what we use that for a lot of the time. I'm wondering if anyone has any insights?

Now there's every chance I'm being stupid here, but I don't believe anything I've done has caused this. I did Optimum a long time ago, and haven't noticed any traffic from it before (I have run tcpdump recently in exactly the same manner and nothing odd). I figured it was better to be safe and see if someone at HTB might have a suggestion. I'm doing this here because the tech support isn't open until tomorrow. I captured some of the traffic in Wireshark.
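For anyone wanting to check a capture like this systematically rather than by eye, here is a small added example (my own, not something posted by the original author or provided by HTB). It parses tcpdump-style text lines and reports inbound TCP SYNs that arrive from hosts the local machine never initiated a connection to, grouped by remote IP and local port. The local VPN address `10.10.14.5` and all the packet lines are constructed for the example; the `unsolicited_inbound` and `parse_line` names are mine.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines for this example (not a real capture).
# 10.10.14.5 is the hypothetical local VPN address; 10.10.10.11 is a box we
# deliberately connected to; 10.10.10.8 keeps knocking on port 4444 unprompted.
SAMPLE_CAPTURE = """\
12:00:01.000000 IP 10.10.14.5.51234 > 10.10.10.11.80: Flags [S], seq 1, win 64240, length 0
12:00:01.010000 IP 10.10.10.11.80 > 10.10.14.5.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:05.000000 IP 10.10.10.8.49733 > 10.10.14.5.4444: Flags [S], seq 3, win 8192, length 0
12:00:06.000000 IP 10.10.10.8.49733 > 10.10.14.5.4444: Flags [S], seq 3, win 8192, length 0
12:00:07.000000 IP 10.10.10.8.49734 > 10.10.14.5.4444: Flags [S], seq 4, win 8192, length 0
12:00:08.000000 IP 10.10.10.11.80 > 10.10.14.5.51234: Flags [P.], seq 2:100, ack 2, win 65535, length 98
"""

# Matches "<timestamp> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>]".
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Pull endpoints and TCP flags out of one tcpdump line; None if it is not TCP."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    return d


def is_pure_syn(flags):
    """tcpdump prints ACK as '.', so a fresh connection attempt is 'S' without '.'."""
    return "S" in flags and "." not in flags


def unsolicited_inbound(capture_text, local_ip):
    """Count inbound SYNs per (remote_ip, local_port) that come from hosts
    local_ip itself never initiated a connection to anywhere in the capture."""
    contacted = set()   # remote IPs we sent a SYN to
    inbound = []        # SYNs aimed at us
    for line in capture_text.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        if p["src"] == local_ip and is_pure_syn(p["flags"]):
            contacted.add(p["dst"])
        elif p["dst"] == local_ip and is_pure_syn(p["flags"]):
            inbound.append(p)
    counts = defaultdict(int)
    for p in inbound:
        if p["src"] not in contacted:
            counts[(p["src"], p["dport"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for (remote, port), n in unsolicited_inbound(SAMPLE_CAPTURE, "10.10.14.5").items():
        print(f"{remote} -> local port {port}: {n} unsolicited SYN(s)")
```

Feed it the output of `tcpdump -n -i tun0 tcp` saved to a file (the `-n` is needed so addresses are not resolved to names, which the regex does not expect). Because the set of contacted hosts is built over the whole capture before anything is judged, a box you connected to later in the session is still excluded; what remains are hosts like the one in this thread, which talk to you without you ever having talked to them.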

Perhaps someone simply fat-fingered their IP when setting up a revshell…

I've fat-fingered reverse shell IPs before lol!

It stopped happening the next day, by which time my IP had changed.

I’ve done that too lol

It could also be from people testing RCE with indefinite pings and not killing the process, then being logged off when you log in, and their IP getting assigned to you because of DHCP.