Subject: AW: Strange ICMP

Hi Ron, here's a more detailed analysis about this "icmp" behaviour of the sasser.d worm.

http://www.sophos.com/virusinfo/analyses/w32sasserd.html

chris

-----Original Message-----
From: intrusions-bounces@xxxxxxxxxxxxxx [mailto:intrusions-bounces@xxxxxxxxxxxxxx] On Behalf Of Ron Shuck
Sent: Tuesday, 18 May 2004 20:29
To: Intrusions List (GCIA Practicals)
Subject: RE: [Intrusions] Strange ICMP

The packets all have 36 bytes of 0x00. The checksums and IDs do not appear visually to be crafted, at least there is no pattern I can see. The TTL values are reasonable based on a traceroute if the initial TTL was 64. This leads me to believe they are not generated by a Windows machine, but more likely a Linux, FreeBSD, or *NIX. Hmmmm!

Ron Shuck, CISSP, GCIA, CCSE - Managing Consultant
Buchanan Associates - A Technology Company in the People Business

-----Original Message-----
From: Heather Flanagan [mailto:heather@xxxxxxxx]
Sent: Tuesday, May 18, 2004 12:57 PM
To: Intrusions List (GCIA Practicals)
Subject: Re: [Intrusions] Strange ICMP

Is there anything interesting/unusual about the ping packets themselves?

-heather f.

On May 18, 2004, at 10:48 AM, Ron Shuck wrote:

> Hi,
>
> I am detecting an increased amount of ICMP Ping traffic. The strange
> thing is that there are several sources that are hitting us about 1000
> times a week. All of these sources have a last octet of some form of
> 36 and 37.
>
> 63.163.102.36 & 37
> 216.34.77.36 & 37
> 64.209.232.36 & 37
> 61.213.167.236 & 237
> 193.95.144.136 & 137
>
> These are from different ISPs and in a couple countries. The
> destination is on a Cable Modem that has no inbound access. It's not
> causing an issue, it's just anomalous.
>
> Anyone else seeing this kind of traffic, or have any ideas on the
> origin?
>
> Ron Shuck, CISSP, GCIA, CCSE - Managing Consultant
> Buchanan Associates - A Technology Company in the People Business
> _______________________________________________
> Intrusions mailing list
> Intrusions@xxxxxxxxxxxxxx
> http://www.dshield.org/mailman/listinfo/intrusions
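The traits Ron reports in the thread above (36 bytes of 0x00 payload, checksums and IDs that look genuine, TTLs consistent with an initial TTL of 64) can be checked mechanically over captured echo requests. The following Python is an added example and is not part of the original thread or of any tool the posters used. It builds a handful of constructed ICMP echo requests from the source addresses quoted above (the TTLs, IDs and sequence numbers are invented, and 198.51.100.9 is an RFC 5737 test address added as a Windows-style contrast), verifies each ICMP checksum, infers the probable initial TTL and hop count from a table of common defaults (an assumption, not something the thread states), and lists the sources whose echo requests are exactly 36 zero bytes.

```python
"""Added example: triage of ICMP echo requests carrying a fixed 36-byte zero payload."""
import struct
from collections import defaultdict

# Assumed common default initial TTLs: 32 (old Windows), 64 (Linux/BSD/*NIX),
# 128 (Windows), 255 (Solaris, many network devices).
INITIAL_TTLS = (32, 64, 128, 255)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP type 8 / code 0 echo request with a valid checksum (used only to build sample input)."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Split an ICMP message into header fields and payload and verify its checksum.

    The checksum over the whole message, checksum field included, folds to 0 when valid.
    """
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {
        "type": icmp_type, "code": code, "checksum": csum,
        "id": ident, "seq": seq, "payload": packet[8:],
        "checksum_ok": inet_checksum(packet) == 0,
    }


def infer_initial_ttl(ttl: int):
    """Return (assumed initial TTL, hop count) using the nearest default at or above the observed TTL."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial, initial - ttl
    raise ValueError("TTL out of range")


def summarize(records):
    """Group echo requests per source and report the traits discussed in the thread."""
    by_src = defaultdict(list)
    for src, ttl, packet in records:
        by_src[src].append((ttl, parse_icmp(packet)))
    report = {}
    for src, items in by_src.items():
        ttls = [t for t, _ in items]
        initial, _ = infer_initial_ttl(max(ttls))  # highest TTL seen is closest to the sender's default
        report[src] = {
            "count": len(items),
            "payload_len": sorted({len(p["payload"]) for _, p in items}),
            "all_zero_payload": all(p["payload"] == b"\x00" * len(p["payload"]) for _, p in items),
            "checksums_ok": all(p["checksum_ok"] for _, p in items),
            "initial_ttl_guess": initial,
            "hops": sorted({initial - t for t in ttls}),
        }
    return report


def flag_zero_payload_sources(report, length=36):
    """Sources whose echo requests are all-zero and exactly `length` bytes long (the pattern in the thread)."""
    return sorted(src for src, r in report.items()
                  if r["all_zero_payload"] and r["payload_len"] == [length])


# Constructed sample: three sources quoted in the thread sending 36 x 0x00 with *NIX-like TTLs,
# plus one Windows-style ping (32-byte "abcdefghijklmnopqrstuvwabcdefghi" payload, TTL near 128).
ZERO36 = b"\x00" * 36
WINDOWS_PAYLOAD = bytes(range(0x61, 0x61 + 23)) + bytes(range(0x61, 0x61 + 9))
SAMPLE = [
    ("63.163.102.36", 51, build_echo_request(0x1A2B, 1, ZERO36)),
    ("63.163.102.37", 51, build_echo_request(0x3C4D, 1, ZERO36)),
    ("216.34.77.36", 48, build_echo_request(0x0102, 7, ZERO36)),
    ("63.163.102.36", 50, build_echo_request(0x1A2C, 2, ZERO36)),
    ("198.51.100.9", 115, build_echo_request(0x0001, 3, WINDOWS_PAYLOAD)),
]

if __name__ == "__main__":
    report = summarize(SAMPLE)
    for src, row in report.items():
        print(src, row)
    print("36-byte zero-payload sources:", flag_zero_payload_sources(report))
```

The hop count is only as good as the initial-TTL guess, which is why the script reports the assumed default alongside it; comparing the hop count against a traceroute to the source, as Ron did, is what turns the guess into evidence about the sending OS.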