Security Basics mailing list archives
RE: Strange pings from 127.0.0.1
From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 24 Jun 2004 12:37:19 -0700
I believe some Cisco gear has used DEC chipsets. Check the MAC addresses of your router -- if it's a match, then you know this traffic is coming from outside.

David Gillett
-----Original Message-----
From: Tim Schwimer [mailto:tschwimer () hotmail com]
Sent: Thursday, June 24, 2004 9:24 AM
To: security-basics () securityfocus com
Subject: Re: Strange pings from 127.0.0.1
In-Reply-To: <20040618220642.GA17943 () ranjeet-pc2 zultys com>

Thanks for the suggestions. I'll look into seeing if I can't trace down the infected device by assuming any target host is not the source.

As for the MAC, it just doesn't make any sense to me. I know that they are DEC addresses, and that we do not have any devices with DEC NICs. Nor do they show up in the CAM table on the switch. In addition, port security is turned on for every active port on the switch. One would think that a packet with an invalid source MAC seen by the switch would cause a port violation and shut the port down. One of the problems I'm having is that the code on the switch is very old. I've been trying to get it updated but am limited, being that it's a 24x7 production environment (that, and the fact that no one else seems to care about the issue!!!). So I am not convinced that the issue is not being exacerbated by some anomalous behavior of the switch.

Strange part about it, though, is that while I see the traffic on multiple segments, I do not see it on every port in those segments. In addition, while I see it both tx and rx on all of my FW ports, tcpdump on the FW indicates that it is not seeing any of the traffic at all. Likewise, rules on the FW to block all of the traffic do not get any hits at all.

Keep the thoughts coming, guys. I appreciate it.

-t

From: Ranjeet Shetye <ranjeet.shetye2 () zultys com>
Date: Fri, 18 Jun 2004 15:06:42 -0700
To: security-basics () securityfocus com
Subject: Re: Strange pings from 127.0.0.1
Message-ID: <20040618220642.GA17943 () ranjeet-pc2 zultys com>
In-Reply-To: <BAY8-F267zD5J47Oksz00087f7d () hotmail com>

Consider a packet of the type

  Eth_DST=Eth_A
  Eth_SRC=Eth_B
  Eth_Type=IP
  IP_Src=127.0.0.1
  IP_Dst=IP_D

On Linux, packets from localhost to a local IP don't make it onto the network. Assuming the same to be the case on Windows, any target hosts (IP_D) that you see ICMPs for are probably NOT the origin of THIS packet. This might help you narrow the possible sources of the traffic.

Next (assuming non-promiscuous mode of operation by the NIC), I fail to understand how the author of this attack intends to reach his/her targets if the dest MAC addresses are fake! I might be missing something obvious, so if someone can point it out to me, that would be great. Thanks.

Instead of an attack, it might be that you have someone on your network who is learning socket or libnet programming, and is testing his/her networking coding skills on the corporate network. That might explain the non-existent destination MAC addresses - which, I admit again, don't make a lot of sense to me. **Unless** some kind of ARP-poisoning scheme is being executed, so that switches are forced to forward all traffic on all ports because their internal ARP tables are messed up. In which case, maybe you need to lock down the ARP tables in your managed switches, if you can.

I am very curious about this traffic pattern; please let us know the answer once you've resolved it.

thanks,
--
Ranjeet Shetye
Senior Software Engineer
Zultys Technologies
Ranjeet dot Shetye at Zultys dot com
http://www.zultys.com/
The views, opinions, and judgements expressed in this message are solely those of the author. The message contents have not been reviewed or approved by Zultys.

* Timothy Schwimer (tschwimer () hotmail com) wrote:

Not yet. Doesn't sound like you're having the same issue though. Mine is all ICMP traffic, all sourced from the loopback, but destined to several different host IPs. In addition, the source and dest MAC are always the same regardless of the IPs.

I'm fairly certain that I've got a compromised host, but with the source IP being a loopback, I've got no way of deducing which host.

From: Murad Talukdar <talukdar_m () subway com>
To: Tim Schwimer <tschwimer () hotmail com>, security-basics () securityfocus com
Subject: Re: Strange pings from 127.0.0.1
Date: Fri, 18 Jun 2004 09:43:07 +1000

I've been getting this on my router logs saying that the TCP got dropped.

  Source: 127.0.0.1, 80, WAN - Destination: 210.80.144.150, 1912, LAN - 'Suspicious TCP Data'

Did you work out what it was with the pings? Not sure if it's similar or not.

Murad Talukdar

----- Original Message -----
From: "Tim Schwimer" <tschwimer () hotmail com>
To: <security-basics () securityfocus com>
Sent: Sunday, June 13, 2004 5:24 PM
Subject: Re: Strange pings from 127.0.0.1
In-Reply-To: <GAEPLEDFDDGJLBGAABCNKENBCMAA.gg () stober mailsnare net>

I started seeing the same thing on my DMZ segments this Friday afternoon at about 4:00pm (figures, huh??). Anyway, I was wondering what you found out about this. Any insight would be appreciated.

Thanks,
T

From: "Marc" <gg () stober mailsnare net>
To: <security-basics () securityfocus com>
Subject: Strange pings from 127.0.0.1
Date: Thu, 13 May 2004 23:55:35 -0400
Message-ID: <GAEPLEDFDDGJLBGAABCNKENBCMAA.gg () stober mailsnare net>

The networked applications I am responsible for have been performing slowly. When I tried to run Ethereal on my computer, I found some odd ICMP echo request (ping) packets with a source IP of 127.0.0.1, to addresses both within our 192.168.1.* network as well as to random Internet addresses. The source and destination MAC addresses aren't anything I can associate with a computer on our network (and they're not the real MAC address of my computer), so I think maybe these packets are spoofed? Could this be some sort of virus or DoS attack somewhere within our network? I haven't seen anything quite like this mentioned online anywhere.

Thanks,
Marc

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html
---------------------------------------------------------------------------
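As an added example, not code from any poster in this thread, here is the triage the thread converges on, applied to raw frames: keep only ICMP echo requests whose IP source is in 127.0.0.0/8, record the Ethernet source/destination pair (the only real handle on the sender, since the IP source is meaningless), compare the source MAC against the router's MAC as David suggests, and strike every destination host off the list of candidate origins as Ranjeet suggests, because a host does not put its own loopback-sourced packets on the wire. The frames are constructed inline (untagged Ethernet is assumed; 802.1Q-tagged captures would need the offsets shifted by four), the router MAC 00:11:22:33:44:55 and the second OUI table entry are assumptions, and 08:00:2B is a genuine DEC OUI.

```python
"""Triage of ICMP echo requests that claim an IP source in 127.0.0.0/8.

Added example, not code from anyone in this thread. It parses raw
Ethernet/IPv4/ICMP frames (untagged Ethernet assumed) and applies the two
checks discussed in the thread: does the source MAC match the router's MAC,
and which destination hosts can be excluded as the origin.
"""
import ipaddress
import struct

# Partial OUI table. 08:00:2B is Digital Equipment Corporation's OUI;
# the 00:11:22 entry is an assumption used only for the sample frames.
OUI_TABLE = {
    "08:00:2B": "Digital Equipment Corporation",
    "00:11:22": "Example vendor (assumed)",
}
ROUTER_MAC = "00:11:22:33:44:55"  # assumed router MAC, not from the thread


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def checksum(data):
    """RFC 1071 one's-complement checksum over the given bytes."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(src_mac, dst_mac, src_ip, dst_ip, ident=1, seq=1):
    """Build an Ethernet/IPv4/ICMP echo-request frame (sample input only)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00"
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + b"ping"
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 64, 1, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return eth + ip + icmp


def parse_frame(frame):
    """Return the fields triage needs, or None for anything that is not IPv4."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[14 + 9]
    return {
        "dst_mac": mac_str(frame[0:6]),
        "src_mac": mac_str(frame[6:12]),
        "src_ip": str(ipaddress.IPv4Address(frame[26:30])),
        "dst_ip": str(ipaddress.IPv4Address(frame[30:34])),
        "proto": proto,
        # A valid IPv4 header checksums to zero when the checksum field is included.
        "ip_checksum_ok": checksum(frame[14:14 + ihl]) == 0,
        "icmp_type": frame[14 + ihl] if proto == 1 and len(frame) > 14 + ihl else None,
    }


def triage(frames, router_mac=ROUTER_MAC):
    """Pick out loopback-sourced echo requests and summarise what they tell us."""
    suspects = []
    for frame in frames:
        p = parse_frame(frame)
        if p and p["icmp_type"] == 8 and ipaddress.IPv4Address(p["src_ip"]).is_loopback:
            suspects.append(p)
    return {
        "count": len(suspects),
        # The MAC pair is the handle to chase in the switch CAM table.
        "mac_pairs": {(p["src_mac"], p["dst_mac"]) for p in suspects},
        "source_vendors": {OUI_TABLE.get(p["src_mac"][:8].upper(), "unknown OUI")
                           for p in suspects},
        # If the frames carry the router's MAC they arrived from outside.
        "source_is_router": any(p["src_mac"].lower() == router_mac.lower() for p in suspects),
        # A host does not emit its own 127.0.0.1-sourced packets onto the wire,
        # so the targets are not the origin of the frames addressed to them.
        "excluded_as_origin": sorted({p["dst_ip"] for p in suspects}),
    }


# Constructed sample capture: three spoofed pings carrying DEC-OUI MACs and
# one ordinary ping between two hosts on the LAN.
SAMPLE_FRAMES = [
    build_icmp_echo("08:00:2b:aa:bb:cc", "08:00:2b:dd:ee:ff", "127.0.0.1", "192.168.1.10"),
    build_icmp_echo("08:00:2b:aa:bb:cc", "08:00:2b:dd:ee:ff", "127.0.0.1", "192.168.1.20"),
    build_icmp_echo("08:00:2b:aa:bb:cc", "08:00:2b:dd:ee:ff", "127.0.0.1", "203.0.113.7"),
    build_icmp_echo("00:11:22:00:00:05", "00:11:22:33:44:55", "192.168.1.5", "192.168.1.1"),
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_FRAMES).items():
        print(f"{key}: {value}")
```

On a live network the same fields come from `tcpdump -e -n icmp` (the `-e` prints the link-level header) or from frames read with a pcap library; running a few hundred of them through `triage()` yields the MAC pair to look for in the switch CAM table, the vendor it decodes to, and the hosts that can be skipped when hunting for the sender.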
Current thread:
- RE: Strange pings from 127.0.0.1, (continued)
- RE: Strange pings from 127.0.0.1 David Gillett (Jun 24)
- Strange pings from 127.0.0.1 Andrew Aris (Jun 22)
- Re: Strange pings from 127.0.0.1 Alan Hicks (Jun 23)
- Re: Strange pings from 127.0.0.1 Kelly John Rose (Jun 23)
- RE: Strange pings from 127.0.0.1 David Gillett (Jun 24)
- RE: Strange pings from 127.0.0.1 Andrew Aris (Jun 24)
- Re: Strange pings from 127.0.0.1 Kelly John Rose (Jun 25)
- Re: Strange pings from 127.0.0.1 SecurityFocus Lists (Jun 24)
- Re: Strange pings from 127.0.0.1 Kelly John Rose (Jun 25)
- RE: Strange pings from 127.0.0.1 David Gillett (Jun 25)
- Re: Strange pings from 127.0.0.1 Ranjeet Shetye (Jun 26)