Security Basics mailing list archives

RE: Strange pings from 127.0.0.1


From: "Timothy Schwimer" <tschwimer () hotmail com>
Date: Sun, 27 Jun 2004 23:02:16 +0000

Right on, but the MACs still don't match.
thx,
t


From: "David Gillett" <gillettdavid () fhda edu>
Reply-To: <gillettdavid () fhda edu>
To: "'Tim Schwimer'" <tschwimer () hotmail com>, <security-basics () securityfocus com>
Subject: RE: Strange pings from 127.0.0.1
Date: Thu, 24 Jun 2004 12:37:19 -0700

  I believe some Cisco gear has used DEC chipsets.  Check the
MAC addresses of your router -- if it's a match, then you know
this traffic is coming from outside.

David Gillett


> -----Original Message-----
> From: Tim Schwimer [mailto:tschwimer () hotmail com]
> Sent: Thursday, June 24, 2004 9:24 AM
> To: security-basics () securityfocus com
> Subject: Re: Strange pings from 127.0.0.1
>
> Thanks for the suggestions. I'll look into seeing if I can't
> trace down the infected device by assuming any target host is
> not the source.
> As for the MAC, it just doesn't make any sense to me. I know
> that they are DEC addresses, and that we do not have any
> devices with DEC NICs. Nor do they show up in the CAM table
> on the switch. In addition, port security is turned on for
> every active port on the switch. One would think that a
> packet with an invalid source MAC seen by the switch would
> cause a port violation and shut the port down.
> One of the problems I'm having is the code on the switch is
> very old. I've been trying to get it updated but am limited
> being that it's a 24x7 production environment (that and the
> fact that no one else seems to care about the issue!!!). So I
> am not convinced that the issue is not being exacerbated by
> some anomalous behavior of the switch. Strange part about it
> though is that while I see the traffic on multiple segments,
> I do not see it on every port in those segments.
> In addition, while I see it both tx and rx on all of my FW
> ports, tcpdump on the FW indicates that it is not seeing any
> of the traffic at all. Likewise, rules on the FW to block all
> of the traffic do not get any hits at all.
> Keep the thoughts coming guys. I appreciate it.
> -t
>
> >Date: Fri, 18 Jun 2004 15:06:42 -0700
> >From: Ranjeet Shetye <ranjeet.shetye2 () zultys com>
> >To: security-basics () securityfocus com
> >Subject: Re: Strange pings from 127.0.0.1
> >
> >consider a packet of the type
> >
> >Eth_DST=Eth_A
> >Eth_SRC=Eth_B
> >Eth_Type=IP
> >IP_Src=127.0.0.1
> >IP_Dst=IP_D
> >
> >On Linux - packets from localhost to a local IP don't make it onto the
> >network. Assuming the same to be the case on Windows, any target hosts
> >(IP_D) that you see ICMPs for are probably NOT the origin of THIS packet.
> >This might help you narrow the possible sources of the traffic.
> >
> >Next, (assuming non-promiscuous mode of operation by the NIC) I fail to
> >understand how the author of this attack intends to reach his/her targets,
> >if the dest MAC addresses are fake! I might be missing something obvious,
> >so if someone can point it out to me, that would be great. thanks.
> >
> >Instead of an attack, it might be that you have someone on your network
> >who is learning socket or libnet programming, and is testing his/her
> >networking coding skills on the corporate network. That might explain
> >the non-existent destination MAC addresses - which I admit again, don't
> >make a lot of sense to me.
> >
> >**Unless**, some kind of an ARP-poisoning scheme is being executed,
> >so that switches are forced to forward all traffic on all ports cos their
> >internal arp tables are messed up.
> >
> >In which case, maybe you need to lock down the arp tables in your managed
> >switches, if you can.
> >
> >I am very curious about this traffic pattern, please let us know the
> >answer once you've resolved it. thanks,
> >
> >--
> >Ranjeet Shetye
> >Senior Software Engineer
> >Zultys Technologies
> >Ranjeet dot Shetye at Zultys dot com
> >http://www.zultys.com/
> >
> >* Timothy Schwimer (tschwimer () hotmail com) wrote:
> >> Not yet. Doesn't sound like you're having the same issue though. Mine is
> >> all ICMP traffic, all sourced from the loopback, but destined to several
> >> different host IPs.  In addition, the source and dest MAC are always the
> >> same regardless of the IPs.
> >> I'm fairly certain that I've got a compromised host, but with the source IP
> >> being a loopback, I've got no way of deducing which host.
> >>
> >> >From: Murad Talukdar <talukdar_m () subway com>
> >> >To: Tim Schwimer <tschwimer () hotmail com>, security-basics () securityfocus com
> >> >Subject: Re: Strange pings from 127.0.0.1
> >> >Date: Fri, 18 Jun 2004 09:43:07 +1000
> >> >
> >> >I've been getting this on my router logs saying that the tcp got dropped.
> >> > Source:127.0.0.1, 80, WAN - Destination:210.80.144.150, 1912, LAN -
> >> >'Suspicious TCP Data'
> >> >
> >> >Did you work out what it was with the pings? Not sure if it's similar or
> >> >not.
> >> >
> >> >Murad Talukdar
> >> >
> >> >----- Original Message -----
> >> >From: "Tim Schwimer" <tschwimer () hotmail com>
> >> >To: <security-basics () securityfocus com>
> >> >Sent: Sunday, June 13, 2004 5:24 PM
> >> >Subject: Re: Strange pings from 127.0.0.1
> >> >
> >> >
> >> >> I started seeing the same thing on my DMZ segments this Friday afternoon
> >> >> at about 4:00pm (figures, huh??). Anyway, I was wondering what you found
> >> >> out about this. Any insight would be appreciated.
> >> >> Thanks,
> >> >> T
> >> >> >From: "Marc" <gg () stober mailsnare net>
> >> >> >To: <security-basics () securityfocus com>
> >> >> >Subject: Strange pings from 127.0.0.1
> >> >> >Date: Thu, 13 May 2004 23:55:35 -0400
> >> >> >
> >> >> >The networked applications I am responsible for have been performing
> >> >> >slowly. When I tried to run Ethereal on my computer, I found some odd ICMP
> >> >> >echo request (ping) packets with a source IP of 127.0.01, to addresses both
> >> >> >within our 192.168.1.* network as well as to random Internet addresses. The
> >> >> >source and destination MAC addresses aren't anything I can associate with a
> >> >> >computer on our network (and they're not the real MAC address of my
> >> >> >computer), so I think maybe these packets are spoofed? Could this be some
> >> >> >sort of virus or DOS attack somewhere within our network? I haven't seen
> >> >> >anything quite like this mentioned online anywhere.
> >> >> >
> >> >> >Thanks, Marc
> >> >> >





---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------
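An added example, not code from anyone in this thread: a small triage script that applies the checks discussed above to captured frames. It decodes Ethernet II / IPv4 headers, flags any frame whose IP source lies in 127.0.0.0/8 (an address that should never appear as a source on the wire), tallies the constant source and destination MACs Tim describes, looks the source OUI up in a vendor table, checks it against the switch CAM table and the router MAC as David suggests, and records the pinged targets as hosts ruled out as the origin per Ranjeet's reasoning. The sample frames, the CAM table, the router MAC and the Cisco OUI entry are constructed fixtures; only the 08:00:2b prefix is a real Digital Equipment Corporation OUI.

```python
"""Triage of frames whose IPv4 source is the loopback address (constructed example)."""
import ipaddress
import struct
from collections import Counter

ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1
LOOPBACK_NET = ipaddress.IPv4Network("127.0.0.0/8")

# Constructed partial OUI table: 08:00:2b is a genuine Digital Equipment
# Corporation prefix; the Cisco entry is an assumption for the demonstration.
OUI_VENDORS = {
    "08:00:2b": "Digital Equipment Corporation",
    "00:00:0c": "Cisco Systems",
}


def mac_to_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_icmp_frame(dst_mac, src_mac, ip_src, ip_dst):
    """Build a minimal Ethernet II / IPv4 / ICMP echo request (checksums left zero)."""
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1)  # type 8 = echo request
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(icmp), 0, 0, 64, IPPROTO_ICMP, 0,
        ipaddress.IPv4Address(ip_src).packed,
        ipaddress.IPv4Address(ip_dst).packed,
    )
    return eth + ip + icmp


def parse_frame(raw):
    """Decode the Ethernet and IPv4 headers; returns None for non-IPv4 frames."""
    if len(raw) < 34:
        raise ValueError("frame too short for Ethernet II + IPv4")
    dst, src, ethertype = struct.unpack("!6s6sH", raw[:14])
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = raw[14:34]
    return {
        "dst_mac": mac_to_str(dst),
        "src_mac": mac_to_str(src),
        "proto": ip[9],
        "ip_src": ipaddress.IPv4Address(ip[12:16]),
        "ip_dst": ipaddress.IPv4Address(ip[16:20]),
    }


def is_martian_source(addr):
    """A 127/8 source must never appear on the wire (RFC 1122 section 3.2.1.3)."""
    return addr in LOOPBACK_NET


def oui_vendor(mac):
    return OUI_VENDORS.get(mac[:8].lower(), "unknown")


def triage(raw_frames, cam_table, router_macs):
    """Summarise loopback-sourced frames and what can be inferred about their origin."""
    cam = {m.lower() for m in cam_table}
    routers = {m.lower() for m in router_macs}
    report = {
        "martian_frames": 0,
        "src_macs": Counter(),
        "dst_macs": Counter(),
        "excluded_hosts": set(),  # pinged targets, ruled out as the origin
        "src_mac_in_cam": {},
        "src_mac_is_router": {},
        "src_mac_vendor": {},
    }
    for raw in raw_frames:
        f = parse_frame(raw)
        if f is None or not is_martian_source(f["ip_src"]):
            continue
        report["martian_frames"] += 1
        mac = f["src_mac"]
        report["src_macs"][mac] += 1
        report["dst_macs"][f["dst_mac"]] += 1
        # Ranjeet's argument: a host does not put a loopback-sourced packet for
        # another host on the wire, so the pinged targets are not the origin.
        report["excluded_hosts"].add(str(f["ip_dst"]))
        # Tim's observation: the source MAC is absent from the switch CAM table.
        report["src_mac_in_cam"][mac] = mac in cam
        # David's check: a source MAC equal to the router's means the frames
        # are being forwarded in from outside the segment.
        report["src_mac_is_router"][mac] = mac in routers
        report["src_mac_vendor"][mac] = oui_vendor(mac)
    return report


# Constructed sample: three loopback-sourced pings with constant, unknown MACs
# (as described in the thread) plus one ordinary ping that must not be flagged.
SAMPLE_FRAMES = [
    build_icmp_frame("08:00:2b:11:22:33", "08:00:2b:44:55:66", "127.0.0.1", "192.168.1.20"),
    build_icmp_frame("08:00:2b:11:22:33", "08:00:2b:44:55:66", "127.0.0.1", "192.168.1.21"),
    build_icmp_frame("08:00:2b:11:22:33", "08:00:2b:44:55:66", "127.0.0.1", "203.0.113.9"),
    build_icmp_frame("00:00:0c:aa:bb:01", "00:11:22:33:44:55", "192.168.1.10", "192.168.1.1"),
]
# Constructed switch CAM table and router MAC; neither contains the odd source MAC.
SAMPLE_CAM = {"00:11:22:33:44:55", "00:00:0c:aa:bb:01"}
SAMPLE_ROUTER_MACS = {"00:00:0c:aa:bb:01"}

if __name__ == "__main__":
    r = triage(SAMPLE_FRAMES, SAMPLE_CAM, SAMPLE_ROUTER_MACS)
    print(f"{r['martian_frames']} loopback-sourced frames")
    for mac, n in r["src_macs"].items():
        print(f"  src {mac} x{n}: vendor={r['src_mac_vendor'][mac]} "
              f"in_cam={r['src_mac_in_cam'][mac]} is_router={r['src_mac_is_router'][mac]}")
    print("  targets ruled out as origin:", sorted(r["excluded_hosts"]))
```

On a live segment the same triage applies to frames read from a pcap; the point of the CAM and router comparisons is that a source MAC the switch has never learned, and which is not the router's, is consistent with a locally injected or spoofed frame rather than one forwarded in from outside.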

