Security Basics mailing list archives
RE: Strange pings from 127.0.0.1
From: "Timothy Schwimer" <tschwimer () hotmail com>
Date: Sun, 27 Jun 2004 23:02:16 +0000
Right on, but the MACs still don't match. Thx, t
From: "David Gillett" <gillettdavid () fhda edu>
Reply-To: <gillettdavid () fhda edu>
To: "'Tim Schwimer'" <tschwimer () hotmail com>, <security-basics () securityfocus com>
Subject: RE: Strange pings from 127.0.0.1
Date: Thu, 24 Jun 2004 12:37:19 -0700

I believe some Cisco gear has used DEC chipsets. Check the MAC addresses of your router -- if it's a match, then you know this traffic is coming from outside.

David Gillett

> -----Original Message-----
> From: Tim Schwimer [mailto:tschwimer () hotmail com]
> Sent: Thursday, June 24, 2004 9:24 AM
> To: security-basics () securityfocus com
> Subject: Re: Strange pings from 127.0.0.1
>
> In-Reply-To: <20040618220642.GA17943 () ranjeet-pc2 zultys com>
>
> Thanks for the suggestions. I'll look into seeing if I can't trace down the infected device by assuming any target host is not the source.
>
> As for the MAC, it just doesn't make any sense to me. I know that they are DEC addresses, and that we do not have any devices with DEC NICs. Nor do they show up in the CAM table on the switch. In addition, port security is turned on for every active port on the switch. One would think that a packet with an invalid source MAC seen by the switch would cause a port violation and shut the port down.
>
> One of the problems I'm having is the code on the switch is very old. I've been trying to get it updated but am limited being that it's a 24x7 production environment (that and the fact that no one else seems to care about the issue!!!). So I am not convinced that the issue is not being exacerbated by some anomalous behavior of the switch. Strange part about it though is that while I see the traffic on multiple segments, I do not see it on every port in those segments.
>
> In addition, while I see it both tx and rx on all of my FW ports, tcpdump on the FW indicates that it is not seeing any of the traffic at all. Likewise, rules on the FW to block all of the traffic do not get any hits at all.
>
> Keep the thoughts coming guys. I appreciate it.
>
> -t
>
> > Date: Fri, 18 Jun 2004 15:06:42 -0700
> > From: Ranjeet Shetye <ranjeet.shetye2 () zultys com>
> > To: security-basics () securityfocus com
> > Subject: Re: Strange pings from 127.0.0.1
> >
> > consider a packet of the type
> >
> > Eth_DST=Eth_A
> > Eth_SRC=Eth_B
> > Eth_Type=IP
> > IP_Src=127.0.0.1
> > IP_Dst=IP_D
> >
> > On Linux - packets from localhost to a local IP don't make it onto the network. Assuming the same to be the case on Windows, any target hosts (IP_D) that you see ICMPs for, are probably NOT the origin of THIS packet. This might help you narrow the possible sources of the traffic.
> >
> > Next, (assuming non-promiscuous mode of operation by the NIC) I fail to understand how the author of this attack intends to reach his/her targets, if the dest MAC addresses are fake! I might be missing something obvious, so if someone can point it out to me, that would be great. thanks.
> >
> > Instead of an attack, it might be that you have someone on your network who is learning socket or libnet programming, and is testing his/her networking coding skills on the corporate network. That might explain the non-existent destination MAC addresses - which I admit again, don't make a lot of sense to me.
> >
> > **Unless**, some kind of an ARP-poisoning scheme is being executed, so that switches are forced to forward all traffic on all ports cos their internal arp tables are messed up.
> >
> > In which case, maybe you need to lock down the arp tables in your managed switches, if you can.
> >
> > I am very curious about this traffic pattern, please let us know the answer once you've resolved it. thanks,
> >
> > --
> > Ranjeet Shetye
> > Senior Software Engineer
> > Zultys Technologies
> > Ranjeet dot Shetye at Zultys dot com
> > http://www.zultys.com/
> >
> > The views, opinions, and judgements expressed in this message are solely those of the author. The message contents have not been reviewed or approved by Zultys.
> >
> > * Timothy Schwimer (tschwimer () hotmail com) wrote:
> >> Not yet. Doesn't sound like you're having the same issue though. Mine is all ICMP traffic, all sourced from the loopback, but destined to several different host IPs. In addition, the source and dest MAC are always the same regardless of the IPs.
> >>
> >> I'm fairly certain that I've got a compromised host, but with the source IP being a loopback, I've got no way of deducing which host.
> >>
> >> >From: Murad Talukdar <talukdar_m () subway com>
> >> >To: Tim Schwimer <tschwimer () hotmail com>, security-basics () securityfocus com
> >> >Subject: Re: Strange pings from 127.0.0.1
> >> >Date: Fri, 18 Jun 2004 09:43:07 +1000
> >> >
> >> >I've been getting this on my router logs saying that the tcp got dropped.
> >> > Source:127.0.0.1, 80, WAN - Destination:210.80.144.150, 1912, LAN - 'Suspicious TCP Data'
> >> >
> >> >Did you work out what it was with the pings? Not sure if it's similar or not.
> >> >
> >> >Murad Talukdar
> >> >
> >> >----- Original Message -----
> >> >From: "Tim Schwimer" <tschwimer () hotmail com>
> >> >To: <security-basics () securityfocus com>
> >> >Sent: Sunday, June 13, 2004 5:24 PM
> >> >Subject: Re: Strange pings from 127.0.0.1
> >> >
> >> >> In-Reply-To: <GAEPLEDFDDGJLBGAABCNKENBCMAA.gg () stober mailsnare net>
> >> >>
> >> >> I started seeing the same thing on my DMZ segments this Friday afternoon at about 4:00pm (figures, huh??). Anyway, I was wondering what you found out about this. Any insight would be appreciated.
> >> >>
> >> >> Thanks,
> >> >> T
> >> >>
> >> >> >From: "Marc" <gg () stober mailsnare net>
> >> >> >To: <security-basics () securityfocus com>
> >> >> >Subject: Strange pings from 127.0.0.1
> >> >> >Date: Thu, 13 May 2004 23:55:35 -0400
> >> >> >
> >> >> >The networked applications I am responsible for have been performing slowly. When I tried to run Ethereal on my computer, I found some odd ICMP echo request (ping) packets with a source IP of 127.0.0.1, to addresses both within our 192.168.1.* network as well as to random Internet addresses. The source and destination Mac addresses aren't anything I can associate with a computer on our network (and they're not the real Mac address of my computer), so I think maybe these packets are spoofed? Could this be some sort of virus or DOS attack somewhere within our network? I haven't seen anything quite like this mentioned online anywhere.
> >> >> >
> >> >> >Thanks, Marc
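The triage the thread converges on can be automated. The following is an added example, not code from any message in this thread: it decodes raw Ethernet/IPv4/ICMP frames with the Python standard library, flags any frame whose IPv4 source falls in 127.0.0.0/8 (loopback traffic never leaves its host, so such a source on the wire is forged), compares both MAC addresses against a CAM-table snapshot the way Tim did on his switch, and collects the IP_Dst hosts that, by Ranjeet's argument, are probably not the origin. The frames, the MAC inventory and the 08:00:2b MAC values are constructed sample data (08:00:2b is a DEC OUI, matching the "DEC addresses" Tim mentions, but these specific addresses are invented).

```python
"""Triage of loopback-sourced ICMP frames seen on a switched LAN.

Added example, not code from the mailing-list thread. All frames and the
MAC inventory below are constructed sample data.
"""
import ipaddress
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ETHERTYPE_IPV4 = 0x0800
PROTO_ICMP = 1
IPV4_MIN_HDR = 20
LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")

# Constructed CAM-table snapshot: MAC -> (switch, port). A real one comes from
# the switch's MAC address table.
KNOWN_MACS = {
    "00:11:22:33:44:01": ("sw1", "Gi0/1"),   # gateway/firewall inside interface
    "00:11:22:33:44:10": ("sw1", "Gi0/10"),  # host 192.168.1.10
    "00:11:22:33:44:20": ("sw1", "Gi0/20"),  # host 192.168.1.20
}

def mac_to_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def mac_to_bytes(text):
    return bytes(int(octet, 16) for octet in text.split(":"))

def parse_frame(frame):
    """Decode Ethernet + IPv4 (+ ICMP type) headers; return None for non-IPv4 frames."""
    if len(frame) < ETH_HDR.size + IPV4_MIN_HDR:
        return None
    dst_mac, src_mac, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR.size:]
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    if version != 4 or ihl < IPV4_MIN_HDR or len(ip) < ihl:
        return None
    proto = ip[9]
    icmp_type = ip[ihl] if proto == PROTO_ICMP and len(ip) > ihl else None
    return {
        "dst_mac": mac_to_str(dst_mac),
        "src_mac": mac_to_str(src_mac),
        "src_ip": ipaddress.IPv4Address(ip[12:16]),
        "dst_ip": ipaddress.IPv4Address(ip[16:20]),
        "icmp_type": icmp_type,
    }

def audit(frames, known_macs):
    """Return findings for suspicious frames and the hosts they rule out as origin."""
    findings, not_origin = [], set()
    for index, frame in enumerate(frames):
        pkt = parse_frame(frame)
        if pkt is None:
            continue
        reasons = []
        if pkt["src_ip"] in LOOPBACK_NET:
            # Loopback traffic never leaves the sending host, so a 127/8 source
            # on the wire is forged and its IP_Dst is not the machine that sent it.
            reasons.append("loopback-source-on-wire")
            not_origin.add(pkt["dst_ip"])
        if pkt["src_mac"] not in known_macs:
            reasons.append("src-mac-not-in-cam")
        is_unicast = not (int(pkt["dst_mac"][:2], 16) & 1)
        if is_unicast and pkt["dst_mac"] not in known_macs:
            reasons.append("dst-mac-not-in-cam")   # no switch port has learned it
        if reasons:
            findings.append({"frame": index, "reasons": reasons, **pkt})
    return {"findings": findings,
            "not_origin": [str(ip) for ip in sorted(not_origin)]}

def build_frame(dst_mac, src_mac, src_ip, dst_ip, icmp_type=8):
    """Assemble a minimal Ethernet/IPv4/ICMP echo frame (constructed test data, zero checksums)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_MIN_HDR + len(icmp), 0, 0, 64,
                     PROTO_ICMP, 0, ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return ETH_HDR.pack(mac_to_bytes(dst_mac), mac_to_bytes(src_mac), ETHERTYPE_IPV4) + ip + icmp

def sample_frames():
    """Constructed capture: three spoofed pings sharing one fake MAC pair, plus one legitimate ping."""
    fake_dst, fake_src = "08:00:2b:11:22:33", "08:00:2b:aa:bb:cc"  # invented DEC-OUI addresses
    return [
        build_frame(fake_dst, fake_src, "127.0.0.1", "192.168.1.10"),
        build_frame(fake_dst, fake_src, "127.0.0.1", "192.168.1.20"),
        build_frame(fake_dst, fake_src, "127.0.0.1", "198.51.100.7"),
        build_frame("00:11:22:33:44:01", "00:11:22:33:44:10", "192.168.1.10", "192.168.1.1"),
    ]

if __name__ == "__main__":
    report = audit(sample_frames(), KNOWN_MACS)
    for f in report["findings"]:
        print(f"frame {f['frame']}: {f['src_ip']} -> {f['dst_ip']} via "
              f"{f['src_mac']} -> {f['dst_mac']}: {', '.join(f['reasons'])}")
    print("probably not the origin:", report["not_origin"])
```

On a real incident the frames would come from a pcap taken on a SPAN/mirror port, one capture per segment, and the `not_origin` list would be subtracted from the hosts on the segments where the traffic appears; the remaining hosts, plus any port whose MAC learning does not match the inventory, are where to look. A 127/8 source is also exactly the kind of martian address an ingress filter on the router or firewall should drop, so a frame like this reaching end hosts says something about the filtering as well as about the sender.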
Current thread:
- Re: Strange pings from 127.0.0.1, (continued)
- Re: Strange pings from 127.0.0.1 Kelly John Rose (Jun 23)
- RE: Strange pings from 127.0.0.1 David Gillett (Jun 24)
- RE: Strange pings from 127.0.0.1 Andrew Aris (Jun 24)
- Re: Strange pings from 127.0.0.1 Kelly John Rose (Jun 25)
- Re: Strange pings from 127.0.0.1 Kelly John Rose (Jun 23)
- Re: Strange pings from 127.0.0.1 SecurityFocus Lists (Jun 24)
- Re: Strange pings from 127.0.0.1 Kelly John Rose (Jun 25)
- RE: Strange pings from 127.0.0.1 David Gillett (Jun 25)
- Re: Strange pings from 127.0.0.1 Ranjeet Shetye (Jun 26)