Security Incidents mailing list archives
RE: ICMP Help
From: "W Shawn Falconbury" <shawn () wyetech net>
Date: Thu, 28 Jun 2001 15:15:54 -0500
We were hit with an ICMP flood attack earlier this week. I was able to
trace the attack back to a couple of bots programmed to exploit a known
Windows IIS hole and set up house-keeping on a zombie, after which it
starts generating ICMP floods to what seem like random IP addresses.
I do have the bots if anyone wants to check them out.
W. Shawn Falconbury
MIS Director Wyetech Inc.
shwn () wyetech net
