Security Incidents mailing list archives

RE: Should I be concerned about?

From: Lance Spitzner <lance () honeynet org>
Date: Wed, 31 Oct 2001 12:43:04 -0600 (CST)

On Wed, 31 Oct 2001, Mike Gilles wrote:

For any data to actually be transferred the packets would have to move up
the OSI model.  (e.g. start a TCP session) So, in short, no I wouldn't be
overly concerned with this traffic.


*sigh*

I'm afraid you have just fallen victim to one of the most common
problems within the security community, underestimating the
enemy.  Anything is possible.

             http://www.phrack.org/show.php?p=51&a=6

-----Original Message-----
From: faial () rio-de-janeiro sns slb com

      Today morning I start receiving a lot of ICMP packets from a host,
apparently in China (if the source address was not spoffed). The first
packet was:

[2001-10-31 11:52:25]  ICMP Destination Unreachable (Port Unreachable)
IPv4: 203.193.63.9 -> XXX.XXX.XXX.XXX
hlen=5 TOS=192 dlen=56 ID=37607 flags=0 offset=0 TTL=235 chksum=27228
ICMP: type=Destination Unreachable code=Port Unreachable
checksum=39472 id= seq=
Payload:  length = 32
000 : 00 00 00 00 45 00 00 4E F2 FE 00 00 68 11 8D DF   ....E..N....h...
010 : A3 BA 23 3C CB C1 3F 09 00 89 00 89 00 3A 61 80   ..#&lt;..?......:a.

      following thousands of packets like this:

[2001-10-31 12:42:10]  ICMP Time-To-Live Exceeded in Transit
IPv4: 203.193.63.9 -> XXX.XXX.XXX.XXX
hlen=5 TOS=192 dlen=56 ID=49325 flags=0 offset=0 TTL=235 chksum=15510
ICMP: type=Time Exceeded code=0
checksum=48251 id= seq=
Payload:  length = 32
000 : 00 00 00 00 45 00 00 74 4A A4 00 00 01 11 9D 13   ....E..tJ.......
010 : A3 BA 23 3C CB C1 3F 0A 01 03 01 03 00 60 36 1E   ..#&lt;..?......`6.

I know that this can be just legitimate ICMP traffic, but I have a bad
felling about this activity. I am sure that the target machine never tried
to connect to or to send any kind of packet to the 203.193.63.9 machine, so
ICMP Time-To-Live would not be expected. They are "unsolicited" packets.

My question is "Can a hacker forge an ICMP packet to bypass the firewall
and use its payload (payload data is different for each packet received) to
send data to a trojan (listening for ICMP traffic on the target machine)? "



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Should I be concerned about? Jose Carlos Faial (Oct 31)
- Re: Should I be concerned about? Blake Frantz (Oct 31)
- <Possible follow-ups>
- RE: Should I be concerned about? Mike Gilles (Oct 31)
  - RE: Should I be concerned about? Antonio Vasconcelos (Oct 31)
  - RE: Should I be concerned about? Lance Spitzner (Oct 31)