Security Incidents mailing list archives

Strings of 'EEEE' in pings...


From: "Peter Bates" <Peter.Bates () lshtm ac uk>
Date: Fri, 25 Jan 2002 19:05:58 +0000


Hello all...

I've searched on Google, and other than some short discussion
in the past, I've nothing to answer my question...

I saw some of this traffic today, watching a machine which had
made several failed attempts to connect to servers they shouldn't
(both machines are internal), and then seeing some SNMP traffic
to external hosts which I failed to capture...

What I saw was this: (snort -vde capture)

01/25-18:05:09.399334 8:0:20:9E:ED:B3 -> 0:10:F6:8E:A0:0 type:0x800 len:0x4A
(INTERNAL) -> (EXTERNAL) ICMP TTL:62 TOS:0x0 ID:43296 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:9  ECHO
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

01/25-18:05:09.419335 0:10:F6:8E:A0:0 -> 8:0:20:9E:ED:B3 type:0x800 len:0x4A
(EXTERNAL) -> (INTERNAL) ICMP TTL:113 TOS:0x0 ID:44568 IpLen:20 DgmLen:60
Type:0  Code:0  ID:1  Seq:9  ECHO REPLY
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Yes it's a ping echo/reply pair, but why the string of EE's?

I could recreate this slightly using 'ping -p 45 host' from another
system, but it was still slightly different at the front...

Can anyone explain this, or what might be generating this traffic?

The internal host in question appears to be a Windows machine, but
we'll only be able to investigate properly after the weekend.



-------------------------------------------------------------------------------------------------------------------->
Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone:0207-927 2124 / Fax: 0207- 636 9838 
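Added example, not part of the original post or of any tool mentioned in it: a small Python script that decodes the hex column of the snort -vde dump above back into the 32 bytes of echo data, checks whether the data is a uniform fill byte, assembles an ICMP echo with the same ID/Seq and a valid checksum, and emits a Snort content match for the observed bytes. It also models what iputils 'ping -p 45' puts on the wire, assuming the behaviour documented in ping(8): the data area is filled with the pattern and, when there is room for a struct timeval, the first eight bytes carry a timestamp; that is offered as one explanation for a difference "at the front" and is an assumption here, not a finding from the thread. All function names (parse_snort_hex, classify_echo_data, iputils_style_data, build_echo, snort_content) are this example's own; SAMPLE_DUMP is the post's two hex-dump lines and the header constants are the values snort printed.

```python
"""Decode ICMP echo data from a snort -vde dump and compare it with the
data shape iputils ping -p produces. Added example, not from the post."""
import struct
from typing import Optional

# Constructed sample: the two payload hex-dump lines from the post's capture
# (32 bytes of 0x45, ASCII 'E').
SAMPLE_DUMP = """\
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE
"""
# IP/ICMP header fields as snort printed them for the echo request.
DGM_LEN, IP_LEN, ICMP_ID, ICMP_SEQ = 60, 20, 1, 9


def parse_snort_hex(dump: str) -> bytes:
    """Turn snort -d hex-dump lines back into bytes: decode the hex column
    (single-space separated byte pairs) and ignore the ASCII column that
    follows the double space."""
    out = bytearray()
    for line in dump.splitlines():
        hex_col = line.split("  ", 1)[0]
        out.extend(int(tok, 16) for tok in hex_col.split())
    return bytes(out)


def echo_data_length(dgm_len: int, ip_len: int) -> int:
    """Echo data bytes = IP datagram length - IP header - 8-byte ICMP header."""
    return dgm_len - ip_len - 8


def fill_byte(data: bytes) -> Optional[int]:
    """The repeated byte value if data is one uniform fill, otherwise None."""
    if data and data.count(data[0]) == len(data):
        return data[0]
    return None


def iputils_style_data(pattern: int, data_len: int, timeval: bytes) -> bytes:
    """Model (assumption, per ping(8)) of 'ping -p <pattern> -s <data_len>':
    the data area is filled with the pattern, then, when it holds at least
    8 bytes, the first 8 are overwritten by a struct timeval used for RTT.
    The timeval bytes are caller-supplied so the result is deterministic."""
    data = bytes([pattern]) * data_len
    if data_len >= 8:
        data = timeval[:8] + data[8:]
    return data


def classify_echo_data(data: bytes) -> str:
    """'uniform' for a pure fill (what the capture shows), 'timestamp+fill'
    for the iputils shape (fill broken only in the first 8 bytes), else 'other'."""
    if fill_byte(data) is not None:
        return "uniform"
    if len(data) > 8 and fill_byte(data[8:]) is not None:
        return "timestamp+fill"
    return "other"


def icmp_checksum(packet: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP header plus data."""
    if len(packet) % 2:
        packet += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(packet) // 2), packet))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_id: int, seq: int, data: bytes, reply: bool = False) -> bytes:
    """Assemble an ICMP echo (type 8) or echo reply (type 0) with a valid checksum."""
    icmp_type = 0 if reply else 8
    header = struct.pack("!BBHHH", icmp_type, 0, 0, icmp_id, seq)
    csum = icmp_checksum(header + data)
    return struct.pack("!BBHHH", icmp_type, 0, csum, icmp_id, seq) + data


def snort_content(data: bytes) -> str:
    """Snort content option matching the observed data bytes exactly."""
    return 'content:"|' + " ".join("%02X" % b for b in data) + '|";'


if __name__ == "__main__":
    data = parse_snort_hex(SAMPLE_DUMP)
    assert len(data) == echo_data_length(DGM_LEN, IP_LEN)
    print("capture   :", classify_echo_data(data), "fill=0x%02X" % fill_byte(data))
    fake_tv = struct.pack("<II", 1011985509, 399334)  # constructed timeval bytes
    print("ping -p 45:", classify_echo_data(iputils_style_data(0x45, len(data), fake_tv)))
    print(snort_content(data))
    pkt = build_echo(ICMP_ID, ICMP_SEQ, data)
    print("checksum verifies:", icmp_checksum(pkt) == 0)
```

Running it classifies the captured data as a pure 32-byte 0x45 fill with nothing at the front, while the modelled 'ping -p 45' data comes out as an 8-byte timestamp followed by 24 pattern bytes; the content match it prints can be dropped into a local Snort rule to flag further echoes with exactly this data.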

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

