Security Incidents mailing list archives
Strings of 'EEEE' in pings...
From: "Peter Bates" <Peter.Bates () lshtm ac uk>
Date: Fri, 25 Jan 2002 19:05:58 +0000
Hello all...

I've searched on Google, and other than some short discussion in the past, I've nothing to answer my question...

I saw some of this traffic today, watching a machine which had made several failed attempts to connect to servers they shouldn't (both machines are internal), and then seeing some SNMP traffic to external hosts which I failed to capture...

What I saw was this: (snort -vde capture)

01/25-18:05:09.399334 8:0:20:9E:ED:B3 -> 0:10:F6:8E:A0:0 type:0x800 len:0x4A
(INTERNAL) -> (EXTERNAL) ICMP TTL:62 TOS:0x0 ID:43296 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:9 ECHO
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

01/25-18:05:09.419335 0:10:F6:8E:A0:0 -> 8:0:20:9E:ED:B3 type:0x800 len:0x4A
(EXTERNAL) -> (INTERNAL) ICMP TTL:113 TOS:0x0 ID:44568 IpLen:20 DgmLen:60
Type:0 Code:0 ID:1 Seq:9 ECHO REPLY
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Yes it's a ping echo/reply pair, but why the string of EE's? I could recreate this slightly using 'ping -p 45 host' from another system, but it was still slightly different at the front...

Can anyone explain this, or what might be generating this traffic? The internal host in question appears to be a Windows machine, but we'll only be able to investigate properly after the weekend.

-------------------------------------------------------------------------------------------------------------------->
Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone:0207-927 2124 / Fax: 0207- 636 9838

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
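Added example, not part of the original post: a Python check a defender could run over ICMP echo data to tell the all-0x45 padding in the capture above from a pattern with a different front (as the post reports for 'ping -p 45') and from the 32-byte alphabet padding that Windows ping.exe sends by default. The checksum value, the 8-byte prefix and all function and constant names are constructed for illustration.

```python
import struct

def parse_icmp_echo(icmp: bytes) -> dict:
    """Split an ICMP echo request/reply into its header fields and data."""
    if len(icmp) < 8:
        raise ValueError("shorter than the 8-byte ICMP echo header")
    icmp_type, code, _cksum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type not in (0, 8) or code != 0:
        raise ValueError("not an echo request (8) or echo reply (0)")
    return {"type": icmp_type, "id": ident, "seq": seq, "data": icmp[8:]}

def classify_fill(data: bytes, min_run: int = 8) -> tuple:
    """Return (kind, fill_byte, prefix_len) for echo data.

    uniform  - every byte is the same value
    prefixed - some other bytes first, then one value repeated to the end
    mixed    - no trailing run of at least min_run identical bytes
    """
    if not data:
        return ("empty", None, 0)
    fill = data[-1]
    # Length of the run of `fill` bytes at the end of the data.
    run = len(data) - len(data.rstrip(bytes([fill])))
    prefix = len(data) - run
    if prefix == 0:
        return ("uniform", fill, 0)
    if run >= min_run:
        return ("prefixed", fill, prefix)
    return ("mixed", None, prefix)

# Constructed from the capture's fields: Type 8, Code 0, ID 1, Seq 9, 32 x 0x45.
# The checksum is not shown in the capture, so it is left as 0 here.
CAPTURED_REQUEST = struct.pack("!BBHHH", 8, 0, 0, 1, 9) + b"\x45" * 32
# Constructed: 8 arbitrary bytes at the front, then the 0x45 pattern.
PREFIXED_DATA = bytes(range(8)) + b"\x45" * 48
# Default data of Windows ping.exe (32 bytes), for comparison.
WINDOWS_DEFAULT = b"abcdefghijklmnopqrstuvwabcdefghi"

if __name__ == "__main__":
    echo = parse_icmp_echo(CAPTURED_REQUEST)
    samples = [("captured", echo["data"]), ("prefixed", PREFIXED_DATA),
               ("windows default", WINDOWS_DEFAULT)]
    for name, data in samples:
        print(name, len(data), classify_fill(data))
```

The 32 data bytes agree with the capture's DgmLen:60 (20-byte IP header plus 8-byte ICMP header plus 32 bytes of data).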