Security Incidents mailing list archives
Re: Strings of 'EEEE' in pings...
From: Chris Keladis <Chris.Keladis () cmc cwo net au>
Date: Sat, 26 Jan 2002 08:01:16 +1100
Peter Bates wrote:
> Yes it's a ping echo/reply pair, but why the string of EE's?

Good question. My guess would be some kind of automated scanning tool. I could have sworn I've seen ICMP ping/pong packets with E's as the payload, but I can't pinpoint where.

> I could recreate this slightly using 'ping -p 45 host' from another system, but it was still slightly different at the front...

It probably was the data for a timeval struct which ping uses to work out the RTT times. Your packets are made from a dedicated tool of some kind.

> Can anyone explain this, or what might be generating this traffic? The internal host in question appears to be a Windows machine, but we'll only be able to investigate properly after the weekend.

Just looking at my Snort rules, I found that WebTrends Scanner sends packets filled with 0x45's (E's), the only difference being that they have 4 leading NULL bytes whereas yours don't. WebTrends make a security scanning product, perhaps this is it? Unfortunately Google didn't yield much more information. :(

HIH,
Chris.
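Added example, not part of the original post or of any tool named in it: a Python classifier that sorts ICMP echo payloads into the three 0x45 layouts this thread distinguishes (fill only, four leading NULL bytes then fill, and a leading timeval then fill as with 'ping -p 45'). The sample packets are constructed, and the function names, the 56-byte payload size and the 8/16-byte timeval sizes are assumptions.

```python
import struct

FILL = 0x45               # ASCII 'E', the payload byte discussed in the thread
TIMEVAL_SIZES = (8, 16)   # assumption: struct timeval is 8 bytes (32-bit) or 16 (64-bit)

def classify_echo(icmp: bytes) -> str:
    """Classify an ICMP echo request/reply, given bytes starting at the ICMP header."""
    if len(icmp) < 8:
        return "truncated"
    icmp_type, code, _csum, _ident, _seq = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type not in (0, 8) or code != 0:
        return "not-echo"
    payload = icmp[8:]
    if not payload:
        return "empty"
    fill = bytes([FILL])
    if payload == fill * len(payload):
        return "pure-fill"              # nothing but E's, no prefix at all
    tail = payload[4:]
    if payload[:4] == b"\x00" * 4 and tail and tail == fill * len(tail):
        return "null-prefixed-fill"     # layout the post attributes to the Snort rule
    for n in TIMEVAL_SIZES:
        rest = payload[n:]
        if rest and rest == fill * len(rest):
            return "timeval-prefixed-fill"  # what 'ping -p 45' would leave on the wire
    return "other"

def make_echo(payload: bytes, icmp_type: int = 8) -> bytes:
    # Constructed sample packet; checksum left at 0 because classification ignores it.
    return struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + payload

# Constructed samples, one per layout (56-byte payloads are an assumption).
SAMPLES = {
    "fill-only": make_echo(b"E" * 56),
    "null-prefix": make_echo(b"\x00" * 4 + b"E" * 52),
    "ping -p 45": make_echo(struct.pack("<II", 1011992476, 123456) + b"E" * 48),
    "unrelated": make_echo(bytes(range(56))),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:12} -> {classify_echo(pkt)}")
```
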