Security Incidents mailing list archives

strange traffic


From: "Wim Mees" <Wim.Mees () vision rma ac be>
Date: Sat, 25 Jan 2003 11:57:49 +0100


Does anyone know of an application/tool/malware that sends the 
following type of traffic to the broadcast address:
- echo requests with "Hello, is anybody home?" as payload
- udp/7 (echo) datagrams with the same payload

04:52:52.343680 172.16.0.250 > 255.255.255.255: icmp: echo request (ttl 2, id 6089, len 52)
0x0000   4500 0034 17c9 0000 0201 f3f6 ac10 00fa        E..4............
0x0010   ffff ffff 0800 5084 0000 17c9 4865 6c6c        ......P.....Hell
0x0020   6f2c 2069 7320 616e 7962 6f64 7920 686f        o,.is.anybody.ho
0x0030   6d65 3f00                                      me?.
04:52:54.188615 172.16.0.250.35072 > 255.255.255.255.7:  [no cksum] udp 24 (ttl 2, id 6090, len 52)
0x0000   4500 0034 17ca 0000 0211 f3e5 ac10 00fa        E..4............
0x0010   ffff ffff 8900 0007 0020 0000 4865 6c6c        ............Hell
0x0020   6f2c 2069 7320 616e 7962 6f64 7920 686f        o,.is.anybody.ho
0x0030   6d65 3f00                                      me?.

Wim


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
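
Added example, not part of the original post: a Python matcher for the two probes in the dump above (limited-broadcast destination, ICMP echo request or udp/7, and the quoted payload). The function and constant names are assumptions made here; the packet bytes are transcribed from the hex dump in the post.

```python
import struct
from ipaddress import IPv4Address

PROBE = b"Hello, is anybody home?"          # payload string quoted in the post
BROADCAST = IPv4Address("255.255.255.255")

# Raw IPv4 packets transcribed from the tcpdump hex dump in the post.
ICMP_PKT = bytes.fromhex(
    "4500 0034 17c9 0000 0201 f3f6 ac10 00fa ffff ffff 0800 5084 0000 17c9"
    "4865 6c6c 6f2c 2069 7320 616e 7962 6f64 7920 686f 6d65 3f00")
UDP_PKT = bytes.fromhex(
    "4500 0034 17ca 0000 0211 f3e5 ac10 00fa ffff ffff 8900 0007 0020 0000"
    "4865 6c6c 6f2c 2069 7320 616e 7962 6f64 7920 686f 6d65 3f00")

def classify(pkt):
    """Return a summary dict if pkt is one of the probes, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None                          # not IPv4
    ihl = (pkt[0] & 0x0F) * 4                # header length in bytes
    if ihl < 20:
        return None
    total_len, ident = struct.unpack("!HH", pkt[2:6])
    ttl, proto = pkt[8], pkt[9]
    src, dst = IPv4Address(pkt[12:16]), IPv4Address(pkt[16:20])
    body = pkt[ihl:total_len]
    if dst != BROADCAST or len(body) < 8:
        return None
    if proto == 1 and body[0] == 8:          # ICMP type 8: echo request
        kind = "icmp-echo-request"
    elif proto == 17 and struct.unpack("!H", body[2:4])[0] == 7:
        kind = "udp-echo"                    # UDP destination port 7 (echo)
    else:
        return None
    # ICMP echo and UDP headers are both 8 bytes; the payload follows.
    if not body[8:].startswith(PROBE):
        return None
    return {"kind": kind, "src": str(src), "ttl": ttl, "id": ident}

if __name__ == "__main__":
    for p in (ICMP_PKT, UDP_PKT):
        print(classify(p))
```
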

