Snort mailing list archives
Strange ICMP traffic. Perhaps a worm?
From: "Harry M" <harrym () the-group org>
Date: Thu, 11 Dec 2003 23:00:31 -0000
I'm getting lots of ICMP traffic that looks pretty odd to me. They are all ping packets with a fairly strange payload:

000 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ................
010 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ................
020 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ................
030 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ................

What makes me think this is a worm is that all the traffic is coming from other customers of my ISP (NTL), and the source IP addresses increment very neatly - 80.4, 80.5, 80.6, 80.7 - which looks rather like it could be a set of machines infected by a worm that increments the subnet (2nd octet) it targets. Although this doesn't really tally with the apparent lack of any bytecode in the payload, I figured it could be an exploratory probe or some such.

The rule it's triggering is ICMP PING CyberKit 2.2 Windows (http://www.snort.org/snort-db/sid.html?sid=483), but I find it highly unlikely that this is the actual cause, because of the number of different source addresses (>100).

Does anyone have any other ideas? Whatever it is, it's very strange. The thought does occur that my ISP could be doing something sneaky, to which I'd almost certainly object :)

I started getting traffic at 2003-12-11 20:18:33 GMT and have been getting it ever since.

Arta
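The following is an added example, not code from the post or from Snort. It builds ICMP echo requests carrying the all-0xAA payload shown in the dump above, applies the kind of check the CyberKit 2.2 signature performs (echo request, a run of 0xAA bytes at the start of the payload), verifies the ICMP checksum, and then looks for the pattern the poster noticed: sources whose second octet increments in sequence. The exact signature content (16 bytes of 0xAA within the first 32 payload bytes) is assumed from memory and should be confirmed against your own rules file; all packets and addresses are constructed for the example, and `triage`, `second_octet_runs` and the other helpers are hypothetical names.

```python
"""Added example: CyberKit-style ICMP payload check plus source-sequence
analysis. Not part of the mailing-list post or of Snort. Signature details
are assumed; sample packets and addresses are constructed here."""
import struct
from collections import defaultdict
from typing import Dict, List, Tuple

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0

# Assumed signature content: 16 x 0xAA within the first 32 bytes of the echo
# payload (the post's dump shows 64 such bytes). Confirm against your rules.
CYBERKIT_CONTENT = b"\xaa" * 16
CYBERKIT_DEPTH = 32

# Default payload of the Windows ping.exe, used here as benign traffic.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over ICMP header + payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP echo request/reply: type, code 0, checksum, identifier, sequence."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> Dict[str, object]:
    if len(packet) < 8:
        raise ValueError("short ICMP packet")
    itype, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": itype, "code": code, "checksum": csum,
            "id": ident, "seq": seq, "payload": packet[8:]}


def checksum_ok(packet: bytes) -> bool:
    """Summing a packet that includes its own checksum yields zero if intact."""
    return icmp_checksum(packet) == 0


def matches_cyberkit(packet: bytes) -> bool:
    """Emulates itype:8 plus content:"|AA AA ...|"; depth:32 on the echo payload."""
    p = parse_icmp(packet)
    if p["type"] != ICMP_ECHO_REQUEST:
        return False
    return CYBERKIT_CONTENT in p["payload"][:CYBERKIT_DEPTH]


def second_octet_runs(sources: List[str], min_len: int = 3) -> List[Tuple[int, int, int]]:
    """(first_octet, start, end) for each run of >= min_len consecutive second
    octets under one first octet, e.g. 80.4 .. 80.7 -> (80, 4, 7)."""
    by_first: Dict[int, set] = defaultdict(set)
    for ip in sources:
        octets = [int(x) for x in ip.split(".")]
        if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
            raise ValueError("bad IPv4 address: %s" % ip)
        by_first[octets[0]].add(octets[1])
    runs = []
    for first, seconds in sorted(by_first.items()):
        ordered = sorted(seconds)
        run = [ordered[0]]
        for s in ordered[1:]:
            if s == run[-1] + 1:
                run.append(s)
                continue
            if len(run) >= min_len:
                runs.append((first, run[0], run[-1]))
            run = [s]
        if len(run) >= min_len:
            runs.append((first, run[0], run[-1]))
    return runs


def triage(records: List[Tuple[str, bytes]]) -> Dict[str, object]:
    """records: (source address, raw ICMP bytes). Bad-checksum packets are
    reported separately and excluded, as Snort's default checksum_mode
    skips them rather than alerting on them."""
    hits, bad = [], []
    for src, pkt in records:
        if not checksum_ok(pkt):
            bad.append(src)
        elif matches_cyberkit(pkt):
            hits.append(src)
    return {"hits": hits, "bad_checksum": bad, "runs": second_octet_runs(hits)}


AA_PAYLOAD = b"\xaa" * 64  # the 0x40 bytes of AA in the post's dump
_probe = build_echo(ICMP_ECHO_REQUEST, 0x0200, 1, AA_PAYLOAD)

# Constructed sample: four sequential sources like the post's, one stray hit,
# a normal Windows ping, an echo *reply* carrying the same payload, and a
# corrupted probe whose checksum no longer verifies.
SAMPLE_RECORDS = [
    ("80.4.10.1", _probe),
    ("80.5.22.7", _probe),
    ("80.6.3.3", _probe),
    ("80.7.9.9", _probe),
    ("80.200.1.1", _probe),
    ("192.0.2.5", build_echo(ICMP_ECHO_REQUEST, 0x0100, 1, WINDOWS_PING_PAYLOAD)),
    ("192.0.2.6", build_echo(ICMP_ECHO_REPLY, 0x0200, 1, AA_PAYLOAD)),
    ("80.8.1.1", _probe[:8] + b"\xab" + _probe[9:]),
]

if __name__ == "__main__":
    result = triage(SAMPLE_RECORDS)
    print("CyberKit-style hits:", result["hits"])
    print("bad checksum:", result["bad_checksum"])
    for first, start, end in result["runs"]:
        print("sequential sources: %d.%d through %d.%d" % (first, start, first, end))
```

Run against real traffic, you would feed `triage` the source address and ICMP bytes of each alerting packet (a pcap of the alerts is enough). A signature hit alone says only that the payload is a run of 0xAA bytes, which any ping tool can produce; the sequential-source run is the part that distinguishes a coordinated scan or worm from a single CyberKit user, which is the distinction the post is asking about.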
Current thread:
- Strange ICMP traffic. Perhaps a worm? Harry M (Dec 15)
- Re: Strange ICMP traffic. Perhaps a worm? Shane Smith (Dec 15)
- <Possible follow-ups>
- RE: Strange ICMP traffic. Perhaps a worm? adam.w.hogan (Dec 15)
- Re: Strange ICMP traffic. Perhaps a worm? Jim Brown (Dec 16)
- RE: Strange ICMP traffic. Perhaps a worm? CGhercoias (Dec 15)
- RE: Strange ICMP traffic. Perhaps a worm? Jack McCarthy (Dec 15)