Snort mailing list archives

RE: Icmp Ping


From: "Jim Hendrick" <jrhendri () maine rr com>
Date: Thu, 18 Mar 2004 22:51:16 -0500

I don't recognize that payload, but I'd bet it is some kind of "covert
channel", like a control channel to a backdoor on your box (Loki uses this).
Here is a link that describes it:
http://www.sans.org/resources/idfaq/traffic.php?printer=Y


Not to be alarmist, but it is looking more and more like the box has been
had.


The traffic is coming into the box and not out.  But
reading the links above, if the traffic is coming into the box and
the traffic is actually a PONG (and not a PING), then does
that mean it's actually responding to a Ping originating from
within the network?   Or did I misunderstand the last link?  I
had trouble understanding it and only kinda guessed the meaning.

If it is an ICMP echo reply, it does not mean your box sent an echo request
at all.
Could be that the malware is assuming your firewall will let in echo replies
so your folks can ping out.


It's still going on.  And now I've got another, different
ICMP response with a payload of:

000 : 37 FF 01 00 00 00 0B B8 00 03 D5 EB 4E EA B8 2D  7...........N..-
010 : 0E 74 6F 70 2D 36 30 30 31 2D 34 32 30 30 30 00  .top-6001-42000.
020 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
030 : 00 00                                             ..

Does anyone recognize this kind of command?
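An added example, not from the list post and not Snort's own code: Python that rebuilds the posted payload from the hex dump, pulls the printable string out of it (the way strings(1) would), and does the check Jim's point implies, flagging inbound echo replies that no outbound echo request from the local network solicited. The packet records, addresses, local network and the ident/seq values are constructed for the demonstration; only the payload bytes come from the dump above.

```python
"""Flag inbound ICMP echo replies that no local echo request solicited.

Added example for the thread above; not from the original post. The
packet records below are constructed (no capture is read); the posted
hex dump is reused as the payload of one constructed reply.
"""
from dataclasses import dataclass
import ipaddress

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8

# Payload rows as they appear in the posted dump (ASCII column dropped).
POSTED_DUMP = """\
000 : 37 FF 01 00 00 00 0B B8 00 03 D5 EB 4E EA B8 2D
010 : 0E 74 6F 70 2D 36 30 30 31 2D 34 32 30 30 30 00
020 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
030 : 00 00"""


def parse_hex_dump(dump: str) -> bytes:
    """Turn 'offset : xx xx ...' rows back into the raw payload bytes."""
    out = bytearray()
    for line in dump.splitlines():
        _, _, hexpart = line.partition(":")
        out.extend(int(tok, 16) for tok in hexpart.split())
    return bytes(out)


def printable_runs(data: bytes, min_len: int = 4) -> list[str]:
    """Return runs of printable ASCII of at least min_len bytes (like strings(1))."""
    runs: list[str] = []
    cur = bytearray()
    for b in data + b"\x00":      # trailing sentinel flushes the last run
        if 0x20 <= b < 0x7F:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            runs.append(cur.decode("ascii"))
        cur.clear()
    return runs


@dataclass(frozen=True)
class IcmpPacket:
    src: str
    dst: str
    icmp_type: int
    ident: int      # ICMP echo identifier
    seq: int        # ICMP echo sequence number
    payload: bytes


def unsolicited_replies(packets, local_net):
    """Return inbound echo replies with no matching outbound echo request.

    A reply is matched to a request by (local host, remote host, ident, seq),
    which is what a stateful firewall tracks so that "ping out" works; a
    firewall that simply allows all echo replies in lets the unmatched ones
    through too, and those are the ones returned here.
    """
    net = ipaddress.ip_network(local_net)
    outstanding = set()
    flagged = []
    for p in packets:
        src_local = ipaddress.ip_address(p.src) in net
        dst_local = ipaddress.ip_address(p.dst) in net
        if p.icmp_type == ICMP_ECHO_REQUEST and src_local and not dst_local:
            outstanding.add((p.src, p.dst, p.ident, p.seq))
        elif p.icmp_type == ICMP_ECHO_REPLY and dst_local and not src_local:
            key = (p.dst, p.src, p.ident, p.seq)
            if key in outstanding:
                outstanding.discard(key)
            else:
                flagged.append(p)
    return flagged


# Constructed traffic: one legitimate ping-out/reply pair, then the kind of
# inbound reply the thread describes, carrying the posted payload. Addresses
# and ident/seq values are made up for the example.
SAMPLE_PACKETS = [
    IcmpPacket("192.168.1.10", "198.51.100.4", ICMP_ECHO_REQUEST, 0x1234, 1, b"abcdefgh"),
    IcmpPacket("198.51.100.4", "192.168.1.10", ICMP_ECHO_REPLY, 0x1234, 1, b"abcdefgh"),
    IcmpPacket("203.0.113.7", "192.168.1.10", ICMP_ECHO_REPLY, 0x0001, 7,
               parse_hex_dump(POSTED_DUMP)),
]


def report(packets=SAMPLE_PACKETS, local_net="192.168.1.0/24"):
    """Summarise each unsolicited reply as (source, printable strings in payload)."""
    return [(p.src, printable_runs(p.payload))
            for p in unsolicited_replies(packets, local_net)]


if __name__ == "__main__":
    for src, strings in report():
        print(f"unsolicited echo reply from {src}: {strings}")
```

Run against a real capture you would feed `unsolicited_replies` the echo packets in arrival order; the matching key is the same (id, seq) pair a stateful firewall or Snort's own ICMP tracking would use, so a reply that this flags is one a "let replies in so people can ping out" rule would also have admitted.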





