Security Basics mailing list archives

Re: Ping Cyberkit 2.2


From: Karma <steve () frij com>
Date: Sat, 13 Sep 2003 08:59:19 +1000

The ICMP packets from Nachi/Welchia resemble the Cyberkit packets with 64
(?) hexadecimal 'aa' as the content.

If that is the case, I wouldn't be worried. The sources are mostly spoofed,
but mostly class B

regards

Steve


----- Original Message ----- 
From: "Dr Aldo Medina" <aldomedina () hotpop com>
To: <security-basics () securityfocus com>
Sent: Friday, September 12, 2003 12:12 PM
Subject: Ping Cyberkit 2.2


For about a week, my snort logs have been full of messages like this:

Sep  6 12:27:56 linuxserver snort: [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {ICMP} 200.95.132.194 -> 200.95.123.16
Sep  6 12:29:23 linuxserver snort: [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {ICMP} 200.95.66.113 -> 200.95.123.16
Sep  6 12:31:24 linuxserver snort: [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {ICMP} 200.95.132.65 -> 200.95.123.16
Sep  6 12:39:01 linuxserver snort: [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {ICMP} 200.95.21.229 -> 200.95.123.16
Sep  6 12:41:52 linuxserver snort: [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {ICMP} 200.95.132.88 -> 200.95.123.16
Sep  6 12:45:33 linuxserver snort: [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {ICMP} 200.95.132.131 -> 200.95.123.16
Sep  6 12:48:14 linuxserver snort: [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {ICMP} 200.95.129.36 -> 200.95.123.16
Sep  6 12:51:10 linuxserver snort: [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {ICMP} 200.95.33.116 -> 200.95.123.16

Running Linux Debian Woody. Should I be worried?

TIA.
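
Added example (not part of either poster's message): one way to triage a log like the one above is to pull out the SID 483 alerts, even where mail wrapping has fused entries together, and count how many sources fall in the same /16 ("class B") as the destination. The first three sample entries are taken from the post; the last two, the regex and the function names are constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# First three alerts are from the post (wrapped and fused as mailed);
# the last two are constructed: an off-net source and an unrelated SID.
SAMPLE = """\
Sep  6 12:27:56 linuxserver snort: [1:483:2] ICMP PING CyberKit 2.2
Windows [Classification: Misc activity] [Priority: 3]: {ICMP}
200.95.132.194 -> 200.95.123.16
Sep  6 12:29:23 linuxserver snort: [1:483:2] ICMP PING CyberKit 2.2
Windows [Classification: Misc activity] [Priority: 3]: {ICMP}
200.95.66.113 -> 200.95.123.16Sep  6 12:31:24 linuxserver snort:
[1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity]
[Priority: 3]: {ICMP} 200.95.132.65 -> 200.95.123.16
Sep  6 13:00:00 linuxserver snort: [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {ICMP} 192.0.2.7 -> 200.95.123.16
Sep  6 13:00:05 linuxserver snort: [1:1000001:1] constructed local rule [Classification: Misc activity] [Priority: 3]: {ICMP} 200.95.1.1 -> 200.95.123.16
"""

IP = r"(?:\d{1,3}\.){3}\d{1,3}"
ALERT = re.compile(
    r"snort: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: [^\]]*\] \[Priority: \d+\]: "
    r"\{(?P<proto>\w+)\} (?P<src>" + IP + r") -> (?P<dst>" + IP + r")"
)

def parse_alerts(text, sid=483):
    """Return (src, dst) address pairs for alerts matching the Snort SID."""
    flat = " ".join(text.split())  # undo mail line wrapping
    # finditer (not per-line matching) also recovers entries fused together
    return [(ip_address(m["src"]), ip_address(m["dst"]))
            for m in ALERT.finditer(flat) if int(m["sid"]) == sid]

def summarize(pairs):
    """Count alerts, distinct sources, and sources inside the target's /16."""
    in_net = Counter()
    for src, dst in pairs:
        net = ip_network(f"{dst}/16", strict=False)  # the "class B" block
        in_net[src in net] += 1
    return {"alerts": len(pairs),
            "distinct_sources": len({src for src, _ in pairs}),
            "same_slash16": in_net[True],
            "other": in_net[False]}

if __name__ == "__main__":
    print(summarize(parse_alerts(SAMPLE)))
```

Many distinct sources, each seen once or twice and mostly inside the destination's own /16, is the pattern both messages describe; a single source sending repeated pings would read differently.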




