Security Basics mailing list archives

Re: which process performing ICMP echo request


From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Tue, 2 May 2006 00:05:59 +0200

On 2006-05-01 gosi.infosec () gmail com wrote:
> Our IDS detects a huge number of echo requests from one source address
> to different unknown addresses.
>
> Is there any way to identify the process on the machine performing
> such activity?
>
> I tried using NETSTAT -a -o -n but nothing is shown regarding these IP
> addresses.

Neither netstat nor TCPView will show you what process is sending ICMP
packets. Assuming you have Windows XP (from the netstat options) you may
try PortReporter [1] or some personal firewall software on the box
sending the suspicious traffic.

Also try to analyze the traffic itself. Run Ethereal [2] or some other
protocol analyzer on that box. Better: put a network hub between the
suspicious box and the switch and connect a second (clean) box to that
hub. Run Ethereal on that second box.

[1] http://support.microsoft.com/default.aspx?scid=kb;en-us;837243
[2] http://www.ethereal.com/

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
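Once the traffic is captured on the clean box as the reply suggests, the IDS signal the original poster describes (one source sending echo requests to many distinct destinations) can be checked directly in the capture. The following is an added example, not code from the thread; it assumes tcpdump -n style text lines (constructed sample below) and a sweep threshold of 10 distinct targets, and would need its regex adapted for Ethereal's text export.

```python
# Added example: flag an ICMP echo-request sweep in a text capture, i.e. one
# source pinging many distinct destinations. Assumes tcpdump -n style lines:
#   "<time> IP <src> > <dst>: ICMP echo request, id N, seq N, length N"
import re
from collections import defaultdict

ECHO_RE = re.compile(
    r"^\S+\s+(?:IP\s+)?(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):?.*\bICMP echo request\b"
)


def parse_echo_requests(lines):
    """Yield (src, dst) for every ICMP echo request line; ignore all others."""
    for line in lines:
        m = ECHO_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst")


def find_sweepers(lines, min_targets=10):
    """Return {src: sorted distinct dsts} for sources hitting >= min_targets hosts."""
    targets = defaultdict(set)
    for src, dst in parse_echo_requests(lines):
        targets[src].add(dst)
    return {s: sorted(d) for s, d in targets.items() if len(d) >= min_targets}


# Constructed sample (documentation addresses): 192.0.2.10 sweeps 12 hosts,
# 192.0.2.20 pings a single host; replies and non-ICMP lines must be ignored.
SAMPLE = [
    f"10:00:{i:02d}.000000 IP 192.0.2.10 > 198.51.100.{i}: ICMP echo request, "
    f"id 1, seq {i}, length 64"
    for i in range(1, 13)
]
SAMPLE += [
    "10:00:13.000000 IP 192.0.2.20 > 198.51.100.1: ICMP echo request, id 2, seq 1, length 64",
    "10:00:13.000100 IP 198.51.100.1 > 192.0.2.20: ICMP echo reply, id 2, seq 1, length 64",
    "10:00:14.000000 IP 192.0.2.20.49152 > 198.51.100.1.80: Flags [S], length 0",
]

if __name__ == "__main__":
    for src, dsts in find_sweepers(SAMPLE).items():
        print(f"{src} sent echo requests to {len(dsts)} distinct hosts")
```

The source reported by this check is the box to run Port Reporter or a personal firewall on, since the capture alone cannot name the process.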
