Security Incidents mailing list archives
Re: Odd windows ICMP... any ideas what this is?
From: "Jonathan Clark" <jon_clark () hotmail com>
Date: Mon, 09 Jun 2003 18:01:54 +0000
I have come across this before as well. This is not unusual traffic for a Win2k environment. It's a Windows client doing a speed test of its network connection to determine if a group policy should be applied or a roaming profile downloaded. I saw these large ICMP packets containing that JPEG mostly from dial-up users who have slower connections, and always three in a row. The JPEG, if you haven't already looked at it, is a picture of the word "Microsoft" and it's incomplete.
For information on this, check Microsoft Knowledge Base article 227260 (http://support.microsoft.com/?id=227260).
- Jonathan
Our IDS has been reporting some large ICMP packets on our internal network. Our internal network is a Windows2000 domain -- servers and clients.

- Packet size is always 2090 bytes
- Almost always sent from a client or member server to one of the two boxes running Active Directory
- The ping payload itself is actually a JPEG of the Microsoft logo. This JPEG can actually be found inside userenv.dll.

I googled for any details, and I see that others have run into this before. However, there were no answers, just questions. See these two links for identical packets:

http://archives.neohapsis.com/archives/linux/debian/2002-q4/0658.html
http://cert.uni-stuttgart.de/archive/debian/security/2002/11/msg00222.html

Anyone else seen these? Any idea what's causing them? Is this 'normal' behavior on a W2K network? Other than the fact that they are relatively large ICMP packets, they don't appear to be malicious in any way. There is no other malicious traffic seen on our network.

TIA.

-TedK
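An added example, not part of either post: a triage helper that checks reassembled IPv4 datagrams for the traffic described in this thread (ICMP echo requests whose payload starts with a JPEG marker and is cut off) and marks any that target a host other than a domain controller for review. The addresses, the function names and the reading of "2090 bytes" as the IP total length are assumptions.

```python
import socket
import struct
from collections import Counter

JPEG_SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker
JPEG_EOI = b"\xff\xd9"      # end-of-image marker, missing when the image is cut off
REPORTED_SIZE = 2090        # size quoted in the thread; assumed to be IP total length

def inspect(datagram: bytes):
    """Return a dict for an ICMP echo request, or None for anything else."""
    if len(datagram) < 20 or datagram[0] >> 4 != 4 or datagram[9] != 1:
        return None                               # not IPv4 or not ICMP
    ihl = (datagram[0] & 0x0F) * 4                # IP header length in bytes
    total_len = struct.unpack("!H", datagram[2:4])[0]
    if len(datagram) < ihl + 8 or datagram[ihl] != 8:
        return None                               # too short or not an echo request
    payload = datagram[ihl + 8:total_len]
    is_jpeg = payload.startswith(JPEG_SOI)
    return {
        "src": socket.inet_ntoa(datagram[12:16]),
        "dst": socket.inet_ntoa(datagram[16:20]),
        "size": total_len,
        "jpeg": is_jpeg,
        "truncated": is_jpeg and not payload.endswith(JPEG_EOI),
    }

def triage(datagrams, domain_controllers):
    """Count JPEG-payload echo requests per (src, dst); mark non-DC targets."""
    hits = Counter()
    for d in datagrams:
        info = inspect(d)
        if info and info["jpeg"]:
            hits[(info["src"], info["dst"])] += 1
    return {pair: ("expected" if pair[1] in domain_controllers else "review", n)
            for pair, n in hits.items()}

def build_echo(src, dst, payload):
    """Constructed test datagram: IPv4 + ICMP echo request, checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 128, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload

# Constructed sample: JPEG-like payload sized so the datagram is 2090 bytes.
FAKE_JPEG = JPEG_SOI + b"\xe0" + b"\x00" * (REPORTED_SIZE - 28 - 4)
SAMPLE = [build_echo("10.0.0.50", "10.0.0.10", FAKE_JPEG)] * 3 + [
    build_echo("10.0.0.50", "10.0.0.10", b"abcdefgh" * 4),   # ordinary ping
    build_echo("10.0.0.77", "192.0.2.9", FAKE_JPEG),         # same payload, non-DC target
]
RESULT = triage(SAMPLE, {"10.0.0.10", "10.0.0.11"})          # hypothetical DC addresses
```

A packet of this size exceeds a typical Ethernet MTU, so the input here is assumed to be datagrams already reassembled by the sensor.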