Snort mailing list archives

ICMP PING NMAP to 149.1.1.1


From: "Kenneth G. Arnold" <bkarnold () cbu edu>
Date: Sat, 5 Apr 2003 17:18:11 -0600 (CST)

Within the last week I have noticed very strange activity for ICMP PING
NMAP.  It started with one user and now it has spread to several more. It
has so far been restricted to users connecting through dial-in access to a
modem pool.  Shortly after the user connects, the machine starts sending
ICMP PING NMAP to internet address 149.1.1.1 at the rate of 2 pings every
2-3 seconds. That comes out to about 3000 per hour. I have seen totals go
as high as 17,000 per day from one source when it is connected.  The only
reason it stops is that the person finally disconnects.

I searched the internet for an explanation for this and the only thing I
could find was that some freeware/shareware has code from timesink.com
built into it that sends pings to this address and tcp data to other
locations within its domain.  Timesink.com makes spyware that sends
information about the user's activity to the company through the tcp
sessions.  I have set up a rule to check for any activity from our domain
to timesink.com and all I see is the ICMP PING NMAP activity.  It seems
unlikely that a company would have a product send it information at the
rate that I am seeing.  I would expect to see tcp sessions also and I
don't see any.  I have searched Symantec's site looking for a virus that
would cause this but found nothing.  Could this be a disgruntled person
who is distributing a program that performs a distributed denial of
service attack against timesink.com? I have tried pinging 149.1.1.1 myself
and it doesn't appear to be answering pings.

Has anyone else encountered this situation in your logs? Does anyone know
what is going on?

Ken
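One way to triage alerts like these is to read Snort's alert_fast output, keep only the "ICMP PING NMAP" alerts toward 149.1.1.1, and estimate a per-source rate so the steadily pinging dial-in hosts stand out from one-off noise. This is an added example, not code from the post or from the Snort project; the log lines are constructed (documentation-range source addresses, placeholder rule ids) and the 1000/hour threshold is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# One Snort alert_fast line: "MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] msg [**] [...] {PROTO} src -> dst"
FAST_LINE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] \[[\d:]+\] (?P<msg>.+?) \[\*\*\] "
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?$"
)

# Constructed sample alerts, not real log data. Sources are RFC 5737 documentation
# addresses; 149.1.1.1 is the target named in the post; bracketed rule ids are placeholders.
SAMPLE_ALERTS = """\
04/05-17:18:11.000000 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.10 -> 149.1.1.1
04/05-17:18:12.000000 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.55 -> 149.1.1.1
04/05-17:18:13.000000 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.10 -> 149.1.1.1
04/05-17:18:14.000000 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.10 -> 149.1.1.1
04/05-17:18:15.000000 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.7 -> 192.0.2.1
04/05-17:18:16.000000 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.10 -> 149.1.1.1
04/05-17:18:17.000000 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.10 -> 149.1.1.1
"""

def parse_fast_alerts(text, year=2003):
    """Yield (timestamp, msg, src, dst) for each parseable alert_fast line (fast format has no year)."""
    for line in text.splitlines():
        m = FAST_LINE.match(line.strip())
        if not m:
            continue  # skip partial or unparseable lines instead of aborting the whole run
        ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        yield ts, m["msg"], m["src"], m["dst"]

def find_beaconing_sources(text, msg="ICMP PING NMAP", target="149.1.1.1", min_per_hour=1000):
    """Return {src: estimated_alerts_per_hour} for sources whose alerts toward `target`
    recur fast enough to look like the periodic pinging described in the post.
    The rate is estimated from the mean gap between consecutive alerts from one source."""
    by_src = defaultdict(list)
    for ts, m, src, dst in parse_fast_alerts(text):
        if m == msg and dst == target:
            by_src[src].append(ts)
    flagged = {}
    for src, times in by_src.items():
        if len(times) < 2:
            continue  # a single alert carries no rate information
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = sum(gaps) / len(gaps)
        rate = 3600.0 / mean_gap if mean_gap > 0 else float("inf")
        if rate >= min_per_hour:
            flagged[src] = round(rate)
    return flagged

if __name__ == "__main__":
    for src, rate in find_beaconing_sources(SAMPLE_ALERTS).items():
        print(f"{src}: ~{rate} ICMP PING NMAP alerts/hour to 149.1.1.1")
```

On the constructed input only 192.0.2.10 is flagged (about 2400/hour, in line with the 2 pings every 2-3 seconds described above); the single alert from 192.0.2.55 and the alert toward a different destination are ignored.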





_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net