Snort mailing list archives
ICMP PING NMAP to 149.1.1.1
From: "Kenneth G. Arnold" <bkarnold () cbu edu>
Date: Sat, 5 Apr 2003 17:18:11 -0600 (CST)
Within the last week I have noticed very strange activity for ICMP PING NMAP. It started with one user and now it has spread to several more. It has so far been restricted to users connecting through dial-in access to a modem pool. Shortly after the user connects, the machine starts sending ICMP PING NMAP to internet address 149.1.1.1 at the rate of 2 pings every 2-3 seconds. That comes out to about 3000 per hour. I have seen totals go as high as 17,000 per day from one source when it is connected. The only reason it stops is that the person finally disconnects. I searched the internet for an explanation for this and the only thing I could find was that some freeware/shareware has code from timesink.com built into it that sends pings to this address and tcp data to other locations within its domain. Timesink.com makes spyware that sends information about the user's activity to the company through the tcp sessions. I have set up a rule to check for any activity from our domain to timesink.com and all I see is the ICMP PING NMAP activity. It seems unlikley that a company would have a product send it information at the rate that I am seeing. I would expect to see tcp sessions also and I don't see any. I have searched Symantec's site looking for a virus that would cause this but found nothing. Could this be a disgruntled person who is distributing a program that performs a distributed denial of service attack against timesink.com? I have tried pinging 149.1.1.1 myself and it doesn't appear to be answering pings. Has anyone else encountered this situation in your logs? Does anyone know what is going on? Ken ------------------------------------------------------- This SF.net email is sponsored by: ValueWeb: Dedicated Hosting for just $79/mo with 500 GB of bandwidth! No other company gives more support or power for your dedicated server http://click.atdmt.com/AFF/go/sdnxxaff00300020aff/direct/01/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- ICMP PING NMAP to 149.1.1.1 Kenneth G. Arnold (Apr 05)
- Re: ICMP PING NMAP to 149.1.1.1 Joe Hill (Apr 05)
- Re: ICMP PING NMAP to 149.1.1.1 Kenneth G. Arnold (Apr 05)
- Re: ICMP PING NMAP to 149.1.1.1 Jeff O'Neal (Apr 06)
- Re: ICMP PING NMAP to 149.1.1.1 Joe Hill (Apr 06)
- Re: ICMP PING NMAP to 149.1.1.1 Kenneth G. Arnold (Apr 05)
- Re: ICMP PING NMAP to 149.1.1.1 Joe Hill (Apr 05)