Snort mailing list archives

Re: ICMP PING NMAP to 149.1.1.1


From: Joe Hill <joehill () sympatico ca>
Date: Sat, 5 Apr 2003 19:47:50 -0500

On Sat, 5 Apr 2003 17:18:11 -0600 (CST)
"Kenneth G. Arnold" <bkarnold () cbu edu> wrote:

> Within the last week I have noticed very strange activity for ICMP
> PING NMAP.  It started with one user and now it has spread to several
> more. It has so far been restricted to users connecting through
> dial-in access to a modem pool.  Shortly after the user connects, the
> machine starts sending ICMP PING NMAP to internet address 149.1.1.1 at
> the rate of 2 pings every 2-3 seconds. That comes out to about 3000
> per hour. I have seen totals go as high as 17,000 per day from one
> source when it is connected.  The only reason it stops is that the
> person finally disconnects.
>
> I searched the internet for an explanation for this and the only thing
> I could find was that some freeware/shareware has code from
> timesink.com built into it that sends pings to this address and tcp
> data to other locations within its domain.  Timesink.com makes spyware
> that sends information about the user's activity to the company
> through the tcp sessions.  I have set up a rule to check for any
> activity from our domain to timesink.com and all I see is the ICMP
> PING NMAP activity.  It seems unlikely that a company would have a
> product send it information at the rate that I am seeing.  I would
> expect to see tcp sessions also and I don't see any.  I have searched
> Symantec's site looking for a virus that would cause this but found
> nothing.  Could this be a disgruntled person who is distributing a
> program that performs a distributed denial of service attack against
> timesink.com? I have tried pinging 149.1.1.1 myself and it doesn't
> appear to be answering pings.
>
> Has anyone else encountered this situation in your logs? Does anyone
> know what is going on?


Could it be some form of "keepalive" app that the users are using, to
keep their connection from timing out? One question, if more than one
user is connected to the modem pool, are the probes *all* coming from
the same IP?!

Got this with dig:

; <<>> DiG 9.2.1 <<>> 149.1.1.1
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26439
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;149.1.1.1.                     IN      A

;; AUTHORITY SECTION:
.                       86400   IN      SOA     A.ROOT-SERVERS.NET.
NSTLD.VERISIGN-GRS.COM. 2003040501 1800 900 604800 86400

;; Query time: 103 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Sat Apr  5 19:42:08 2003
;; MSG SIZE  rcvd: 102

as for what all that means...

Ken
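The triage questions raised in this thread (how fast each source is sending, whether all probes come from one IP behind the modem pool, and whether any TCP traffic to the same destination accompanies the pings, as a spyware beacon would) can be answered directly from Snort's own alert log. The following Python script is an added example; it is not code from the thread, from the posters, or from the Snort project. It assumes Snort's alert_fast line layout, the sample alert lines are constructed, and the hosts and rule sid in them are illustrative.

```python
"""Triage a burst of "ICMP PING NMAP" alerts from a Snort alert_fast log.

Added example, not from the thread or from Snort. Counts alerts per
source/destination pair, turns the count into an extrapolated hourly rate,
and records whether the same source also raised TCP alerts to that
destination. A flood with no TCP sessions beside it looks different from
a chatty spyware client, which is the distinction the thread is drawing.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: two dial-in hosts hammering 149.1.1.1 (one of them
# also talking TCP to it) and a third host sending a single ordinary ping.
# The sid 1:469 is illustrative; adjust to whatever your ruleset uses.
SAMPLE_ALERTS = """\
04/05-19:00:00.000000  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.8.0.5 -> 149.1.1.1
04/05-19:00:01.250000  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.8.0.5 -> 149.1.1.1
04/05-19:00:02.500000  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.8.0.5 -> 149.1.1.1
04/05-19:00:03.750000  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.8.0.5 -> 149.1.1.1
04/05-19:00:01.000000  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.8.0.9 -> 149.1.1.1
04/05-19:00:03.000000  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.8.0.9 -> 149.1.1.1
04/05-19:00:04.000000  [**] [1:999999:1] EXAMPLE TCP ALERT [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.8.0.9:1045 -> 149.1.1.1:80
04/05-19:30:00.000000  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.8.0.7 -> 192.0.2.10
"""

# alert_fast layout: timestamp [**] [gid:sid:rev] msg [**] ... {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"(\d\d/\d\d)-(\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(\d+:\d+:\d+)\]\s+(.*?)\s+\[\*\*\]"
    r".*?\{(\w+)\}\s+(\S+?)(?::\d+)?\s+->\s+(\S+?)(?::\d+)?\s*$"
)


def parse_alert(line):
    """Return a dict for one alert_fast line, or None if it does not parse."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    date, clock, sid, msg, proto, src, dst = m.groups()
    # alert_fast carries no year; only differences between timestamps matter here.
    ts = datetime.strptime(f"{date}-{clock}", "%m/%d-%H:%M:%S.%f")
    return {"ts": ts, "sid": sid, "msg": msg, "proto": proto, "src": src, "dst": dst}


def summarize(lines, msg="ICMP PING NMAP", flood_per_hour=1000):
    """Per (src, dst): alert count, extrapolated hourly rate, flood flag, TCP seen."""
    pings = defaultdict(list)   # (src, dst) -> timestamps of matching ICMP alerts
    tcp_pairs = set()           # (src, dst) pairs that raised any TCP alert
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        if a["proto"] == "TCP":
            tcp_pairs.add((a["src"], a["dst"]))
        elif a["proto"] == "ICMP" and a["msg"] == msg:
            pings[(a["src"], a["dst"])].append(a["ts"])

    report = []
    for (src, dst), stamps in sorted(pings.items()):
        stamps.sort()
        span = (stamps[-1] - stamps[0]).total_seconds()
        # Rate = intervals / elapsed time; a lone alert has no rate at all,
        # so it can never be flagged as a flood on its own.
        if len(stamps) < 2 or span <= 0:
            per_hour = 0.0
        else:
            per_hour = (len(stamps) - 1) / span * 3600
        report.append({
            "src": src, "dst": dst, "count": len(stamps),
            "window_s": span, "per_hour": round(per_hour),
            "flood": per_hour >= flood_per_hour,
            "tcp_seen": (src, dst) in tcp_pairs,
        })
    return report


def distinct_sources(report):
    """Answer 'are the probes all from the same IP?': dst -> sorted source list."""
    by_dst = defaultdict(set)
    for row in report:
        by_dst[row["dst"]].add(row["src"])
    return {dst: sorted(srcs) for dst, srcs in by_dst.items()}


if __name__ == "__main__":
    rows = summarize(SAMPLE_ALERTS.splitlines())
    for r in rows:
        print(f"{r['src']:>10} -> {r['dst']:<12} n={r['count']:<3} "
              f"~{r['per_hour']}/h flood={r['flood']} tcp={r['tcp_seen']}")
    print("sources per destination:", distinct_sources(rows))
```

Run it against a real alert file with `summarize(open("alert").read().splitlines())`. The hourly figure is an extrapolation from the observed window, so treat it as a triage hint rather than a measurement, and raise `flood_per_hour` if legitimate monitoring hosts on your network ping at similar rates.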

-------------------------------------------------------
This SF.net email is sponsored by: ValueWeb: 
Dedicated Hosting for just $79/mo with 500 GB of bandwidth! 
No other company gives more support or power for your dedicated server
http://click.atdmt.com/AFF/go/sdnxxaff00300020aff/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
