In message <20031013045849.5E4DE3C486EB(a)basilica.la.naos.co.nz>, Ewen McNeill writes:
In message <874qyd4v8f.fsf(a)it029205.massey.ac.nz>, James Riden writes:
Ewen McNeill writes: Is anyone else seeing very high volumes of ICMP echo requests today (ie, in the order of hundreds/thousands per second)? [....]
What do the ping packets look like?
block in on ste7: [internal ip] > [victim ip]: icmp: echo request
4500 005c 58fa 0000 7f01 4929 0a04 0102
3df3 5085 0800 c9c8 0200 d6e1 aaaa aaaa
aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
aaaa aaaa
As James pointed out, that's a truncated packet (to tcpdump's default snaplen). The real packet is 92 octets, with 64 octets of payload (0xaa octets). Which is what the Welchia/Nachi worm sends out.

Desktop support at the client has found several of the machines generating these ICMP streams to be infected with the Welchia/Nachi worm, and is busy checking the rest. They also believe they've identified the source (a laptop that arrived back today IIRC). It has, however, highlighted which machines didn't get put into the default policy for lockdowns, updates, etc. ...

So nothing new, it seems. Just another infection with another Windows worm.

Sorry to trouble you all.

Ewen
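As an added illustration (not part of the thread), the 68 octets shown in the dump above, decoded in Python: the IP total-length field reads 92, the 40 captured payload octets are all 0xaa, and padding the capture back out to 92 octets with 0xaa makes the ICMP checksum verify, which is consistent with the 64-octet 0xaa payload described. The hex is copied from the message; the `is_welchia_like` signature is my own assumption for a detection check, not something the thread states.

```python
import struct

# Hex copied from the dump in the message above: 68 octets captured
# (20 IP + 8 ICMP + 40 payload); the IP total-length field says 92.
CAPTURED_HEX = (
    "4500 005c 58fa 0000 7f01 4929 0a04 0102 3df3 5085 "
    "0800 c9c8 0200 d6e1 " + "aaaa " * 20
)

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; 0 when the buffer's own checksum field is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_capture(hexdump: str) -> dict:
    """Decode IPv4 + ICMP from a (possibly snaplen-truncated) hex dump.
    If the captured payload is a single repeated byte, pad the missing tail
    with it and report whether the ICMP checksum then verifies."""
    pkt = bytes.fromhex(hexdump.replace(" ", ""))
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _ck, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    icmp = pkt[ihl:]
    itype, code, _icmp_ck, _echo_id, _seq = struct.unpack("!BBHHH", icmp[:8])
    payload = icmp[8:]
    fill = payload[0] if payload else None
    uniform = payload != b"" and payload == bytes([fill]) * len(payload)
    missing = total_len - len(pkt)          # octets lost to the snaplen
    padded = icmp + bytes([fill]) * missing if uniform and missing >= 0 else icmp
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "ttl": ttl, "protocol": proto, "total_length": total_len,
        "captured": len(pkt), "truncated": missing > 0,
        "ip_checksum_ok": inet_checksum(pkt[:ihl]) == 0,
        "icmp_type": itype, "icmp_code": code,
        "payload_fill": fill if uniform else None,
        "icmp_checksum_ok_when_padded": uniform and inet_checksum(padded) == 0,
    }

def is_welchia_like(info: dict) -> bool:
    """Assumed signature (mine, not from the thread): ICMP echo request in a
    92-octet datagram whose payload is entirely 0xaa and checksums cleanly."""
    return (info["protocol"] == 1 and info["icmp_type"] == 8
            and info["total_length"] == 92 and info["payload_fill"] == 0xAA
            and info["icmp_checksum_ok_when_padded"])
```

Running parse_capture(CAPTURED_HEX) reports src 10.4.1.2, TTL 127, total length 92 of which 68 were captured, a valid IP header checksum, and an ICMP checksum that verifies once the 24 missing octets are filled with 0xaa.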