Is everyone else seeing ICMP echo request packets sent to random IPs from what appear to be insecure Windows machines? The pings seem to be appearing every few minutes, and don't seem to be isolated to any particular ISP, or even anywhere in particular in the world, which is easily confirmed by ssh'ing to machines in the US and EU and doing tcpdump and seeing exactly the same traffic.

The pings look like:

00:53:59.511049 61.85.33.233 > xx.xx.xx.xx: icmp: echo request (ttl 114, id 32026, len 92)
0x0000 4500 005c 7d1a 0000 7201 028e 3d55 21e9 E..\}...r...=U!.
0x0010 xxxx xxxx 0800 fba0 0400 a309 aaaa aaaa .m.M............
0x0020 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
0x0030 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
0x0040 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
0x0050 aaaa aaaa aaaa aaaa aaaa aaaa ............

This seems to have been going on for quite a long time (a week? two weeks?) and the source addresses seem rather varied. Current speculation is that this is an attack on the source address done by spoofing the source to be the target and sending to legitimate destination addresses.

Does anyone have any more information?

--
Xerox does it again and again and again and ...
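As an added example (not from the thread or any poster), a small Python parser that rebuilds the packet from tcpdump hex output like the dump above, verifies the ICMP checksum, and flags echo requests matching the pattern described here (IP length 92, 64-byte payload of 0xaa). The sample dump is the one posted, with the redacted destination filled in as an assumed 10.0.0.1.

```python
import re
# Constructed sample: the tcpdump output posted in the thread, with the redacted
# destination ("xxxx xxxx") filled in as 10.0.0.1 (an assumed placeholder).
SAMPLE_DUMP = """\
00:53:59.511049 61.85.33.233 > 10.0.0.1: icmp: echo request (ttl 114, id 32026, len 92)
0x0000 4500 005c 7d1a 0000 7201 028e 3d55 21e9 E..\\}...r...=U!.
0x0010 0a00 0001 0800 fba0 0400 a309 aaaa aaaa ................
0x0020 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
0x0030 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
0x0040 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
0x0050 aaaa aaaa aaaa aaaa aaaa aaaa ............
"""
HEX_WORD = re.compile(r"[0-9a-f]{4}")

def parse_tcpdump_hex(dump):
    """Rebuild raw packets from 'tcpdump -x' text; a summary line (no 0x offset) starts a packet."""
    packets = []
    for tokens in (l.split() for l in dump.splitlines() if l.strip()):
        if not tokens[0].startswith("0x"):
            packets.append(bytearray())
            continue
        for tok in tokens[1:9]:  # at most 8 hex words per line; the ASCII column follows
            if not HEX_WORD.fullmatch(tok):
                break
            packets[-1].extend(bytes.fromhex(tok))
    return [bytes(p) for p in packets]

def inet_checksum(data):
    """RFC 1071 one's-complement sum; returns 0 when an embedded checksum verifies."""
    data += b"\x00" * (len(data) % 2)
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def classify(pkt):
    """Decode IPv4/ICMP headers and flag the probe pattern from the thread (echo request, len 92, 0xaa payload)."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = int.from_bytes(pkt[2:4], "big")
    icmp = pkt[ihl:total_len]
    info = {"src": ".".join(str(b) for b in pkt[12:16]), "ttl": pkt[8],
            "len": total_len, "proto": pkt[9],
            "icmp_type": icmp[0] if icmp else None,
            "cksum_ok": bool(icmp) and inet_checksum(icmp) == 0}
    info["welchia_like"] = (info["proto"] == 1 and info["icmp_type"] == 8
                            and total_len == 92 and icmp[8:] == b"\xaa" * 64)
    return info

def scan(dump):
    return [classify(p) for p in parse_tcpdump_hex(dump)]
```

The ICMP checksum in the posted dump (0xfba0) verifies against the 0xaa payload, so the check distinguishes a real probe from a mangled capture.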
Further to this, most (if not all) of the pinging machines are listening on port 707, and 1025 (as well as 139 often).

Perhaps a new bug for the week?

Cheers,
Tim.

On Tue, Aug 19, 2003 at 01:08:59AM +1200, Perry Lorier wrote:
Is everyone else seeing ICMP echo request packets sent to random IPs from what appear to be insecure Windows machines? The pings seem to be appearing every few minutes, and don't seem to be isolated to any particular ISP, or even anywhere in particular in the world, which is easily confirmed by ssh'ing to machines in the US and EU and doing tcpdump and seeing exactly the same traffic.
The pings look like:
00:53:59.511049 61.85.33.233 > xx.xx.xx.xx: icmp: echo request (ttl 114, id 32026, len 92)
0x0000 4500 005c 7d1a 0000 7201 028e 3d55 21e9 E..\}...r...=U!.
0x0010 xxxx xxxx 0800 fba0 0400 a309 aaaa aaaa .m.M............
0x0020 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
0x0030 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
0x0040 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
0x0050 aaaa aaaa aaaa aaaa aaaa aaaa ............
-- Tim Thomson
Tim Thomson wrote:
Further to this, most (if not all) of the pinging machines are listening on port 707, and 1025 (as well as 139 often).
Then perhaps this report might shed some light.

<snip>
WORM_MSBLAST.D

Description: TrendLabs has been receiving several infection reports of this new variant of WORM_MSBLAST.A
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST....

It usually arrives as DLLHOST.EXE (~10,240 bytes) and opens port 707, for its malicious routines. (Note: There is a normal system file with the name DLLHOST.EXE but it is only 6 kilobytes in size.)
</snip>

New variant of the MSBLAST virus. Haven't had a good look at this as I've only just finished work and sleep is the most important thing on my mind right now.

--
Gavin Grieve
On Tue, Aug 19, 2003 at 03:11:49AM +1200, Gavin Grieve wrote:
Then perhaps this report might shed some light.
New variant of the MSBLAST virus.
Odd that it pings before scanning. Didn't notice the 135 probes after the ping, because so many people have 135 blocked now, so only the odd one got through after the ping. I guess this makes it more dangerous, as malicious people will be able to see the pings, even if they can't see the 135 connection, and then they could connect in on port 707.

Nice job with the automatic patching of the machine from various vulnerabilities... it probably does it without requiring a reboot :P

Cheers,
Tim.
Do keep an eye on that ICMP traffic. People are seemingly forgetting that this RPC vulnerability can be used as a powerful DDoS tool... Already reports of massive DDoS attacks being generated by botnets being set up around the place on vulnerable machines....

Cheers,
M

-----Original Message-----
From: Tim Thomson [mailto:tim.thomson(a)paradise.net.nz]
Sent: Tuesday, August 19, 2003 4:11 AM
To: nznog(a)list.waikato.ac.nz
Subject: Re: [nznog] Weird pings

On Tue, Aug 19, 2003 at 03:11:49AM +1200, Gavin Grieve wrote:
Then perhaps this report might shed some light.
New variant of the MSBLAST virus.

Odd that it pings before scanning. Didn't notice the 135 probes after the ping, because so many people have 135 blocked now, so only the odd one got through after the ping. I guess this makes it more dangerous, as malicious people will be able to see the pings, even if they can't see the 135 connection, and then they could connect in on port 707.

Nice job with the automatic patching of the machine from various vulnerabilities... it probably does it without requiring a reboot :P

Cheers,
Tim.
I'm seeing an echo request every 5 seconds or so to my lil /27 range.
Same size & content. It began early yesterday evening.
Zach.
On Tue, 19 Aug 2003 01:08:59, Perry Lorier
Is everyone else seeing ICMP echo request packets sent to random IP's from what appear to be insecure windows machines? The pings seem to be appearing every few minutes, and don't seem to be isolated to any particular ISP, or even anywhere in particular in the world, which is easily confirmed by ssh'ing to machines in the US and EU and doing tcpdump and seeing exactly the same traffic.
-- Services & Support Bulletin Wireless | www.bulletinwireless.com This email is digitally signed | Key ID 0x3F9AA9A2
Could it have something to do with this new worm, W32/Nachi?

New variant of Blaster worm "fixes" infected systems

"Microsoft Windows users infected last week by the W32.Blaster worm might appreciate the attention of a new version of that worm that cleans corrupted systems, then installs a software patch to prevent future infections."

Or not, as the case may be...

"After infecting vulnerable Windows 2000 or Windows XP machines, the new worm searches for and removes the Blaster worm file, Msblast.exe, and attempts to download and install a Windows software patch from Microsoft that closes the security hole used by the worm, according to antivirus companies. The new worm hides behind a different file name from the Blaster worm, Dllhost.exe, which allows it to bypass antivirus software configured to detect and stop Blaster, according to Ian Hameroff, security strategist at Computer Associates International."

http://computerworld.co.nz/webhome.nsf/nl/11EB8FEAE5D99127CC256D8600740667
Participants (6): Gavin Grieve, Mark Piper, Paul Brislen, Perry Lorier, Tim Thomson, Zach Bagnall