RE: ICMP Help

From: W Shawn Falconbury (shawnat_private)
Date: Thu Jun 28 2001 - 13:15:54 PDT


    We were hit with an ICMP flood attack earlier this week. I was able to
    trace the attack back to a couple of bots programmed to exploit a known
    Windows IIS hole and set up housekeeping on a zombie, after which it
    starts generating ICMP floods to what seem like random IP addresses.
    
    
    6/27/2001 9:16:42 PM.4157
    0000:  21 45 00 00 38 00 00 00 00 FA 01 1C 9C 9D 82 44   !E..8..........D
    0010:  09 D8 4C EA 50 03 01 B6 D1 00 00 00 00 45 00 00   ..L.P........E..
    0020:  30 18 53 40 00 7B 06 AE 1F D8 4C EA 50 D9 93 9D   0.S@.{....L.P...
    0030:  24 08 BA 00 50 7B 36 C1 EC                        $...P{6..

    6/27/2001 9:16:42 PM.4357
    0000:  21 45 00 00 38 00 00 00 00 FA 01 D7 DF 3F 7A E6   !E..8........?z.
    0010:  CD D8 4C EA 50 03 01 13 63 00 00 00 00 45 00 00   ..L.P...c....E..
    0020:  30 18 54 40 00 7B 06 86 EC D8 4C EA 50 6A 86 33   0.T@.{....L.Pj.3
    0030:  64 08 B7 00 50 7B 34 65 60                        d...P{4e`

    6/27/2001 9:16:42 PM.4858
    0000:  21 45 00 00 38 00 00 00 00 FA 01 1C 9C 9D 82 44   !E..8..........D
    0010:  09 D8 4C EA 50 03 01 79 CF 00 00 00 00 45 00 00   ..L.P..y.....E..
    0020:  30 18 58 40 00 7B 06 3B 97 D8 4C EA 50 6E B1 7A   0.X@.{.;..L.Pn.z
    0030:  8A 08 BE 00 50 7B 39 FE E7                        ....P{9..

    6/27/2001 9:16:42 PM.5158
    0000:  21 45 00 00 38 00 00 00 00 FA 01 1C 9C 9D 82 44   !E..8..........D
    0010:  09 D8 4C EA 50 03 01 7F 39 00 00 00 00 45 00 00   ..L.P...9....E..
    0020:  30 18 5B 40 00 7B 06 A5 85 D8 4C EA 50 36 DA 48   0.[@.{....L.P6.H
    0030:  70 08 EB 00 50 7B 5A F9 2F                        p...P{Z./

    6/27/2001 9:16:42 PM.5259
    0000:  21 45 00 00 38 00 00 00 00 FA 01 1C 9C 9D 82 44   !E..8..........D
    0010:  09 D8 4C EA 50 03 01 EF FD 00 00 00 00 45 00 00   ..L.P........E..
    0020:  30 18 5A 40 00 7B 06 A3 4C D8 4C EA 50 DA 5A A7   0.Z@.{..L.L.P.Z.
    0030:  29 08 F4 00 50 7B 61 88 5B                        )...P{a.[
    
    
    
    I do have the bots if anyone wants to check them out.
    
    
    
    W. Shawn Falconbury
    MIS Director Wyetech Inc.
    shwnat_private
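As an added example (not code from the original post, nor from any tool the poster used), the following Python script decodes the five dumps above using the IPv4 and ICMP header layouts from RFC 791 and RFC 792. It assumes the leading 0x21 byte of each dump is a capture-tool prefix rather than part of the datagram; the script checks that assumption by comparing the IPv4 total-length field with the number of bytes that remain, and it verifies the IP and ICMP checksums before trusting the decode. For ICMP error messages it also decodes the quoted datagram header and the first eight bytes of its transport header. Every address, port and TTL it reports is read straight from the bytes on the page; the script supplies no data of its own.

```python
"""Decode the ICMP dumps quoted in the post above (RFC 791 / RFC 792 layouts).

Added example, not part of the original message. Assumption: the leading 0x21
byte of every dump is a capture-tool prefix, so the IPv4 header starts at
offset 1. decode_icmp_dump() verifies this by checking that the IPv4
total-length field equals the byte count left once the prefix is dropped.
"""
import re
import struct
from ipaddress import IPv4Address

# Hex columns of the five dumps in the post (ASCII column omitted).
DUMPS = [
    "0000: 21 45 00 00 38 00 00 00 00 FA 01 1C 9C 9D 82 44\n"
    "0010: 09 D8 4C EA 50 03 01 B6 D1 00 00 00 00 45 00 00\n"
    "0020: 30 18 53 40 00 7B 06 AE 1F D8 4C EA 50 D9 93 9D\n"
    "0030: 24 08 BA 00 50 7B 36 C1 EC",
    "0000: 21 45 00 00 38 00 00 00 00 FA 01 D7 DF 3F 7A E6\n"
    "0010: CD D8 4C EA 50 03 01 13 63 00 00 00 00 45 00 00\n"
    "0020: 30 18 54 40 00 7B 06 86 EC D8 4C EA 50 6A 86 33\n"
    "0030: 64 08 B7 00 50 7B 34 65 60",
    "0000: 21 45 00 00 38 00 00 00 00 FA 01 1C 9C 9D 82 44\n"
    "0010: 09 D8 4C EA 50 03 01 79 CF 00 00 00 00 45 00 00\n"
    "0020: 30 18 58 40 00 7B 06 3B 97 D8 4C EA 50 6E B1 7A\n"
    "0030: 8A 08 BE 00 50 7B 39 FE E7",
    "0000: 21 45 00 00 38 00 00 00 00 FA 01 1C 9C 9D 82 44\n"
    "0010: 09 D8 4C EA 50 03 01 7F 39 00 00 00 00 45 00 00\n"
    "0020: 30 18 5B 40 00 7B 06 A5 85 D8 4C EA 50 36 DA 48\n"
    "0030: 70 08 EB 00 50 7B 5A F9 2F",
    "0000: 21 45 00 00 38 00 00 00 00 FA 01 1C 9C 9D 82 44\n"
    "0010: 09 D8 4C EA 50 03 01 EF FD 00 00 00 00 45 00 00\n"
    "0020: 30 18 5A 40 00 7B 06 A3 4C D8 4C EA 50 DA 5A A7\n"
    "0030: 29 08 F4 00 50 7B 61 88 5B",
]

CAPTURE_PREFIX_LEN = 1  # assumption: one sniffer prefix byte before the IP header
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable",
                 2: "protocol unreachable", 3: "port unreachable"}  # RFC 792, type 3


def dump_to_bytes(text):
    """Turn 'OFFSET: xx xx ...' lines into bytes; a trailing ASCII column is ignored."""
    out = bytearray()
    for line in text.splitlines():
        m = re.match(r"\s*[0-9A-Fa-f]{4}:\s*((?:[0-9A-Fa-f]{2}(?:\s+|$))+)", line)
        if m:
            out += bytes.fromhex(m.group(1))
    return bytes(out)


def inet_checksum(data):
    """RFC 1071 one's-complement checksum; returns 0 when run over a correct header."""
    data = bytes(data) + (b"\x00" if len(data) % 2 else b"")
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(buf):
    """Return (header dict, payload) for the IPv4 datagram at the start of buf."""
    ver_ihl, _tos, total_len, ident, frag, ttl, proto, _chk, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (ver_ihl & 0x0F) * 4
    hdr = {"version": ver_ihl >> 4, "total_len": total_len, "id": ident,
           "df": bool(frag & 0x4000), "ttl": ttl, "proto": proto,
           "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
           "header_ok": inet_checksum(buf[:ihl]) == 0}
    return hdr, buf[ihl:]


def decode_icmp_dump(text):
    """Decode one dump; for ICMP error messages also decode the quoted datagram."""
    raw = dump_to_bytes(text)[CAPTURE_PREFIX_LEN:]
    outer, payload = parse_ipv4(raw)
    if outer["version"] != 4 or outer["total_len"] != len(raw):
        raise ValueError("not IPv4, or the capture-prefix assumption is wrong")
    if outer["proto"] != 1:
        raise ValueError("IP protocol %d is not ICMP" % outer["proto"])
    icmp_type, icmp_code, _chk = struct.unpack("!BBH", payload[:4])
    info = {"outer": outer, "type": icmp_type, "code": icmp_code,
            "icmp_ok": inet_checksum(payload) == 0,
            "kind": UNREACH_CODES.get(icmp_code, "?") if icmp_type == 3 else None}
    # Types 3, 4, 5, 11 and 12 quote the offending datagram: IP header + 8 bytes.
    if icmp_type in (3, 4, 5, 11, 12) and len(payload) >= 28:
        inner, inner_payload = parse_ipv4(payload[8:])
        if inner["proto"] == 6 and len(inner_payload) >= 8:       # TCP: ports + seq
            inner["sport"], inner["dport"], inner["seq"] = struct.unpack("!HHI", inner_payload[:8])
        elif inner["proto"] == 17 and len(inner_payload) >= 4:    # UDP: ports only
            inner["sport"], inner["dport"] = struct.unpack("!HH", inner_payload[:4])
        info["inner"] = inner
    return info


def decode_all(dumps=DUMPS):
    return [decode_icmp_dump(d) for d in dumps]


if __name__ == "__main__":
    for p in decode_all():
        o, i = p["outer"], p.get("inner", {})
        print("%s -> %s  ICMP %d/%d (%s) chk_ok=%s  quoting %s:%s -> %s:%s proto %s"
              % (o["src"], o["dst"], p["type"], p["code"], p["kind"], p["icmp_ok"],
                 i.get("src"), i.get("sport"), i.get("dst"), i.get("dport"), i.get("proto")))
```

Run it as a script to get one summary line per dump. A dump that fails the length or checksum checks is a cue to revisit the prefix assumption rather than to trust the decoded fields; when the checksums do verify, the addresses and ports in the quoted header are the ones worth pivoting on when tracing which host originated the traffic that the ICMP errors are answering.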
    
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Fri Jun 29 2001 - 08:24:31 PDT