I don't think you should be looking for a ping scan tool. From the data you sent, it seems that the box x.x.x.x tried to connect to 202.46.194.5 on port TCP 32165 and, since that host doesn't exist/is not alive, you get the ICMP Unreachable issued from 204.255.169.37 (some router in the way).

The question is, did the first packet x.x.x.x:23547 -> 202.46.194.5:32165 really originate from your network? If not, maybe someone is using x.x.x.x as a zombie host for doing idlescans for 202.46.194.5.

Just my .02 Euros

Fernando

--
Fernando Cardoso - Security Consultant
WhatEverNet Computing, S.A.       Phone : +351 21 7994200
Praca de Alvalade, 6 - Piso 6     Fax   : +351 21 7994242
1700-036 Lisboa - Portugal        email : fernando.cardosoat_private
http://www.whatevernet.com/

> Greetings,
>
> can anyone identify the following Ping Scan tool?
>
> I usually get a few of those 'ICMP unreachables' (supposedly coming
> from some IPs that don't exist/don't have servers). However, over the
> last few days I've seen a drastic increase. Anyone seeing the same?
>
> Regards,
> Frank
>
>
> [**] Ping Scan [**]
> 09/14-21:42:32.798231 204.255.169.37 -> x.x.x.x
> ICMP TTL:247 TOS:0x0 ID:0 IpLen:20 DgmLen:56
> Type:3 Code:1 DESTINATION UNREACHABLE: HOST UNREACHABLE
> ** ORIGINAL DATAGRAM DUMP:
> x.x.x.x:23547 -> 202.46.194.5:32165
> TCP TTL:188 TOS:0x8 ID:30922 IpLen:20 DgmLen:40
> Seq: 0x74832EB6 Ack: 0x10BDC00C
> ** END OF DUMP
> 00 00 00 00 45 08 00 28 78 CA 40 00 BC 06 78 CA  ....E..(x.@...x.
> xx xx xx xx CA 2E C2 05 5B FB 7D A5 74 83 2E B6  Aj......[.}.t...
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
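Added example (not part of the original thread): a Python sketch that decodes the original datagram quoted inside the ICMP unreachable from the alert's hex dump and checks it against a site's own egress flow records, which is one way to answer whether the first packet really left the local network. The source address 192.0.2.10 stands in for the masked x.x.x.x, and the flow-record set and function names are assumptions made for illustration.

```python
import ipaddress
import struct

# Bytes from the alert's hex dump: 4 unused ICMP bytes, then the quoted IP
# header and the first 8 bytes of TCP. The source address is masked (xx) on
# the page, so 192.0.2.10 (C0 00 02 0A) is a constructed stand-in.
ICMP_BODY = bytes.fromhex(
    "00000000" "45080028" "78CA4000" "BC0678CA"
    "C000020A" "CA2EC205" "5BFB7DA5" "74832EB6"
)

def parse_quoted_datagram(icmp_body):
    """Decode the original datagram quoted inside an ICMP type 3 message."""
    quoted = icmp_body[4:]                      # skip the 4 unused bytes
    if len(quoted) < 20 or quoted[0] >> 4 != 4:
        raise ValueError("no IPv4 header quoted in the ICMP error")
    ihl = (quoted[0] & 0x0F) * 4                # IP header length in bytes
    if ihl < 20 or len(quoted) < ihl + 8:
        raise ValueError("quoted datagram truncated before the ports")
    tos, total_len, ip_id = struct.unpack("!xBHH", quoted[:6])
    info = {
        "tos": tos, "len": total_len, "id": ip_id,
        "ttl": quoted[8], "proto": quoted[9],
        "src": str(ipaddress.IPv4Address(quoted[12:16])),
        "dst": str(ipaddress.IPv4Address(quoted[16:20])),
        "sport": None, "dport": None, "seq": None,
    }
    if info["proto"] in (6, 17):                # TCP and UDP start with ports
        info["sport"], info["dport"] = struct.unpack("!HH", quoted[ihl:ihl + 4])
    if info["proto"] == 6:                      # next 4 TCP bytes: sequence no.
        info["seq"] = struct.unpack("!I", quoted[ihl + 4:ihl + 8])[0]
    return info

def originated_locally(info, egress_flows):
    """True if our own egress records contain the flow the ICMP error quotes.

    egress_flows: set of (src, sport, dst, dport) tuples taken from firewall
    or NetFlow logs around the alert time (hypothetical record format).
    """
    return (info["src"], info["sport"], info["dst"], info["dport"]) in egress_flows

if __name__ == "__main__":
    q = parse_quoted_datagram(ICMP_BODY)
    print(q)
    # Constructed case: the egress log holds no such flow, so the quoted
    # packet was not sent by the local host (its address was likely spoofed).
    print("seen leaving our network:", originated_locally(q, set()))
```

If the quoted flow never appears in the egress records, the unreachables are replies to packets sent elsewhere with the local address as source.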
This archive was generated by hypermail 2b30 : Mon Sep 17 2001 - 08:25:55 PDT