Simultaneous ping from lots of different hosts.

From: Johannes Verelst (johannesat_private)
Date: Mon Oct 29 2001 - 06:55:40 PST

Today, my icmplogd showed that I was being pinged from a lot of different
hosts. I got curious, because this is quite unusual on my machine, so I
started a little investigation.

First of all, the IPs all ping within the same second (syslog can't
measure more accurately than that). There are several 'sweeps', ranging from
4 to 6 icmp_echos. These sweeps started around one month ago, but with
very low intensity. During the month the intensity went up.

I took one of the IPs and looked up the owner of the netblock. Pasting
this into Google gave a very interesting thread on the Snort-users
mailing list: The most
interesting part: this happened exactly 11 months ago, 28 November 2000.
The list of hosts mentioned is partly the same as the IPs that I see,
more specifically:

I have ICMP-fingerprinted the hosts with the utility xprobe; all of them
gave the following OS fingerprint:

Linux 2.2.x/2.4.5+ kernel

except for two IPs:,

These IPs give the following fingerprint:

FINAL:[ 3Com SuperStack II Switch SWNBBSI-CF,
Nokia IPSO 3.2-2.3.1 releng 783-849
Ricoh Aficio AP4500 Network Laster Printer
Linux 2.0.x/2.2.x/2.4.x
Shiva AccessPort Bridge/Router Software V.2.1.0 ]

Those IPs also have port 80 open. A small HEAD gives:

HTTP/1.0 200 OK
Date: Mon, 29 Oct 2001 14:52:48 GMT
Server: swcd/4.0.0003
Connection: close

So, does anybody know what this is? The strange thing is that almost a
year ago (exactly 11 months) somebody got exactly the same 'probes'.
Strangely enough, no TCP connections are made (I usually have UDP logging
disabled because there's a _lot_ of UDP traffic. I enabled it now to see
if anything is happening). If anybody has any suggestions of how to be
more paranoid, please let me know.

Kind regards,
Johannes Verelst

Unix is simple. It just takes a genius to understand its simplicity
Make it idiot proof, and someone will make a better idiot.
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see:
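The post's core observation is that the echo requests arrive from many distinct hosts within the same syslog second, in repeated sweeps of a few hosts each. The following script, added here as an illustration and not part of the original message or of icmplogd, shows how to pull those sweeps out of a syslog file mechanically: it groups echo-request log lines by their one-second timestamp, flags seconds with at least a configurable number of distinct source addresses, and lists the sources that recur across sweeps (the stable membership the poster matched against the older Snort-users thread). The log line format, the threshold of 4 (the smallest sweep size the post reports) and the sample addresses are constructed assumptions; icmplogd's real output format is not shown on the page.

```python
import re
from collections import defaultdict

# Constructed sample log in an ASSUMED icmplogd/syslog-style format. The
# addresses are RFC 5737 documentation ranges, not hosts from the post.
SAMPLE_LOG = """\
Oct 29 14:52:48 gw icmplogd: ping from 192.0.2.10 [192.0.2.10]
Oct 29 14:52:48 gw icmplogd: ping from 198.51.100.7 [198.51.100.7]
Oct 29 14:52:48 gw icmplogd: ping from 203.0.113.22 [203.0.113.22]
Oct 29 14:52:48 gw icmplogd: ping from 192.0.2.77 [192.0.2.77]
Oct 29 14:52:48 gw icmplogd: ping from 198.51.100.9 [198.51.100.9]
Oct 29 14:53:10 gw icmplogd: ping from 192.0.2.10 [192.0.2.10]
Oct 29 15:10:03 gw icmplogd: ping from 203.0.113.22 [203.0.113.22]
Oct 29 15:10:03 gw icmplogd: ping from 203.0.113.22 [203.0.113.22]
Oct 29 15:10:03 gw icmplogd: ping from 192.0.2.77 [192.0.2.77]
Oct 29 15:10:03 gw icmplogd: ping from 198.51.100.7 [198.51.100.7]
Oct 29 15:10:03 gw icmplogd: ping from 198.51.100.9 [198.51.100.9]
"""

# Assumed line layout: "<Mon DD HH:MM:SS> <host> icmplogd: ping from <name> [<ip>]"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ icmplogd: ping from "
    r"(?P<src>\S+) \[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
)


def parse(lines):
    """Yield (syslog_timestamp, source_ip) for every line matching LINE_RE."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("ip")


def find_sweeps(lines, min_sources=4):
    """Group echo requests by their syslog second and return the seconds in
    which at least `min_sources` distinct source IPs pinged.

    syslog has one-second resolution, so "same second" is the finest grouping
    available; repeated pings from one host within a second count once.
    Results keep log order (dict insertion order follows the file)."""
    by_second = defaultdict(set)
    for ts, ip in parse(lines):
        by_second[ts].add(ip)
    return [(ts, sorted(ips)) for ts, ips in by_second.items()
            if len(ips) >= min_sources]


def recurring_sources(sweeps, min_sweeps=2):
    """Return IPs that took part in at least `min_sweeps` sweeps, i.e. the
    stable membership of the pinging group worth comparing against older
    reports."""
    counts = defaultdict(int)
    for _, ips in sweeps:
        for ip in ips:
            counts[ip] += 1
    return sorted(ip for ip, n in counts.items() if n >= min_sweeps)


if __name__ == "__main__":
    sweeps = find_sweeps(SAMPLE_LOG.splitlines())
    for ts, ips in sweeps:
        print(f"{ts}: {len(ips)} distinct hosts -> {', '.join(ips)}")
    print("recurring across sweeps:", recurring_sources(sweeps))
```

Run against a real syslog file, replace SAMPLE_LOG with the file's lines and adjust LINE_RE to the logger's actual format; the grouping and recurrence logic does not depend on the line layout. Counting distinct sources per second rather than total packets is what separates a coordinated multi-host sweep from one noisy host.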

    This archive was generated by hypermail 2b30 : Mon Oct 29 2001 - 08:31:30 PST