Simultaneous ping from lots of different hosts.

From: Johannes Verelst (johannesat_private)
Date: Mon Oct 29 2001 - 06:55:40 PST


    Hi,
    
    Today, my icmplogd showed that I was being pinged from a lot of different
    hosts. I got curious, because this is quite unusual on my machine, so I
    started a little investigation.
    
    First of all, the IPs all ping within the same second (syslog can't
    measure more accurately than that). There are several 'sweeps', ranging from
    4 to 6 icmp_echo's. These sweeps started around one month ago, but with
    very low intensity. During the month, the intensity went up.
    
    I took one of the IPs and looked up the owner of the netblock. Pasting
    this into Google gave a very interesting thread on the Snort-users
    mailing list:
    http://archives.neohapsis.com/archives/snort/2000-11/0366.html. The most
    interesting part: this happened exactly 11 months ago, 28 November 2000.
    The list of hosts mentioned is partly the same as the IPs that I see,
    more specifically:
    
    208.185.54.14
    204.176.88.5
    207.235.98.194
    
    I have ICMP-fingerprinted the hosts with the utility xprobe; all of them
    gave the following OS fingerprint:
    Linux 2.2.x/2.4.5+ kernel
    
    except for two IPs:
    204.176.88.5, h-213.61.6.2.host.de.colt.net
    
    These IPs give the following fingerprint:
    FINAL:[ 3Com SuperStack II Switch SWNBBSI-CF,11.1.0.00S38
    Nokia IPSO 3.2-2.3.1 releng 783-849
    Ricoh Aficio AP4500 Network Laster Printer
    Linux 2.0.x/2.2.x/2.4.x
    Shiva AccessPort Bridge/Router Software V.2.1.0 ]
    
    Those IPs also have port 80 open. A small HEAD gives:
    HTTP/1.0 200 OK
    Date: Mon, 29 Oct 2001 14:52:48 GMT
    Server: swcd/4.0.0003
    Connection: close
    
    So, does anybody know what this is? The strange thing is that almost a
    year ago (exactly 11 months) somebody got exactly the same 'probes'.
    Strangely enough, no TCP connections are made (I usually have UDP logging
    disabled because there's a _lot_ of UDP traffic. I enabled it now to see
    if anything is happening). If anybody has any suggestions on how to be
    more paranoid, please let me know.
    
    Kind regards,
    
    Johannes Verelst
    --
    Unix is simple. It just takes a genius to understand its simplicity
    Make it idiot proof, and someone will make a better idiot.
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
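Detection logic for the pattern the post describes (several distinct sources hitting within the same logged second, and the same hosts turning up again in later sweeps), as an added example that is not part of the original post. The icmplogd line layout and all addresses in the sample are constructed assumptions, not the poster's actual log.

```python
import re
from collections import defaultdict

# Constructed sample in an assumed syslog/icmplogd-like layout.
# Two seconds each carry four distinct sources; two sources recur in both.
SAMPLE_LOG = """\
Oct 29 14:52:47 gw icmplogd: icmp_echo from 10.0.0.9
Oct 29 14:52:48 gw icmplogd: icmp_echo from 192.0.2.10
Oct 29 14:52:48 gw icmplogd: icmp_echo from 192.0.2.11
Oct 29 14:52:48 gw icmplogd: icmp_echo from 198.51.100.3
Oct 29 14:52:48 gw icmplogd: icmp_echo from 203.0.113.8
Oct 29 14:53:30 gw icmplogd: icmp_echo from 10.0.0.9
Oct 29 15:10:02 gw icmplogd: icmp_echo from 192.0.2.10
Oct 29 15:10:02 gw icmplogd: icmp_echo from 192.0.2.11
Oct 29 15:10:02 gw icmplogd: icmp_echo from 198.51.100.44
Oct 29 15:10:02 gw icmplogd: icmp_echo from 203.0.113.200
"""

# Assumed line format: "<Mon> <day> <HH:MM:SS> <host> icmplogd: icmp_echo from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ icmplogd: icmp_echo from "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse(log):
    """Yield (timestamp_string, source_ip) for every icmp_echo line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("src")


def find_sweeps(log, min_sources=4):
    """Return [(ts, sorted_sources)] for each second with >= min_sources
    distinct sources. Syslog only gives one-second resolution, so the
    'same second' is the tightest bucket available here."""
    by_second = defaultdict(set)
    for ts, src in parse(log):
        by_second[ts].add(src)
    return [(ts, sorted(srcs)) for ts, srcs in sorted(by_second.items())
            if len(srcs) >= min_sources]


def recurring_sources(sweeps):
    """Sources seen in more than one sweep: the 'same hosts again' signal."""
    counts = defaultdict(int)
    for _, srcs in sweeps:
        for s in srcs:
            counts[s] += 1
    return sorted(s for s, n in counts.items() if n > 1)
```

Lowering `min_sources` trades false positives against sensitivity; the single-host lines in the sample never trigger, while each four-source second does.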
    



    This archive was generated by hypermail 2b30 : Mon Oct 29 2001 - 08:31:30 PST