Simultanious ping from lots of different hosts.

From: Johannes Verelst (johannesat_private)
Date: Mon Oct 29 2001 - 06:55:40 PST

Next message: John Brahy: "rpc.statd buffer overflow attempt?"

Previous message: Mike Lewinski: "Re: Use of HEAD in web server scan"
Next in thread: Hubert BUT: "Re: Simultanious ping from lots of different hosts."
Reply: Hubert BUT: "Re: Simultanious ping from lots of different hosts."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

Today, my icmplogd showed that I was being pinged from a lot of different
hosts. I got curious, because this is quite unusual on my machine, so I
started a little investigation.

First of all, the IP's ping all within the same second (syslog can't
measure more accurate than that). There are several 'sweeps', ranging from
4 to 6 icmp_echo's. These sweeps started around one month ago, but with
very low intensity. During the month intensity went up.

I took one of the IP's and looked up the owner of the netblock. Pasting
this into google gave a very interesting thread on the Snort-users
mailinglist:
http://archives.neohapsis.com/archives/snort/2000-11/0366.html. The most
interesting part: this happened exactly 11 months ago, 28 november 2000.
The list of hosts mentioned is partly the same as the IP's that I see,
more specific:

208.185.54.14
204.176.88.5
207.235.98.194

I have ICMP-fingerprinted the hosts with the utility xprobe, all of them
gave the following OS fingerprint:
Linux 2.2.x/2.4.5+ kernel

exept for two ips:
204.176.88.5, h-213.61.6.2.host.de.colt.net

These IP's give the following fingerprint:
FINAL:[ 3Com SuperStack II Switch SWNBBSI-CF,11.1.0.00S38
Nokia IPSO 3.2-2.3.1 releng 783-849
Ricoh Aficio AP4500 Network Laster Printer
Linux 2.0.x/2.2.x/2.4.x
Shiva AccessPort Bridge/Router Software V.2.1.0 ]

Those IP's also have port 80 open. A small HEAD gives:
HTTP/1.0 200 OK
Date: Mon, 29 Oct 2001 14:52:48 GMT
Server: swcd/4.0.0003
Connection: close

So, does anybody know what this is? The strange thing is that almost a
year ago (exactly 11 months) somebody got exactly the same 'probes'.
Strangely enough, no tcp connections are made (i usually have udp logging
disabled because there's a _lot_ of UDP traffic. I enabled it now to see
if anything is happening). If anybody has any suggestions of how to be
more paranoid, please let me know.

Kind regards,

Johannes Verelst
--
Unix is simple. It just takes a genius to understand its simplicity
Make it idiot proof, and someone will make a better idiot.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: John Brahy: "rpc.statd buffer overflow attempt?"
Previous message: Mike Lewinski: "Re: Use of HEAD in web server scan"
Next in thread: Hubert BUT: "Re: Simultanious ping from lots of different hosts."
Reply: Hubert BUT: "Re: Simultanious ping from lots of different hosts."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Oct 29 2001 - 08:31:30 PST