Hi,

Today, my icmplogd showed that I was being pinged from a lot of different hosts. I got curious, because this is quite unusual on my machine, so I started a little investigation.

First of all, the IPs ping all within the same second (syslog can't measure more accurately than that). There are several 'sweeps', ranging from 4 to 6 icmp_echo's. These sweeps started around one month ago, but with very low intensity. During the month the intensity went up.

I took one of the IPs and looked up the owner of the netblock. Pasting this into Google gave a very interesting thread on the Snort-users mailing list: http://archives.neohapsis.com/archives/snort/2000-11/0366.html. The most interesting part: this happened exactly 11 months ago, 28 November 2000. The list of hosts mentioned is partly the same as the IPs that I see, more specifically:

  208.185.54.14
  204.176.88.5
  207.235.98.194

I have ICMP-fingerprinted the hosts with the utility xprobe; all of them gave the following OS fingerprint:

  Linux 2.2.x/2.4.5+ kernel

except for two IPs: 204.176.88.5, h-213.61.6.2.host.de.colt.net. These IPs give the following fingerprint:

  FINAL:[ 3Com SuperStack II Switch SWNBBSI-CF,11.1.0.00S38
          Nokia IPSO 3.2-2.3.1 releng 783-849
          Ricoh Aficio AP4500 Network Laster Printer
          Linux 2.0.x/2.2.x/2.4.x
          Shiva AccessPort Bridge/Router Software V.2.1.0 ]

Those IPs also have port 80 open. A small HEAD gives:

  HTTP/1.0 200 OK
  Date: Mon, 29 Oct 2001 14:52:48 GMT
  Server: swcd/4.0.0003
  Connection: close

So, does anybody know what this is? The strange thing is that almost a year ago (exactly 11 months) somebody got exactly the same 'probes'. Strangely enough, no TCP connections are made (I usually have UDP logging disabled because there's a _lot_ of UDP traffic. I enabled it now to see if anything is happening).

If anybody has any suggestions of how to be more paranoid, please let me know.

Kind regards,
Johannes Verelst

--
Unix is simple. It just takes a genius to understand its simplicity
Make it idiot proof, and someone will make a better idiot.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
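The pattern the poster describes, several distinct hosts sending icmp_echo within the same syslog second and the same hosts showing up in sweep after sweep, can be pulled out of a log mechanically. The script below is an added example, not code from the post or from icmplogd; the syslog line format and the addresses in the sample log are constructed (documentation ranges), since real icmplogd output may differ.

```python
import re
from collections import defaultdict

# Assumed syslog-style icmplogd line (constructed for this example; adjust
# the regex to the real format of your logger):
#   "Oct 29 14:52:48 host icmplogd: ICMP echo from 192.0.2.10"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ icmplogd: "
    r"ICMP echo from (?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)

def parse_line(line):
    """Return (timestamp, source_ip) or None for unrelated syslog lines."""
    m = LINE_RE.match(line)
    return (m.group("ts"), m.group("src")) if m else None

def find_sweeps(lines, min_sources=4):
    """Group echo requests by one-second timestamp (syslog's resolution) and
    return every second in which at least min_sources distinct hosts pinged
    us. The post saw sweeps of 4 to 6 echoes, hence the default threshold."""
    by_second = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            ts, src = parsed
            by_second[ts].add(src)
    return {ts: sorted(s) for ts, s in by_second.items() if len(s) >= min_sources}

def recurring_sources(sweeps, min_sweeps=2):
    """Hosts that take part in more than one sweep; these are the candidates
    worth a whois/netblock lookup, as the poster did."""
    counts = defaultdict(int)
    for srcs in sweeps.values():
        for src in srcs:
            counts[src] += 1
    return sorted(src for src, n in counts.items() if n >= min_sweeps)

# Constructed sample log: two sweeps, one lone ping, one sub-threshold burst.
SAMPLE_LOG = [
    "Oct 29 14:52:48 myhost icmplogd: ICMP echo from 192.0.2.10",
    "Oct 29 14:52:48 myhost icmplogd: ICMP echo from 192.0.2.11",
    "Oct 29 14:52:48 myhost icmplogd: ICMP echo from 192.0.2.12",
    "Oct 29 14:52:48 myhost icmplogd: ICMP echo from 192.0.2.13",
    "Oct 29 14:52:49 myhost icmplogd: ICMP echo from 192.0.2.14",
    "Oct 29 14:53:01 myhost sshd[123]: Accepted publickey for alice",
    "Oct 29 15:03:02 myhost icmplogd: ICMP echo from 192.0.2.10",
    "Oct 29 15:03:02 myhost icmplogd: ICMP echo from 192.0.2.11",
    "Oct 29 15:03:02 myhost icmplogd: ICMP echo from 198.51.100.7",
    "Oct 29 15:03:02 myhost icmplogd: ICMP echo from 198.51.100.8",
    "Oct 29 15:03:02 myhost icmplogd: ICMP echo from 192.0.2.12",
    "Oct 29 15:10:00 myhost icmplogd: ICMP echo from 192.0.2.20",
    "Oct 29 15:10:00 myhost icmplogd: ICMP echo from 192.0.2.21",
    "Oct 29 15:10:00 myhost icmplogd: ICMP echo from 192.0.2.22",
]

if __name__ == "__main__":
    sweeps = find_sweeps(SAMPLE_LOG)
    for ts, srcs in sorted(sweeps.items()):
        print(f"{ts}: sweep from {len(srcs)} hosts: {', '.join(srcs)}")
    print("recurring:", recurring_sources(sweeps))
```

Run it over `/var/log/messages` (or wherever icmplogd writes) after adapting LINE_RE; lowering min_sources catches the low-intensity sweeps the post mentions from early in the month.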
This archive was generated by hypermail 2b30 : Mon Oct 29 2001 - 08:31:30 PST