On Wed, 31 Oct 2001, Mike Gilles wrote: > For any data to actually be transferred the packets would have to move up > the OSI model. (e.g. start a TCP session) So, in short, no I wouldn't be > overly concerned with this traffic. *sigh* I'm afraid you have just fallen victim to one of the most common problems within the security community, underestimating the enemy. Anything is possible. http://www.phrack.org/show.php?p=51&a=6 > -----Original Message----- > From: faial@rio-de-janeiro.sns.slb.com > > Today morning I start receiving a lot of ICMP packets from a host, > apparently in China (if the source address was not spoffed). The first > packet was: > > [2001-10-31 11:52:25] ICMP Destination Unreachable (Port Unreachable) > IPv4: 203.193.63.9 -> XXX.XXX.XXX.XXX > hlen=5 TOS=192 dlen=56 ID=37607 flags=0 offset=0 TTL=235 chksum=27228 > ICMP: type=Destination Unreachable code=Port Unreachable > checksum=39472 id= seq= > Payload: length = 32 > 000 : 00 00 00 00 45 00 00 4E F2 FE 00 00 68 11 8D DF ....E..N....h... > 010 : A3 BA 23 3C CB C1 3F 09 00 89 00 89 00 3A 61 80 ..#<..?......:a. > > following thousands of packets like this: > > [2001-10-31 12:42:10] ICMP Time-To-Live Exceeded in Transit > IPv4: 203.193.63.9 -> XXX.XXX.XXX.XXX > hlen=5 TOS=192 dlen=56 ID=49325 flags=0 offset=0 TTL=235 chksum=15510 > ICMP: type=Time Exceeded code=0 > checksum=48251 id= seq= > Payload: length = 32 > 000 : 00 00 00 00 45 00 00 74 4A A4 00 00 01 11 9D 13 ....E..tJ....... > 010 : A3 BA 23 3C CB C1 3F 0A 01 03 01 03 00 60 36 1E ..#<..?......`6. > > I know that this can be just legitimate ICMP traffic, but I have a bad > felling about this activity. I am sure that the target machine never tried > to connect to or to send any kind of packet to the 203.193.63.9 machine, so > ICMP Time-To-Live would not be expected. They are "unsolicited" packets. > > My question is "Can a hacker forge an ICMP packet to bypass the firewall > and use its payload (payload data is different for each packet received) to > send data to a trojan (listening for ICMP traffic on the target machine)? " ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Oct 31 2001 - 11:06:27 PST