Re: Should I be concerned about?

From: Jose Carlos Faial (faial@rio-de-janeiro.sns.slb.com)
Date: Thu Nov 01 2001 - 09:05:12 PST


    Thanks to all.
    
    I found the problem source: Check Point software sending VPN data 
    to an unreachable host. This time it was just legitimate traffic.
    
    Thanks to all again.
    
    
    
    At 07:21 PM 10/31/2001 -0800, John Sage wrote:
    >Jose:
    >
    >See:
    >
    >http://sys-security.com/archive/securityfocus/icmptools.html
    >
    >Ofir Arkin (who seems to hang out a lot on the snort list..) has quite a 
    >bit to say about icmp usage for nefarious purposes.
    >
    >The description of his web site/business is:
    >
    >"Sys-Security.com is a web site dedicated to computer security research. 
    >It is the home of the "ICMP Usage In Scanning" research project."
    >
    >
    >Also, snort seems to offer more information about the original packet 
    >payload; here's a sample from a thread ( 
    >http://www.incidents.org/archives/intrusions/msg01716.html )
    >that turned out to be an example of backscatter: forged "source" IP 
    >addresses that were originating in a DoS against an ISP in India back in 
    >September...
    >
    >
    >>Sep 14 19:14:55 greatwall kernel: Packet log: input ACCEPT ppp0 PROTO=1
    >>   208.51.243.18:3 12.82.133.214:1 L=56 S=0x00 I=0 F=0x0000 T=242 (#49)
    >>09/14-19:14:55.316850 208.51.243.18 -> 12.82.133.214
    >>ICMP TTL:242 TOS:0x0 ID:0 IpLen:20 DgmLen:56
    >>Type:3  Code:1  DESTINATION UNREACHABLE: HOST UNREACHABLE
    >>** ORIGINAL DATAGRAM DUMP:
    >>12.82.133.214:38844 -> 202.46.194.5:16925
    >>TCP TTL:233 TOS:0x8 ID:40770 IpLen:20 DgmLen:40
    >>Seq: 0x81079A10  Ack: 0xB3444000
    >>** END OF DUMP
    >>00 00 00 00 45 08 00 28 9F 42 40 00 E9 06 D4 28  ....E..(.B@....(
    >>0C 52 85 D6 CA 2E C2 05 97 BC 42 1D 81 07 9A 10  .R........B.....
    >
    >(hmm.. Actually this is both ipchains and snort.) The point here is that 
    >the "ORIGINAL DATAGRAM DUMP" is forged. My firewall (allegedly at 
    >"12.82.133.214") *never* sends out tcp packets on port 38844...
    >
    >Do you have any comparable detail for the packets you're seeing?
    >
    >- John
    >
    >
    >
    >Jose Carlos Faial wrote:
    >
    >>Hi all,
    >>     This morning I started receiving a lot of ICMP packets from a host, 
    >> apparently in China (if the source address was not spoofed). The first 
    >> packet was:
    >>[2001-10-31 11:52:25]  ICMP Destination Unreachable (Port Unreachable)
    >>IPv4: 203.193.63.9 -> XXX.XXX.XXX.XXX
    >>hlen=5 TOS=192 dlen=56 ID=37607 flags=0 offset=0 TTL=235 chksum=27228
    >>ICMP: type=Destination Unreachable code=Port Unreachable
    >>checksum=39472 id= seq=
    >>Payload:  length = 32
    >>000 : 00 00 00 00 45 00 00 4E F2 FE 00 00 68 11 8D DF   ....E..N....h...
    >>010 : A3 BA 23 3C CB C1 3F 09 00 89 00 89 00 3A 61 80   ..#<..?......:a.
    >>     followed by thousands of packets like this:
    >>[2001-10-31 12:42:10]  ICMP Time-To-Live Exceeded in Transit
    >>IPv4: 203.193.63.9 -> XXX.XXX.XXX.XXX
    >>hlen=5 TOS=192 dlen=56 ID=49325 flags=0 offset=0 TTL=235 chksum=15510
    >>ICMP: type=Time Exceeded code=0
    >>checksum=48251 id= seq=
    >>Payload:  length = 32
    >>000 : 00 00 00 00 45 00 00 74 4A A4 00 00 01 11 9D 13   ....E..tJ.......
    >>010 : A3 BA 23 3C CB C1 3F 0A 01 03 01 03 00 60 36 1E   ..#<..?......`6.
    >>I know that this can be just legitimate ICMP traffic, but I have a bad 
    >>feeling about this activity. I am sure that the target machine never 
    >>tried to connect to or to send any kind of packet to the 203.193.63.9 
    >>machine, so ICMP Time-To-Live would not be expected. They are 
    >>"unsolicited" packets.
    >>My question is "Can a hacker forge an ICMP packet to bypass the firewall 
    >>and use its payload (payload data is different for each packet received) 
    >>to send data to a trojan (listening for ICMP traffic on the target machine)? "
    >>Thanks to all.
    >>faial
    >
    >
    >
    >
    >----------------------------------------------------------------------------
    >This list is provided by the SecurityFocus ARIS analyzer service.
    >For more information on this free incident handling, management and 
    >tracking system please see: http://aris.securityfocus.com
    
    José Carlos Faial
    Engineer
    Schlumberger Network Solutions
    Rio de Janeiro - Brazil
    http://www.slb.com/nws
    
    -----BEGIN GEEK CODE BLOCK-----
    Version: 3.1
    GCS d- s--:+ a? C+++$ UL+++ P++ L++++ E--- W++ N+ !o K- w--- O- M+ V PS+
    !PE Y+ PGP++ t+@ 5+ X++ R tv- b+++ DI++++ D+++ G++ e++ h++ r++ y?
    ------END GEEK CODE BLOCK------
    
    WARNING: This message was quadruple ROT13'ed for your protection.
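As an added example (not code from the thread), the Python below decodes the "original datagram" quoted inside the ICMP error payloads above, which is exactly the check John describes: if the embedded packet is one your host never sent, the error is backscatter or forged rather than a reply to your own traffic. It assumes the masked XXX host is 163.186.35.60 (the source address inside Jose's dumps) and a constructed, hypothetical list of flows the firewall log confirms that host sent.

```python
import struct
from ipaddress import IPv4Address

# Payloads copied from the thread's hex dumps: 4 unused bytes, then the embedded
# IPv4 header and the first 8 bytes of the original transport header.
JOSE_PORT_UNREACH = bytes.fromhex(
    "0000 0000 4500 004E F2FE 0000 6811 8DDF A3BA 233C CBC1 3F09 0089 0089 003A 6180")
JOSE_TTL_EXCEEDED = bytes.fromhex(
    "0000 0000 4500 0074 4AA4 0000 0111 9D13 A3BA 233C CBC1 3F0A 0103 0103 0060 361E")
JOHN_HOST_UNREACH = bytes.fromhex(
    "0000 0000 4508 0028 9F42 4000 E906 D428 0C52 85D6 CA2E C205 97BC 421D 8107 9A10")

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 arithmetic: a header whose checksum is intact sums to 0xFFFF."""
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def decode_original_datagram(payload: bytes) -> dict:
    """Decode the datagram an ICMP error quotes (RFC 792: IP header + 64 bits of data)."""
    inner = payload[4:]                          # skip the 4-byte unused/pointer field
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        raise ValueError("not a complete IPv4 header plus 8 bytes")
    _, tos, length, ident, frag, ttl, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", inner[:20])
    info = {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)), "proto": proto,
            "ttl": ttl, "tos": tos, "len": length, "id": ident, "df": bool(frag & 0x4000),
            "checksum_ok": ones_complement_sum(inner[:ihl]) == 0xFFFF}
    if proto in (6, 17):                         # TCP and UDP both begin with the two ports
        info["sport"], info["dport"] = struct.unpack("!HH", inner[ihl:ihl + 4])
    if proto == 6:                               # the 8 bytes also cover the TCP sequence number
        info["seq"] = struct.unpack("!I", inner[ihl + 4:ihl + 8])[0]
    return info

def classify(info: dict, our_hosts: set, sent_flows: set) -> str:
    """Judge the error by whether the quoted datagram is one this site really sent."""
    if info["src"] not in our_hosts:
        return "not-ours"        # quotes a packet none of our addresses could have sent
    flow = (info["src"], info["dst"], info["proto"], info.get("sport"), info.get("dport"))
    if flow in sent_flows:
        return "legitimate"      # genuine error for a flow our own logs confirm we sent
    return "unsolicited"         # our address, but no record of that flow: backscatter or forged

if __name__ == "__main__":
    # Constructed assumptions: the masked XXX host is 163.186.35.60 (the source inside
    # Jose's dumps) and its firewall log shows one hypothetical UDP 259 flow to 203.193.63.10.
    hosts, sent = {"163.186.35.60"}, {("163.186.35.60", "203.193.63.10", 17, 259, 259)}
    for p in (JOSE_PORT_UNREACH, JOSE_TTL_EXCEEDED, JOHN_HOST_UNREACH):
        d = decode_original_datagram(p)
        print(classify(d, hosts, sent), d)
```

Feed it the 32 payload bytes from any ICMP type 3 or type 11 message and compare the decoded inner flow against your own outbound logs; the embedded header checksum is verified too, since a quoted header that fails it was altered or built by hand.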
    
    
    



    This archive was generated by hypermail 2b30 : Thu Nov 01 2001 - 09:33:20 PST