Strings of 'EEEE' in pings...

From: Peter Bates (Peter.Batesat_private)
Date: Fri Jan 25 2002 - 11:05:58 PST

Next message: Glenn Forbes Fleming Larratt: "Re: DDoS attack."

Previous message: Gary Baribault: "port 22224?? What the heck"
Next in thread: Chris Keladis: "Re: Strings of 'EEEE' in pings..."
Reply: Chris Keladis: "Re: Strings of 'EEEE' in pings..."
Reply: dlaumannat_private: "RE: Strings of 'EEEE' in pings..."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello all...

I've searched on Google, and other than some short discussion
in the past, I've nothing to answer my question...

I saw some of this traffic today, watching a machine which had
made several failed attempts to connect to servers they shouldn't
(both machines are internal), and then seeing some SNMP traffic
to external hosts which I failed to capture...

What I saw was this: (snort -vde capture)

01/25-18:05:09.399334 8:0:20:9E:ED:B3 -> 0:10:F6:8E:A0:0 type:0x800
len:0x4A
(INTERNAL) -> (EXTERNAL) ICMP TTL:62 TOS:0x0 ID:43296 IpLen:20
DgmLen:60
Type:8  Code:0  ID:1   Seq:9  ECHO
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

01/25-18:05:09.419335 0:10:F6:8E:A0:0 -> 8:0:20:9E:ED:B3 type:0x800
len:0x4A
(EXTERNAL) -> (INTERNAL) ICMP TTL:113 TOS:0x0 ID:44568 IpLen:20
DgmLen:60
Type:0  Code:0  ID:1  Seq:9  ECHO REPLY
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Yes it's a ping echo/reply pair, but why the string of EE's?

I could recreate this slightly using 'ping -p 45 host' from another
system,
but it was still slightly different at the front...

Can anyone explain this, or what might be generating this traffic?

The internal host in question appears to be a Windows machine, but
we'll only be able to investigate properly after the weekend.



-------------------------------------------------------------------------------------------------------------------->
Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone:0207-927 2124 / Fax: 0207- 636 9838 

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Glenn Forbes Fleming Larratt: "Re: DDoS attack."
Previous message: Gary Baribault: "port 22224?? What the heck"
Next in thread: Chris Keladis: "Re: Strings of 'EEEE' in pings..."
Reply: Chris Keladis: "Re: Strings of 'EEEE' in pings..."
Reply: dlaumannat_private: "RE: Strings of 'EEEE' in pings..."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Jan 25 2002 - 11:16:37 PST