Winfreez DoS question

From: Glenn Pitcher (gpitcherat_private)
Date: Thu Apr 25 2002 - 12:24:49 PDT

    We recently set up a snort server here on campus and last night it appears
    that someone just outside our production firewall, probably on our student
    computing network, launched an ICMP host redirect attack against an HP
    OpenView system - most probably using Winfreez. However, the logs show the
    attack coming from multiple addresses all on 10.13.0.0/16 cycling from
    10.13.0.1 upwards using five unique IPs at a time. I just wanted to know if
    anyone has ever seen anything similar to this so I know I'm not going crazy.
    
    I'll include some of the log output but if anyone needs more info, drop me a
    line.
    
    TIA
    
    Glenn Pitcher
    System Administrator
    University of San Diego
    gpitcherat_private
    (619) 260-7571
    
    -------------------
    04/25/2002 00:23:17.764138 0:60:8:a:69:c1 0:60:8:93:91:c8 ip 70:
    xxx.xxx.173.2 > xxx.xxx.173.8: icmp: redirect 10.13.0.1 to host
    xxx.xxx.173.1 for xxx.xxx.173.8 > 10.13.0.1: icmp: echo request (ttl 126, id
    38819, len 84) (ttl 128, id 63088, len 56)
    04/25/2002 00:23:17.773256 0:60:8:a:69:c1 0:60:8:93:91:c8 ip 70:
    xxx.xxx.173.2 > xxx.xxx.173.8: icmp: redirect 10.13.0.4 to host
    xxx.xxx.173.1 for xxx.xxx.173.8 > 10.13.0.4: icmp: echo request (ttl 126, id
    39075, len 84) (ttl 128, id 63344, len 56)
    04/25/2002 00:23:17.774036 0:60:8:a:69:c1 0:60:8:93:91:c8 ip 70:
    xxx.xxx.173.2 > xxx.xxx.173.8: icmp: redirect 10.13.0.4 to host
    xxx.xxx.173.1 for xxx.xxx.173.8 > 10.13.0.4: icmp: echo request (ttl 126, id
    39331, len 84) (ttl 128, id 63600, len 56)
    04/25/2002 00:23:17.775040 0:60:8:a:69:c1 0:60:8:93:91:c8 ip 70:
    xxx.xxx.173.2 > xxx.xxx.173.8: icmp: redirect 10.13.0.4 to host
    xxx.xxx.173.1 for xxx.xxx.173.8 > 10.13.0.4: icmp: echo request (ttl 126, id
    39587, len 84) (ttl 128, id 63856, len 56)
    04/25/2002 00:23:17.776053 0:60:8:a:69:c1 0:60:8:93:91:c8 ip 70:
    xxx.xxx.173.2 > xxx.xxx.173.8: icmp: redirect 10.13.0.5 to host
    xxx.xxx.173.1 for xxx.xxx.173.8 > 10.13.0.5: icmp: echo request (ttl 126, id
    39843, len 84) (ttl 128, id 64112, len 56)
    04/25/2002 00:23:17.778631 0:60:8:a:69:c1 0:60:8:93:91:c8 ip 70:
    xxx.xxx.173.2 > xxx.xxx.173.8: icmp: redirect 10.13.0.1 to host
    xxx.xxx.173.1 for xxx.xxx.173.8 > 10.13.0.1: icmp: echo request (ttl 124, id
    38819, len 84) (ttl 128, id 64368, len 56)
    04/25/2002 00:23:17.779633 0:60:8:a:69:c1 0:60:8:93:91:c8 ip 70:
    xxx.xxx.173.2 > xxx.xxx.173.8: icmp: redirect 10.13.0.6 to host
    xxx.xxx.173.1 for xxx.xxx.173.8 > 10.13.0.6: icmp: echo request (ttl 126, id
    40099, len 84) (ttl 128, id 64624, len 56)
    04/25/2002 00:23:17.787865 0:60:8:a:69:c1 0:60:8:93:91:c8 ip 70:
    xxx.xxx.173.2 > xxx.xxx.173.8: icmp: redirect 10.13.0.4 to host
    xxx.xxx.173.1 for xxx.xxx.173.8 > 10.13.0.4: icmp: echo request (ttl 124, id
    39075, len 84) (ttl 128, id 64880, len 56)
    04/25/2002 00:23:17.788629 0:60:8:a:69:c1 0:60:8:93:91:c8 ip 70:
    xxx.xxx.173.2 > xxx.xxx.173.8: icmp: redirect 10.13.0.4 to host
    xxx.xxx.173.1 for xxx.xxx.173.8 > 10.13.0.4: icmp: echo request (ttl 124, id
    39331, len 84) (ttl 128, id 65136, len 56)
    04/25/2002 00:23:17.789626 0:60:8:a:69:c1 0:60:8:93:91:c8 ip 70:
    xxx.xxx.173.2 > xxx.xxx.173.8: icmp: redirect 10.13.0.4 to host
    xxx.xxx.173.1 for xxx.xxx.173.8 > 10.13.0.4: icmp: echo request (ttl 124, id
    39587, len 84) (ttl 128, id 65392, len 56)
    04/25/2002 00:23:17.790622 0:60:8:a:69:c1 0:60:8:93:91:c8 ip 70:
    xxx.xxx.173.2 > xxx.xxx.173.8: icmp: redirect 10.13.0.5 to host
    xxx.xxx.173.1 for xxx.xxx.173.8 > 10.13.0.5: icmp: echo request (ttl 124, id
    39843, len 84) (ttl 128, id 113, len 56)
    04/25/2002 00:23:17.793322 0:60:8:a:69:c1 0:60:8:93:91:c8 ip 70:
    xxx.xxx.173.2 > xxx.xxx.173.8: icmp: redirect 10.13.0.1 to host
    xxx.xxx.173.1 for xxx.xxx.173.8 > 10.13.0.1: icmp: echo request (ttl 122, id
    38819, len 84) (ttl 128, id 369, len 56)
    04/25/2002 00:23:17.794318 0:60:8:a:69:c1 0:60:8:93:91:c8 ip 70:
    xxx.xxx.173.2 > xxx.xxx.173.8: icmp: redirect 10.13.0.6 to host
    xxx.xxx.173.1 for xxx.xxx.173.8 > 10.13.0.6: icmp: echo request (ttl 124, id
    40099, len 84) (ttl 128, id 625, len 56)
    04/25/2002 00:23:17.802735 0:60:8:a:69:c1 0:60:8:93:91:c8 ip 70:
    xxx.xxx.173.2 > xxx.xxx.173.8: icmp: redirect 10.13.0.4 to host
    xxx.xxx.173.1 for xxx.xxx.173.8 > 10.13.0.4: icmp: echo request (ttl 122, id
    39075, len 84) (ttl 128, id 881, len 56)
    04/25/2002 00:23:17.803511 0:60:8:a:69:c1 0:60:8:93:91:c8 ip 70:
    xxx.xxx.173.2 > xxx.xxx.173.8: icmp: redirect 10.13.0.4 to host
    xxx.xxx.173.1 for xxx.xxx.173.8 > 10.13.0.4: icmp: echo request (ttl 122, id
    39331, len 84) (ttl 128, id 1137, len 56)
    04/25/2002 00:23:17.804505 0:60:8:a:69:c1 0:60:8:93:91:c8 ip 70:
    xxx.xxx.173.2 > xxx.xxx.173.8: icmp: redirect 10.13.0.4 to host
    xxx.xxx.173.1 for xxx.xxx.173.8 > 10.13.0.4: icmp: echo request (ttl 122, id
    39587, len 84) (ttl 128, id 1393, len 56)
    04/25/2002 00:23:17.805501 0:60:8:a:69:c1 0:60:8:93:91:c8 ip 70:
    xxx.xxx.173.2 > xxx.xxx.173.8: icmp: redirect 10.13.0.5 to host
    xxx.xxx.173.1 for xxx.xxx.173.8 > 10.13.0.5: icmp: echo request (ttl 122, id
    39843, len 84) (ttl 128, id 1649, len 56)
    04/25/2002 00:23:17.808560 0:60:8:a:69:c1 0:60:8:93:91:c8 ip 70:
    xxx.xxx.173.2 > xxx.xxx.173.8: icmp: redirect 10.13.0.1 to host
    xxx.xxx.173.1 for xxx.xxx.173.8 > 10.13.0.1: icmp: echo request (ttl 120, id
    38819, len 84) (ttl 128, id 1905, len 56)
    04/25/2002 00:23:17.809555 0:60:8:a:69:c1 0:60:8:93:91:c8 ip 70:
    xxx.xxx.173.2 > xxx.xxx.173.8: icmp: redirect 10.13.0.6 to host
    xxx.xxx.173.1 for xxx.xxx.173.8 > 10.13.0.6: icmp: echo request (ttl 122, id
    40099, len 84) (ttl 128, id 2161, len 56)
    04/25/2002 00:23:17.818663 0:60:8:a:69:c1 0:60:8:93:91:c8 ip 70:
    xxx.xxx.173.2 > xxx.xxx.173.8: icmp: redirect 10.13.0.4 to host
    xxx.xxx.173.1 for xxx.xxx.173.8 > 10.13.0.4: icmp: echo request (ttl 120, id
    39075, len 84) (ttl 128, id 2417, len 56)
    04/25/2002 00:23:17.819439 0:60:8:a:69:c1 0:60:8:93:91:c8 ip 70:
    xxx.xxx.173.2 > xxx.xxx.173.8: icmp: redirect 10.13.0.4 to host
    xxx.xxx.173.1 for xxx.xxx.173.8 > 10.13.0.4: icmp: echo request (ttl 120, id
    39331, len 84) (ttl 128, id 2673, len 56)
    04/25/2002 00:23:17.820433 0:60:8:a:69:c1 0:60:8:93:91:c8 ip 70:
    xxx.xxx.173.2 > xxx.xxx.173.8: icmp: redirect 10.13.0.4 to host
    xxx.xxx.173.1 for xxx.xxx.173.8 > 10.13.0.4: icmp: echo request (ttl 120, id
    39587, len 84) (ttl 128, id 2929, len 56)
    04/25/2002 00:23:17.821427 0:60:8:a:69:c1 0:60:8:93:91:c8 ip 70:
    xxx.xxx.173.2 > xxx.xxx.173.8: icmp: redirect 10.13.0.5 to host
    xxx.xxx.173.1 for xxx.xxx.173.8 > 10.13.0.5: icmp: echo request (ttl 120, id
    39843, len 84) (ttl 128, id 3185, len 56)
    04/25/2002 00:23:17.824148 0:60:8:a:69:c1 0:60:8:93:91:c8 ip 70:
    xxx.xxx.173.2 > xxx.xxx.173.8: icmp: redirect 10.13.0.1 to host
    xxx.xxx.173.1 for xxx.xxx.173.8 > 10.13.0.1: icmp: echo request (ttl 118, id
    38819, len 84) (ttl 128, id 3441, len 56)
    04/25/2002 00:23:17.825144 0:60:8:a:69:c1 0:60:8:93:91:c8 ip 70:
    xxx.xxx.173.2 > xxx.xxx.173.8: icmp: redirect 10.13.0.6 to host
    xxx.xxx.173.1 for xxx.xxx.173.8 > 10.13.0.6: icmp: echo request (ttl 120, id
    40099, len 84) (ttl 128, id 3697, len 56)
    04/25/2002 00:23:17.833361 0:60:8:a:69:c1 0:60:8:93:91:c8 ip 70:
    xxx.xxx.173.2 > xxx.xxx.173.8: icmp: redirect 10.13.0.4 to host
    xxx.xxx.173.1 for xxx.xxx.173.8 > 10.13.0.4: icmp: echo request (ttl 118, id
    39075, len 84) (ttl 128, id 3953, len 56)
    04/25/2002 00:23:17.834134 0:60:8:a:69:c1 0:60:8:93:91:c8 ip 70:
    xxx.xxx.173.2 > xxx.xxx.173.8: icmp: redirect 10.13.0.4 to host
    xxx.xxx.173.1 for xxx.xxx.173.8 > 10.13.0.4: icmp: echo request (ttl 118, id
    39331, len 84) (ttl 128, id 4209, len 56)
    04/25/2002 00:23:17.835134 0:60:8:a:69:c1 0:60:8:93:91:c8 ip 70:
    xxx.xxx.173.2 > xxx.xxx.173.8: icmp: redirect 10.13.0.4 to host
    xxx.xxx.173.1 for xxx.xxx.173.8 > 10.13.0.4: icmp: echo request (ttl 118, id
    39587, len 84) (ttl 128, id 4465, len 56)
    04/25/2002 00:23:17.836129 0:60:8:a:69:c1 0:60:8:93:91:c8 ip 70:
    xxx.xxx.173.2 > xxx.xxx.173.8: icmp: redirect 10.13.0.5 to host
    xxx.xxx.173.1 for xxx.xxx.173.8 > 10.13.0.5: icmp: echo request (ttl 118, id
    39843, len 84) (ttl 128, id 4721, len 56)
    04/25/2002 00:23:17.838748 0:60:8:a:69:c1 0:60:8:93:91:c8 ip 70:
    xxx.xxx.173.2 > xxx.xxx.173.8: icmp: redirect 10.13.0.1 to host
    xxx.xxx.173.1 for xxx.xxx.173.8 > 10.13.0.1: icmp: echo request (ttl 116, id
    38819, len 84) (ttl 128, id 4977, len 56)
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
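The log above is in tcpdump's wrapped ICMP-redirect format: each record spans four lines, the first parenthesised (ttl, id, len) triple describes the datagram quoted inside the redirect, and the second describes the redirect packet itself. The pattern Glenn describes (one sender advertising a burst of redirects for many different destinations, and the same quoted datagram id reappearing with a steadily lower ttl) is easy to pick out mechanically. The following Python script is an added example, not part of the post or of Snort: it re-joins the wrapped records, parses the redirect fields, and flags any sender/victim pair that advertises redirects for several distinct destinations inside a short window. The sample log is constructed in the post's format with the masked xxx.xxx.173.x hosts replaced by the documentation range 192.0.2.x, plus one lone redirect from a different sender so the detector has something to leave alone; thresholds and field names are the example's own choices.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the post's tcpdump layout (four lines per record).
# 192.0.2.x stands in for the masked xxx.xxx.173.x hosts; the final record is
# a single, unrelated redirect that a detector should not flag.
SAMPLE_LOG = """\
04/25/2002 00:23:17.764138 0:60:8:a:69:c1 0:60:8:93:91:c8 ip 70:
192.0.2.2 > 192.0.2.8: icmp: redirect 10.13.0.1 to host
192.0.2.1 for 192.0.2.8 > 10.13.0.1: icmp: echo request (ttl 126, id
38819, len 84) (ttl 128, id 63088, len 56)
04/25/2002 00:23:17.773256 0:60:8:a:69:c1 0:60:8:93:91:c8 ip 70:
192.0.2.2 > 192.0.2.8: icmp: redirect 10.13.0.4 to host
192.0.2.1 for 192.0.2.8 > 10.13.0.4: icmp: echo request (ttl 126, id
39075, len 84) (ttl 128, id 63344, len 56)
04/25/2002 00:23:17.776053 0:60:8:a:69:c1 0:60:8:93:91:c8 ip 70:
192.0.2.2 > 192.0.2.8: icmp: redirect 10.13.0.5 to host
192.0.2.1 for 192.0.2.8 > 10.13.0.5: icmp: echo request (ttl 126, id
39843, len 84) (ttl 128, id 64112, len 56)
04/25/2002 00:23:17.778631 0:60:8:a:69:c1 0:60:8:93:91:c8 ip 70:
192.0.2.2 > 192.0.2.8: icmp: redirect 10.13.0.1 to host
192.0.2.1 for 192.0.2.8 > 10.13.0.1: icmp: echo request (ttl 124, id
38819, len 84) (ttl 128, id 64368, len 56)
04/25/2002 00:23:17.793322 0:60:8:a:69:c1 0:60:8:93:91:c8 ip 70:
192.0.2.2 > 192.0.2.8: icmp: redirect 10.13.0.1 to host
192.0.2.1 for 192.0.2.8 > 10.13.0.1: icmp: echo request (ttl 122, id
38819, len 84) (ttl 128, id 369, len 56)
04/25/2002 00:25:02.100000 0:0:5e:0:1:1 0:60:8:93:91:aa ip 70:
192.0.2.254 > 192.0.2.20: icmp: redirect 198.51.100.7 to host
192.0.2.253 for 192.0.2.20 > 198.51.100.7: icmp: echo request (ttl 64, id
1000, len 84) (ttl 255, id 2000, len 56)
"""

# A record starts with a timestamp; the two \S+ fields are the MAC addresses.
TS_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d+ ")
RECORD_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d+) \S+ \S+ ip \d+: "
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): icmp: redirect (?P<target>[\d.]+) "
    r"to host (?P<gw>[\d.]+) for (?P<isrc>[\d.]+) > (?P<idst>[\d.]+): "
    r"icmp: echo request \(ttl (?P<ittl>\d+), id (?P<iid>\d+), len \d+\) "
    r"\(ttl (?P<ttl>\d+), id (?P<id>\d+), len \d+\)$"
)


def parse_records(text):
    """Re-join the wrapped lines into one record each and parse the redirect
    fields; records that are not ICMP redirects are skipped."""
    records, current = [], []
    for line in text.splitlines():
        if TS_RE.match(line) and current:
            records.append(" ".join(current))
            current = []
        if line.strip():
            current.append(line.strip())
    if current:
        records.append(" ".join(current))
    parsed = []
    for rec in records:
        m = RECORD_RE.match(rec)
        if not m:
            continue
        d = m.groupdict()
        d["time"] = datetime.strptime(d["ts"], "%m/%d/%Y %H:%M:%S.%f")
        for k in ("ittl", "iid", "ttl", "id"):
            d[k] = int(d[k])
        parsed.append(d)
    return parsed


def detect_redirect_floods(records, window_s=1.0, min_targets=3):
    """Flag a (sender, victim) pair whose redirects name at least min_targets
    distinct destinations within a sliding window of window_s seconds. A real
    router redirects one destination now and then; cycling through many in
    milliseconds is the pattern in the post."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r)
    alerts = {}
    for pair, recs in by_pair.items():
        recs.sort(key=lambda r: r["time"])
        window = deque()
        for r in recs:
            window.append(r)
            while (r["time"] - window[0]["time"]).total_seconds() > window_s:
                window.popleft()
            targets = {w["target"] for w in window}
            if len(targets) >= min_targets:
                a = alerts.setdefault(pair, {"targets": set(), "gateways": set(),
                                             "count": len(recs),
                                             "first": recs[0]["time"],
                                             "last": recs[-1]["time"]})
                a["targets"] |= targets
                a["gateways"] |= {w["gw"] for w in window}
    return alerts


def repeated_quoted_datagrams(records):
    """Group redirects by the datagram they quote. The same quoted id coming
    back with a steadily lower ttl, as in the post's log, is hard to explain
    with genuinely forwarded traffic and points to a crafted stream."""
    seen = defaultdict(set)
    for r in records:
        seen[(r["isrc"], r["idst"], r["iid"])].add(r["ittl"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for (src, dst), a in detect_redirect_floods(recs).items():
        print(f"{src} -> {dst}: {a['count']} redirects naming "
              f"{sorted(a['targets'])} via gateway(s) {sorted(a['gateways'])}")
    for key, ttls in repeated_quoted_datagrams(recs).items():
        print(f"quoted datagram {key} seen with ttl values {ttls}")
```

Against a real tcpdump or Snort text log, the same two checks apply unchanged; only the sample text needs replacing. On a campus network the practical mitigation remains to have hosts ignore ICMP redirects (or have the border filter them), which is why the alert also reports the advertised gateway: a redirect pointing at anything other than a known router on that segment is the clearest sign of trouble.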
    



    This archive was generated by hypermail 2b30 : Thu Apr 25 2002 - 14:25:55 PDT