-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have seen those packets, except the DF and MF flags were both set. BTW, you can recreate those packets by using Microsoft ping with the following command: ping -l 1500 (or whatever size you see).

Just my .02 worth

Toby

> The third type of traffic from the attacking machine consisted of very large ICMP echo-request packets, all going to the same destination IP address. The ICMP packet contents consisted entirely of the lowercase letters 'a' through 'w' repeated many times, e.g., abcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvw...
>
> Anyway, this may mean that some type of WebDAV data-gathering or exploit capability has been incorporated into a software package that also compromises machines via SMB. There wasn't direct evidence that the software package was associated with planned exploitation of the CA-2003-09 vulnerability via WebDAV, although it may have been. The ICMP traffic suggests that the software package may have a DoS capability that's separate from the SMB and WebDAV traffic.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBPoj3YVLhpjRJgUE5EQLAJACfeAG7zMsVfq0rzMVYLm6nRxAwpCMAoLt+
CoWYIbl8nDx7HkbZcYzC7O+q
=1Pey
-----END PGP SIGNATURE-----
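As an added example (not part of Toby's message or of the post he quotes), the following Python builds ICMP echo requests whose payload is the 'a'..'w' filler described above, which is the same filler Microsoft's ping.exe uses, and a small matcher that flags large echo requests carrying that pattern in a list of raw IPv4 datagrams. Everything here is constructed for illustration: the sample datagrams, the 192.0.2.x addresses (documentation range) and the 1000-byte "large" threshold are assumptions, and the code does not reproduce the DF/MF flag setting Toby mentions; it only reports whatever flag bits a datagram carries.

```python
"""Added example: recognise large ICMP echo requests filled with 'a'..'w'.

Not code from the original thread.  The datagrams below are constructed
in-line (no capture is read) so the script runs offline.
"""
import struct

# 23-byte cycle that Microsoft ping uses as its echo-request filler.
ALPHABET = b"abcdefghijklmnopqrstuvw"


def ping_alphabet_payload(length: int) -> bytes:
    """Return `length` bytes of 'abcdefghijklmnopqrstuvw' repeated, cut mid-cycle."""
    return (ALPHABET * (length // len(ALPHABET) + 1))[:length]


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (used for both IP header and ICMP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_addr(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def build_icmp_echo_request(src: str, dst: str, payload: bytes,
                            ident: int = 0x0100, seq: int = 1) -> bytes:
    """Build a single unfragmented IPv4 datagram carrying an ICMP echo request."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    total_len = 20 + len(icmp)
    # ver/ihl, tos, total length, id, flags+frag offset (0), ttl, proto=ICMP, csum, src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 128, 1, 0,
                      ipv4_addr(src), ipv4_addr(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + icmp


def parse_ipv4_icmp(frame: bytes):
    """Return the fields we care about from an IPv4/ICMP datagram, or None."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    total_len, = struct.unpack("!H", frame[2:4])
    flags_frag, = struct.unpack("!H", frame[6:8])
    if frame[9] != 1:  # not ICMP
        return None
    icmp = frame[ihl:total_len]
    if len(icmp) < 8:
        return None
    return {
        "dst": ".".join(str(b) for b in frame[16:20]),
        "total_len": total_len,
        "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000),
        "frag_offset": flags_frag & 0x1FFF,
        "icmp_type": icmp[0],
        "payload": icmp[8:],
    }


def is_ping_alphabet(payload: bytes) -> bool:
    """True when the payload is exactly 'a'..'w' repeated from 'a'."""
    return len(payload) > 0 and payload == ping_alphabet_payload(len(payload))


def find_large_alphabet_pings(frames, min_payload: int = 1000):
    """Return (dst, total_len, df, mf) for each large echo request with the a..w filler."""
    hits = []
    for frame in frames:
        p = parse_ipv4_icmp(frame)
        if p is None or p["icmp_type"] != 8 or p["frag_offset"] != 0:
            continue
        if len(p["payload"]) >= min_payload and is_ping_alphabet(p["payload"]):
            hits.append((p["dst"], p["total_len"], p["df"], p["mf"]))
    return hits


# Constructed sample traffic (assumed addresses, not captured data):
SAMPLE_FRAMES = [
    build_icmp_echo_request("192.0.2.1", "192.0.2.10", ping_alphabet_payload(1500)),  # ping -l 1500 style
    build_icmp_echo_request("192.0.2.1", "192.0.2.10", ping_alphabet_payload(32)),    # default 32-byte ping
    build_icmp_echo_request("192.0.2.2", "192.0.2.10", bytes(range(256)) * 6),        # large, different filler
]

if __name__ == "__main__":
    for hit in find_large_alphabet_pings(SAMPLE_FRAMES):
        print("large a..w echo request ->", hit)
```

The matcher only looks at unfragmented datagrams or first fragments (offset 0), because the ICMP header and the start of the filler are only present there; a datagram that really exceeds the path MTU would reach a sensor as several fragments, and only the first one can be matched this way.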
This archive was generated by hypermail 2b30 : Tue Apr 01 2003 - 16:36:42 PST