Odd windows ICMP... any ideas what this is?

From: ted klugman (tedklugmanat_private)
Date: Mon Jun 09 2003 - 09:04:38 PDT


    Our IDS has been reporting some large ICMP packets on
    our internal network. Our internal network is a
    Windows 2000 domain -- servers and clients.
    
    - Packet size is always 2090 bytes
    - Almost always sent from a client or member server to
    one of the two boxes running Active Directory
    - The ping payload itself is actually a JPEG of the
    Microsoft logo. This JPEG can actually be found inside
    userenv.dll.
    
    I googled for any details, and I see that others have
    run into this before. However, there were no answers,
    just questions. See these two links for identical
    packets:
    
    http://archives.neohapsis.com/archives/linux/debian/2002-q4/0658.html
    
    http://cert.uni-stuttgart.de/archive/debian/security/2002/11/msg00222.html
    
    
    Anyone else seen these? Any idea what's causing them?
    Is this 'normal' behavior on a W2K network?
    
    Other than the fact that they are relatively large
    ICMP packets, they don't appear to be malicious in any
    way. There is no other malicious traffic seen on our
    network.
    
    TIA.
    
    -TedK
    
    
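A triage script for the pattern described in the post, added here and not part of the original message: it decodes raw Ethernet/IPv4/ICMP frames, checks whether the echo payload opens with the JPEG Start-Of-Image marker, and counts which client-to-DC pairs produce matching frames so the reported direction can be confirmed from a capture. It assumes the reported 2090 bytes is the captured frame length including the 14-byte Ethernet header (leaving a 2048-byte echo payload); the addresses and frames are constructed sample data.

```python
import struct
from collections import Counter

JPEG_SOI = b"\xff\xd8\xff"          # every JPEG begins with this Start-Of-Image marker
ETH, IP, ICMP = 14, 20, 8           # header sizes: 14 + 20 + 8 + 2048 payload = 2090 bytes

def build_echo_frame(src_ip, dst_ip, payload):
    """Build a constructed Ethernet/IPv4/ICMP echo-request frame (test data only)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # zeroed MACs, EtherType IPv4
    src, dst = (bytes(int(o) for o in a.split(".")) for a in (src_ip, dst_ip))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP + ICMP + len(payload),
                     0, 0, 64, 1, 0, src, dst)            # protocol 1 = ICMP, checksum 0
    return eth + ip + struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload  # type 8 = echo request

def classify_frame(frame):
    """Return (src, dst, payload_len, starts_like_jpeg) for an IPv4 ICMP frame, else None."""
    if len(frame) < ETH + IP or frame[12:14] != b"\x08\x00" or frame[ETH + 9] != 1:
        return None
    ihl = (frame[ETH] & 0x0F) * 4                         # IP header length in bytes
    src = ".".join(str(b) for b in frame[ETH + 12:ETH + 16])
    dst = ".".join(str(b) for b in frame[ETH + 16:ETH + 20])
    payload = frame[ETH + ihl + ICMP:]
    return src, dst, len(payload), payload.startswith(JPEG_SOI)

def matches_report(frame, dc_addrs, frame_len=2090):
    """True if the frame has the reported size, a JPEG payload and a DC as destination."""
    info = classify_frame(frame)
    return (info is not None and len(frame) == frame_len
            and info[3] and info[1] in dc_addrs)

def summarize(frames, dc_addrs):
    """Count matching (src, dst) pairs to confirm the client -> DC direction."""
    pairs = Counter()
    for frame in frames:
        if matches_report(frame, dc_addrs):
            info = classify_frame(frame)
            pairs[(info[0], info[1])] += 1
    return pairs

# Constructed sample traffic: two logo-like pings to the DCs and one ordinary 32-byte ping.
DCS = {"10.0.0.10", "10.0.0.11"}
FAKE_JPEG = JPEG_SOI + b"\xe0" + b"\x00" * (2048 - 4)     # stand-in for the embedded image
SAMPLE = [
    build_echo_frame("10.0.0.55", "10.0.0.10", FAKE_JPEG),
    build_echo_frame("10.0.0.56", "10.0.0.11", FAKE_JPEG),
    build_echo_frame("10.0.0.55", "10.0.0.56", b"abcdefghijklmnopqrstuvwabcdefghi"),
]
```

On a real capture, feed the raw frames from a pcap reader into summarize() in place of SAMPLE; a result dominated by client-to-DC pairs with 2048-byte JPEG payloads reproduces the pattern from the post, while any other source/destination combination is worth a closer look.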
    



    This archive was generated by hypermail 2b30 : Mon Jun 09 2003 - 10:22:38 PDT