I have come across this before as well. This is not unusual traffic for a Win2k environment. It's a Windows client doing a speed test of its network connection to determine if a group policy should be applied or a roaming profile downloaded. I saw these large ICMP packets containing that JPEG mostly from dial-up users who have slower connections, and always three in a row. The JPEG, if you haven't already looked at it, is a picture of the word "Microsoft" and it's incomplete.

For information on this, check Microsoft knowledgebase article 227260 (http://support.microsoft.com/?id=227260).

- Jonathan

>Our IDS has been reporting some large ICMP packets on
>our internal network. Our internal network is a
>Windows2000 domain -- servers and clients.
>
>- Packet size is always 2090 bytes
>- Almost always sent from a client or member server to
>one of the two boxes running Active Directory
>- The ping payload itself is actually a JPEG of the
>Microsoft logo. This JPEG can actually be found inside
>userenv.dll.
>
>I googled for any details, and I see that others have
>run into this before. However, there were no answers,
>just questions. See these two links for identical
>packets:
>
>http://archives.neohapsis.com/archives/linux/debian/2002-q4/0658.html
>
>http://cert.uni-stuttgart.de/archive/debian/security/2002/11/msg00222.html
>
>
>Anyone else seen these? Any idea what's causing them?
>Is this 'normal' behavior on a W2K network?
>
>Other than the fact that they are relatively large
>ICMP packets, they don't appear to be malicious in any
>way. There is no other malicious traffic seen on our
>network.
>
>TIA.
>
>-TedK
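An IDS triage helper for the traffic discussed in this thread, added as an example and not written by either poster: it finds large ICMP echo requests whose payload starts with a JPEG marker and labels each source/destination pair by whether the destination is a known domain controller. The 1024-byte threshold, the addresses, the `expected`/`review` labels and the sample packets are assumptions constructed for the example, and the input is assumed to be reassembled IPv4 datagrams.

```python
import socket
import struct
from collections import Counter

JPEG_SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker + first byte of next marker

def parse_echo_request(pkt):
    """Return (src, dst, payload) for an IPv4 ICMP echo request, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 1:   # IPv4, protocol 1 = ICMP
        return None
    ihl = (pkt[0] & 0x0F) * 4
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    if ihl < 20 or len(pkt) < ihl + 8 or frag_offset:       # later fragments lack the ICMP header
        return None
    if pkt[ihl] != 8 or pkt[ihl + 1] != 0:                  # type 8, code 0 = echo request
        return None
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[ihl + 8:]

def triage(packets, domain_controllers, min_payload=1024):
    """Map (src, dst) -> (count, verdict) for large echo requests carrying a JPEG."""
    hits = Counter()
    for pkt in packets:
        parsed = parse_echo_request(pkt)
        if parsed and len(parsed[2]) >= min_payload and parsed[2].startswith(JPEG_SOI):
            hits[parsed[:2]] += 1
    # "expected" = destination is a listed DC, matching the pattern described in the thread
    return {pair: (n, "expected" if pair[1] in domain_controllers else "review")
            for pair, n in hits.items()}

def build_echo(src, dst, payload):
    """Build a constructed test datagram (checksums left at 0; the parser ignores them)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 128, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + icmp

# Constructed sample traffic: addresses and payload bytes are made up for the example.
FAKE_JPEG = JPEG_SOI + b"\x00" * 2045
SAMPLE = ([build_echo("10.0.0.50", "10.0.0.10", FAKE_JPEG)] * 3
          + [build_echo("10.0.0.51", "10.0.0.99", FAKE_JPEG),
             build_echo("10.0.0.52", "10.0.0.10", b"abcdefghijklmnopqrstuvwabcdefghi")])
DCS = {"10.0.0.10", "10.0.0.11"}

if __name__ == "__main__":
    for pair, result in triage(SAMPLE, DCS).items():
        print(pair, result)
```

A pair labelled `review` only means the destination is not in the supplied domain controller list; the JPEG marker check alone does not establish that a packet is benign.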
This archive was generated by hypermail 2b30 : Tue Jun 10 2003 - 13:01:14 PDT