Re: Odd windows ICMP... any ideas what this is?

From: Ryan Yagatich (ryanyat_private)
Date: Mon Jun 09 2003 - 10:39:26 PDT


    	Although it may not be directly related, wasn't there some chat
    server written some time ago that distributed its text through ICMP?
    	If so, could this be a deviation of this, maybe testing the
    destination to see if it can accept such packets so that it could transmit
    other data?
    
    
    Thanks,
    Ryan Yagatich
    
    
    On Mon, 9 Jun 2003, ted klugman wrote:
    
    >Our IDS has been reporting some large ICMP packets on
    >our internal network. Our internal network is a
    >Windows2000 domain -- servers and clients.
    >
    >- Packet size is always 2090 bytes
    >- Almost always sent from a client or member server to
    >one of the two boxes running Active Directory
    >- The ping payload itself is actually a JPEG of the
    >Microsoft logo. This JPEG can actually be found inside
    >userenv.dll.
    >
    >I googled for any details, and I see that others have
    >run into this before. However, there were no answers,
    >just questions. See these two links for identical
    >packets:
    >
    >http://archives.neohapsis.com/archives/linux/debian/2002-q4/0658.html
    >
    >http://cert.uni-stuttgart.de/archive/debian/security/2002/11/msg00222.html
    >
    >
    >Anyone else seen these? Any idea what's causing them?
    >Is this 'normal' behavior on a W2K network?
    >
    >Other than the fact that they are relatively large
    >ICMP packets, they don't appear to be malicious in any
    >way. There is no other malicious traffic seen on our
    >network.
    >
    >TIA.
    >
    >-TedK
    >
    
    
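A small triage helper for the alert Ted describes, added here as an example and not code from the thread: it parses a constructed IPv4/ICMP echo request (the 2090-byte size and the JPEG start-of-image marker come from the report; addresses, identifier and sequence number are made up) and separates the known JPEG-payload pattern from other oversized echo payloads that would deserve a closer look.

```python
import struct

JPEG_SOI = b"\xff\xd8\xff"  # first three bytes of every JPEG file


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(payload: bytes, ident=0x1234, seq=1) -> bytes:
    """Constructed IPv4 + ICMP echo request (no link-layer header), for the demo only."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]
    # IP header checksum left at 0 because the parser below does not verify it
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]))  # made-up hosts
    return ip + icmp


def triage_icmp(packet: bytes) -> dict:
    """Extract the facts a responder would check for this kind of IDS alert."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:  # protocol field: 1 = ICMP
        return {"icmp": False}
    payload = packet[ihl + 8:]
    return {
        "icmp": True,
        "type": packet[ihl],
        "ip_len": len(packet),
        "payload_len": len(payload),
        "checksum_ok": icmp_checksum(packet[ihl:]) == 0,  # valid sum folds to 0
        "jpeg_payload": payload.startswith(JPEG_SOI),
    }


def classify(facts: dict) -> str:
    """Label the packet so the JPEG-payload pings can be triaged separately."""
    if not facts["icmp"] or facts["type"] not in (0, 8):
        return "not-echo"
    if facts["jpeg_payload"]:
        return "echo-with-jpeg-payload"  # the pattern reported in the thread
    if facts["payload_len"] > 1000:
        return "large-echo-unknown-payload"  # oversized and not the known pattern
    return "ordinary-echo"


# 2090-byte IP packet: 20 IP + 8 ICMP + 2062 payload bytes, JPEG marker first
SAMPLE = build_echo_request(JPEG_SOI + b"\xe0" + b"\x00" * 2058)
```

Running `classify(triage_icmp(SAMPLE))` on the constructed packet yields `echo-with-jpeg-payload`, while a 1500-byte zero payload yields `large-echo-unknown-payload`.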
    



    This archive was generated by hypermail 2b30 : Tue Jun 10 2003 - 13:15:27 PDT