Although it may not be directly related, wasn't there some chat server written some time ago that distributed its text through icmp? If so, could this be a deviation of this, maybe testing the destination to see if it can accept such packets so that it could transmit other data?

Thanks,
Ryan Yagatich

 ,_____________________________________________________,
 \ Ryan Yagatich                    supportat_private  \
 / Pantek Incorporated                 (877) LINUX-FIX /
 \ http://www.pantek.com/security       (440) 519-1802 \
 / Are your networks secure? Are you certain?          /
 \___E48BF0689E4F349D237D621CEAAD45E3C313A99DBB8BA16F___\

On Mon, 9 Jun 2003, ted klugman wrote:

> Our IDS has been reporting some large ICMP packets on our internal network. Our internal network is a Windows2000 domain -- servers and clients.
>
> - Packet size is always 2090 bytes
> - Almost always sent from a client or member server to one of the two boxes running Active Directory
> - The ping payload itself is actually a JPEG of the Microsoft logo. This JPEG can actually be found inside userenv.dll.
>
> I googled for any details, and I see that others have run into this before. However, there were no answers, just questions. See these two links for identical packets:
>
> http://archives.neohapsis.com/archives/linux/debian/2002-q4/0658.html
>
> http://cert.uni-stuttgart.de/archive/debian/security/2002/11/msg00222.html
>
> Anyone else seen these? Any idea what's causing them? Is this 'normal' behavior on a W2K network?
>
> Other than the fact that they are relatively large ICMP packets, they don't appear to be malicious in any way. There is no other malicious traffic seen on our network.
>
> TIA.
>
> -TedK
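As an added illustration, not part of the thread, here is a small Python parser that applies the check Ted's IDS is effectively making: decode IPv4/ICMP, flag echo packets that are unusually large and whose payload begins with the JPEG start-of-image marker, and tally them by source and destination so the "client to AD box" pattern stands out. The addresses, payload bytes and the 1024-byte "large" threshold are constructed assumptions; only the 2090-byte size comes from the post.

```python
import struct
from collections import Counter

JPEG_SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker; a JPEG payload would begin with this


def parse_ipv4_icmp(pkt: bytes):
    """Parse an IPv4 packet carrying ICMP. Returns (src, dst, icmp_type, total_len, payload) or None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 1 or total_len < ihl + 8 or len(pkt) < total_len:  # protocol 1 = ICMP
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    icmp = pkt[ihl:total_len]
    return src, dst, icmp[0], total_len, icmp[8:]  # payload follows type/code/checksum/id/seq


def classify_icmp(pkt: bytes, large_threshold: int = 1024) -> str:
    """Verdict for one packet: flag echo traffic that is large and/or carries a JPEG payload."""
    parsed = parse_ipv4_icmp(pkt)
    if parsed is None:
        return "not-ipv4-icmp"
    _, _, icmp_type, total_len, payload = parsed
    if icmp_type not in (0, 8):  # 8 = echo request, 0 = echo reply
        return "icmp-other"
    if total_len < large_threshold:
        return "echo-normal"
    return "echo-large-jpeg" if payload.startswith(JPEG_SOI) else "echo-large"


def summarize(pkts) -> Counter:
    """Count (src, dst, verdict) triples to show who is sending the large echoes to whom."""
    counts = Counter()
    for pkt in pkts:
        parsed = parse_ipv4_icmp(pkt)
        if parsed:
            counts[(parsed[0], parsed[1], classify_icmp(pkt))] += 1
    return counts


def build_echo_request(src: str, dst: str, payload: bytes) -> bytes:
    """Constructed IPv4/ICMP echo request for testing; checksums are left zero (the parser ignores them)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                         bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return ip_hdr + icmp


# Constructed samples: a 2090-byte echo whose payload starts like a JPEG, and an ordinary 32-byte-payload ping.
LARGE_JPEG_PING = build_echo_request("10.0.0.23", "10.0.0.1", JPEG_SOI + b"\xe0" + b"\x00" * 2058)
NORMAL_PING = build_echo_request("10.0.0.23", "10.0.0.1", b"abcdefghijklmnopqrstuvwabcdefghi")
```

Feeding real captures through `summarize` would reproduce the reporter's observation as a table of (client, domain controller, "echo-large-jpeg") counts, which is the evidence to correlate against what the clients are doing at those times.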
This archive was generated by hypermail 2b30 : Tue Jun 10 2003 - 13:15:27 PDT