Take a look at this. Haven't tested this myself though:

http://www.wfu.edu/~stein/work/icmp.html

> -----Original Message-----
> From: ted klugman [mailto:tedklugmanat_private]
> Sent: Monday, June 09, 2003 12:05 PM
> To: incidentsat_private
> Subject: Odd windows ICMP... any ideas what this is?
>
> Our IDS has been reporting some large ICMP packets on our internal network.
> Our internal network is a Windows2000 domain -- servers and clients.
>
> - Packet size is always 2090 bytes
> - Almost always sent from a client or member server to one of the two boxes
>   running Active Directory
> - The ping payload itself is actually a JPEG of the Microsoft logo. This JPEG
>   can actually be found inside userenv.dll.
>
> I googled for any details, and I see that others have run into this before.
> However, there were no answers, just questions. See these two links for
> identical packets:
>
> http://archives.neohapsis.com/archives/linux/debian/2002-q4/0658.html
>
> http://cert.uni-stuttgart.de/archive/debian/security/2002/11/msg00222.html
>
> Anyone else seen these? Any idea what's causing them? Is this 'normal'
> behavior on a W2K network?
>
> Other than the fact that they are relatively large ICMP packets, they don't
> appear to be malicious in any way. There is no other malicious traffic seen
> on our network.
>
> TIA.
>
> -TedK
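As an added example (not part of the thread), here is a small triage filter for the pattern Ted describes: an ICMP echo request whose frame is exactly 2090 bytes, sent to one of the AD servers, with a payload that starts with a JPEG marker. The assumptions are labelled in the code: the two AD addresses are placeholders, the 2090 bytes are read as the on-the-wire frame length (14 Ethernet + 20 IP + 8 ICMP + 2048 payload), and the sample packet is constructed here rather than captured.

```python
import struct

# Assumption: the post does not name the two AD servers, so these are placeholders.
DC_ADDRS = {"10.0.0.10", "10.0.0.11"}
JPEG_SOI = b"\xff\xd8\xff"          # JPEG start-of-image marker
ETH_HDR, IP_HDR, ICMP_HDR = 14, 20, 8
REPORTED_FRAME_LEN = 2090           # size reported by the IDS in the post

def icmp_checksum(data: bytes) -> int:
    """RFC 792 one's-complement checksum; returns 0 for a packet with a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(src: str, dst: str, payload: bytes) -> bytes:
    """Constructed sample frame: dummy Ethernet header + IPv4 (checksum left 0) + ICMP echo."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR + len(icmp), 0, 0, 128, 1, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * ETH_HDR + ip + icmp

def classify(frame: bytes) -> str:
    """Label a frame so large echoes matching the known benign pattern can be triaged apart
    from other oversized ICMP that still deserves a look."""
    ip = frame[ETH_HDR:]
    if len(ip) < IP_HDR or ip[0] >> 4 != 4 or ip[9] != 1:
        return "not-icmp"
    ihl = (ip[0] & 0x0F) * 4
    dst = ".".join(map(str, ip[16:20]))
    icmp = ip[ihl:]
    if len(icmp) < ICMP_HDR or icmp[0] != 8:
        return "icmp-other"
    if icmp_checksum(icmp) != 0:
        return "icmp-echo-bad-checksum"
    payload = icmp[ICMP_HDR:]
    if len(frame) == REPORTED_FRAME_LEN and dst in DC_ADDRS and payload.startswith(JPEG_SOI):
        return "w2k-large-echo-to-dc"     # the pattern described in the post
    if len(frame) > ETH_HDR + 1500:
        return "large-icmp-echo-unknown"  # oversized echo that does not fit the pattern
    return "icmp-echo"

if __name__ == "__main__":
    jpeg_like = JPEG_SOI + b"\x00" * (2048 - len(JPEG_SOI))
    print(classify(build_echo("10.0.0.50", "10.0.0.10", jpeg_like)))
```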
This archive was generated by hypermail 2b30 : Tue Jun 10 2003 - 14:06:56 PDT