[Snort-sigs] Strange CyberKit alert activity

Gavin Lowe gavin at ...1783...
Mon Aug 18 10:27:11 EDT 2003


I've been seeing them (but only about 150 so far).  They started here
just after 11PM MDT Sunday August 17th - sporadic at first, but now
fairly consistent (40/hour).

08/17-23:16:39.527193  [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 66.82.92.23 -> xxx.xxx.xxx.xxx

08/18-00:58:47.790859  [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 66.82.92.23 -> xxx.xxx.xxx.xxx

Gavin Lowe
Programmer / Network Administrator
glowe at ...1783...



-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of David
Stubblefield
Sent: Monday, August 18, 2003 10:37 AM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] Strange CyberKit alert activity

Anyone seeing strange ICMP PING CyberKit alert activity today?  Starting
about 6:00 AM this morning we started getting a large number (6000 +
during the past hour) of these alerts from various source IPs to
various destination IPs.

Here is a snip from the attack summary - basically the summary continued
through the 207.172.X.X into the 207.173.X.X and this appears to be
growing as I just checked and am seeing new alerts from the 207.175.X.X
address space for this client.  I am also seeing these alerts on another
client's network on a much broader distribution of single alerts.

Source IP        # of Alerts (sig)  # of Alerts (Total)  # of Destinations
207.172.111.150  63                 63                   61
207.172.125.107  63                 63                   61
207.172.125.150  63                 63                   61
207.172.136.155  63                 63                   61
207.172.137.12   63                 63                   61
207.172.138.4    46                 46                   46
207.172.143.66   63                 63                   61

Destinations
Destination IP   # of Alerts (sig)  # of Alerts (Total)  # of Sources
10.3.1.165       71                 71                   64
10.3.1.38        69                 69                   62
10.3.10.103      70                 70                   62
10.3.10.132      70                 70                   63
10.3.10.199      68                 68                   61
10.3.10.245      70                 70                   63


[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
[Classification: Misc activity] [Priority: 3] 
08/18-09:22:26.226017 0:2:B3:62:3A:F3 -> 0:0:C:7:AC:1 type:0x800 len:0x6A
207.173.164.215 -> 10.3.3.200 ICMP TTL:123 TOS:0x0 ID:23573 IpLen:20 DgmLen:92
Type:8  Code:0  ID:512   Seq:35162  ECHO
[Xref =>  arachnids 154]

Regards,
David Stubblefield
RagingNet
1-866-RAGENOC
901 Sneath Lane, Suite 210
San Bruno, CA. 94066
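
The per-source summary in the original message (alerts and distinct destinations per source) and the per-hour rate in the reply can both be derived from Snort fast alerts like those quoted above. The following is an added example, not part of either post; the sample lines, the documentation addresses and the sweep_min_dsts threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# Snort "fast" alert line as quoted in the thread, with the mail wrapping undone.
FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification: (?P<cls>[^\]]*)\]\s+)?\[Priority: (?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

def parse_fast_alert(line):
    """Return the alert's fields as a dict, or None if the line is not a fast alert."""
    m = FAST_ALERT.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines, sid="483", sweep_min_dsts=3):
    """Per-source rows and alerts per hour; sweep_min_dsts is an assumed threshold."""
    by_src = defaultdict(lambda: {"alerts": 0, "dsts": set()})
    by_hour = defaultdict(int)
    for line in lines:
        a = parse_fast_alert(line)
        if a is None or a["sid"] != sid:
            continue                      # skip unparsable lines and other rules
        by_src[a["src"]]["alerts"] += 1
        by_src[a["src"]]["dsts"].add(a["dst"])
        by_hour[a["ts"][:8]] += 1         # bucket on "MM/DD-HH"
    rows = [(s, d["alerts"], len(d["dsts"]), len(d["dsts"]) >= sweep_min_dsts)
            for s, d in by_src.items()]
    rows.sort(key=lambda r: (-r[2], -r[1], r[0]))   # widest fan-out first
    return rows, dict(by_hour)

# Constructed sample input (documentation addresses, not data from the thread).
FMT = ("08/18-{t}  [**] [1:{sid}:2] {msg} [**] [Classification: Misc activity] "
       "[Priority: 3] {{ICMP}} {src} -> {dst}")
def mk(t, src, dst, sid=483, msg="ICMP PING CyberKit 2.2 Windows"):
    return FMT.format(t=t, sid=sid, msg=msg, src=src, dst=dst)

SAMPLE = [
    mk("09:22:26.226017", "192.0.2.10", "10.3.1.1"),
    mk("09:22:27.000001", "192.0.2.10", "10.3.1.2"),
    mk("09:22:28.000001", "192.0.2.10", "10.3.1.3"),
    mk("09:40:00.000001", "192.0.2.20", "10.3.1.1"),
    mk("09:59:59.000001", "192.0.2.20", "10.3.1.1"),
    mk("10:01:00.000001", "192.0.2.10", "10.3.1.1"),
    mk("10:02:00.000001", "192.0.2.30", "10.3.1.9", sid=1000001, msg="LOCAL constructed rule"),
    "not an alert line",
]
if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A source whose distinct-destination count is close to its alert count, as in the summary table above (63 alerts to 61 destinations), is pinging across the address range rather than repeatedly pinging one host.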


