[Snort-sigs] Strange CyberKit alert activity

Bryan Irvine bryan.irvine at ...1441...
Mon Aug 18 10:58:13 EDT 2003


Yikes! I decided to check mine out as I haven't gotten a chance yet, and
sure enough. I had someone sweep my network on the 14th, and again on the
16th, and starting at 11pm last night I've gotten 5000 since then.
/YIKES!

--Bryan

On Mon, 2003-08-18 at 10:19, Pacheco, Michael F. wrote:
> I'm getting the same thing starting this morning EST - but my source ranges
> are all over the place. 64.x.x.x, 63.x.x.x, 202.x.x.x. etc... It looks like
> somebody is setting up reflectors all over the place?
> 
> ---
> [2003-08-18 12:43:31] [arachnids/154] [snort/483]  ICMP PING CyberKit 2.2 Windows
> IPv4: 200.148.70.78 -> xxx.xxx.xxx.xxx
>       hlen=5 TOS=0 dlen=92 ID=13549 flags=0 offset=0 TTL=109 chksum=37144
> ICMP: type=Echo Request code=0
>       checksum=16792 id= seq=
> Payload:  length = 64
> 
> 000 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA   ................
> 010 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA   ................
> 020 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA   ................
> 030 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA   ................
> 
> ----
> 
> Anybody else seeing this?  Anything on dshield or the other distributed
> sites? Drop me a line if you want more data or anything else on this issue -
> it's got me very curious.
> 
> Mike 
> 
> Michael F. Pacheco
> Network Analyst
> Elcom International
> mpacheco at ...1784...
> 
> 
> -----Original Message-----
> From: David Stubblefield [mailto:dstubblefield at ...1781...] 
> Sent: Monday, August 18, 2003 12:37 PM
> To: snort-sigs at lists.sourceforge.net
> Subject: [Snort-sigs] Strange CyberKit alert activity
> 
> Anyone seeing strange ICMP PING CyberKit alert activity today?  Starting
> about 6:00 AM this morning we started getting a large number (6000+ during
> the past hour) of these alerts from various source IPs to various
> destination IPs.
> 
> Here is a snip from the attack summary - basically the summary continued
> through the 207.172.X.X into the 207.173.X.X and this appears to be growing
> as I just checked and am seeing new alerts from the 207.175.X.X address
> space for this client.  I am also seeing these alerts on another client's
> network on a much broader distribution of single alerts.
> 
> Source IP        # of Alerts (sig)  # of Alerts (Total)  # of Destinations
> 207.172.111.150  63                 63                   61
> 207.172.125.107  63                 63                   61
> 207.172.125.150  63                 63                   61
> 207.172.136.155  63                 63                   61
> 207.172.137.12   63                 63                   61
> 207.172.138.4    46                 46                   46
> 207.172.143.66   63                 63                   61
> 
> Destinations
> Destination IP   # of Alerts (sig)  # of Alerts (Total)  # of Sources
> 10.3.1.165       71                 71                   64
> 10.3.1.38        69                 69                   62
> 10.3.10.103      70                 70                   62
> 10.3.10.132      70                 70                   63
> 10.3.10.199      68                 68                   61
> 10.3.10.245      70                 70                   63
> 
> 
> [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
> [Classification: Misc activity] [Priority: 3] 
> 08/18-09:22:26.226017 0:2:B3:62:3A:F3 -> 0:0:C:7:AC:1 type:0x800 len:0x6A
> 207.173.164.215 -> 10.3.3.200 ICMP TTL:123 TOS:0x0 ID:23573 IpLen:20 DgmLen:92
> Type:8  Code:0  ID:512   Seq:35162  ECHO
> [Xref =>  arachnids 154]
> 
> Regards,
> David Stubblefield
> RagingNet
> 1-866-RAGENOC
> 901 Sneath Lane, Suite 210
> San Bruno, CA. 94066
> 
> 
> 
> -------------------------------------------------------
> This SF.Net email sponsored by: Free pre-built ASP.NET sites including
> Data Reports, E-commerce, Portals, and Forums are available now.
> Download today and enter to win an XBOX or Visual Studio .NET.
> http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> 
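For anyone triaging the same flood from a capture rather than from Snort alerts, the following is an added example, not part of the thread: it matches raw IPv4 packets against the fields visible in the quoted dump (Echo Request, code 0, dlen=92, 64-byte payload of 0xAA) and counts hits per source, like the per-source summary above. The function names and the sample packets are assumptions made for the example; the addresses are documentation ranges.

```python
import socket
import struct
from collections import Counter

def build_echo_request(src, dst, payload, ident=512, seq=1, ttl=109):
    """Build a constructed IPv4 ICMP Echo Request for testing (checksums left 0)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, ttl, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + icmp

def parse_icmp(packet):
    """Return (src, type, code, total_len, payload), or None if not IPv4 ICMP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4                      # IP header length in bytes
    total_len = struct.unpack("!H", packet[2:4])[0]   # "dlen" in the alert dump
    if ihl < 20 or packet[9] != 1:                    # protocol 1 = ICMP
        return None
    if total_len < ihl + 8 or total_len > len(packet):  # truncated or inconsistent
        return None
    src = socket.inet_ntoa(packet[12:16])
    return src, packet[ihl], packet[ihl + 1], total_len, packet[ihl + 8:total_len]

def matches_dump(packet):
    """True when the packet has the fields shown in the quoted alert dump."""
    parsed = parse_icmp(packet)
    if parsed is None:
        return False
    _, icmp_type, icmp_code, total_len, payload = parsed
    return (icmp_type == 8 and icmp_code == 0 and total_len == 92
            and payload == b"\xaa" * 64)

def sources_matching(packets):
    """Count matching packets per source IP."""
    return Counter(parse_icmp(p)[0] for p in packets if matches_dump(p))

# Constructed sample traffic, not taken from the thread.
SAMPLES = [
    build_echo_request("192.0.2.10", "198.51.100.5", b"\xaa" * 64),
    build_echo_request("192.0.2.10", "198.51.100.6", b"\xaa" * 64),
    build_echo_request("192.0.2.77", "198.51.100.5", b"abcdefghijklmnopqrstuvwabcdefghi"),
    build_echo_request("192.0.2.88", "198.51.100.5", b"\xaa" * 32),  # right byte, wrong size
]

if __name__ == "__main__":
    print(sources_matching(SAMPLES))
```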




