[Snort-sigs] Strange CyberKit alert activity

Keith T. Morgan keith.morgan at ...950...
Mon Aug 18 12:16:13 EDT 2003


We've seen several hundred of these, starting at 1PM EDT today.  They're doing sequential ICMP scans of entire netblocks.

Sources have tended to come from our class B -1.  Eg: if x.99.x.x is our netblock, most of the sources (actually, all except one) have been x.98.x.x.  The other came from a uunet block on an entirely different class A.

We're not seeing anything other than the ICMP from these hosts.

We're researching other sensor and firewall data to check for correlating events from these IPs.

> -----Original Message-----
> From: Gavin Lowe [mailto:gavin at ...1783...]
> Sent: Monday, August 18, 2003 1:26 PM
> To: 'David Stubblefield'; snort-sigs at lists.sourceforge.net
> Subject: RE: [Snort-sigs] Strange CyberKit alert activity
> 
> 
> I've been seeing them (but only about 150 so far).  They started here
> just after 11PM MDT Sunday August 17th - sporadic at first, but now
> fairly consistent (40/hour).
> 
> 08/17-23:16:39.527193  [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 66.82.92.23 -> xxx.xxx.xxx.xxx
> 
> 08/18-00:58:47.790859  [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 66.82.92.23 -> xxx.xxx.xxx.xxx
> 
> Gavin Lowe
> Programmer / Network Administrator
> glowe at ...1783...
> 
> 
> 
> -----Original Message-----
> From: snort-sigs-admin at lists.sourceforge.net
> [mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of David
> Stubblefield
> Sent: Monday, August 18, 2003 10:37 AM
> To: snort-sigs at lists.sourceforge.net
> Subject: [Snort-sigs] Strange CyberKit alert activity
> 
> Anyone seeing strange ICMP PING CyberKit alert activity today?  Starting
> about 6:00 AM this morning we started getting a large number (6000 +
> during the past hour) of these alerts from various source IPs to
> various destination IPs.
> 
> Here's a snip from the attack summary - basically the summary continued
> through the 207.172.X.X into the 207.173.X.X and this appears to be
> growing as I just checked and am seeing new alerts from the 207.175.X.X
> address space for this client.  I am also seeing these alerts on another
> client's network on a much broader distribution of single alerts.
> 
> Source IP        # of Alerts (sig)  # of Alerts (Total)  # of Destinations
> 207.172.111.150  63                 63                   61
> 207.172.125.107  63                 63                   61
> 207.172.125.150  63                 63                   61
> 207.172.136.155  63                 63                   61
> 207.172.137.12   63                 63                   61
> 207.172.138.4    46                 46                   46
> 207.172.143.66   63                 63                   61
> 
> Destinations
> Destination IP   # of Alerts (sig)  # of Alerts (Total)  # of Sources
> 10.3.1.165       71                 71                   64
> 10.3.1.38        69                 69                   62
> 10.3.10.103      70                 70                   62
> 10.3.10.132      70                 70                   63
> 10.3.10.199      68                 68                   61
> 10.3.10.245      70                 70                   63
> 
> 
> [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
> [Classification: Misc activity] [Priority: 3]
> 08/18-09:22:26.226017 0:2:B3:62:3A:F3 -> 0:0:C:7:AC:1 type:0x800 len:0x6A
> 207.173.164.215 -> 10.3.3.200 ICMP TTL:123 TOS:0x0 ID:23573 IpLen:20 DgmLen:92
> Type:8  Code:0  ID:512   Seq:35162  ECHO
> [Xref =>  arachnids 154]
> 
> Regards,
> David Stubblefield
> RagingNet
> 1-866-RAGENOC
> 901 Sneath Lane, Suite 210
> San Bruno, CA. 94066
> 
> 
> 
_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
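
An added example, not part of the original thread and not Snort's own code: one way to rebuild the per-source summary shown above (alerts and distinct destinations for sid 483) from one-line alerts in the format Gavin quoted, and to flag sources hitting numerically consecutive addresses. The sample addresses are constructed, the function names are hypothetical, and the `min_run` threshold is an assumption to tune per site.

```python
import re
from collections import defaultdict
from ipaddress import IPv4Address

# Snort "fast" alert layout, as in the one-line alerts quoted in this thread.
ALERT_RE = re.compile(
    r"^\d\d/\d\d-\d\d:\d\d:\d\d\.\d+\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+.*?\s+\[\*\*\]"
    r".*?\{\w+\}\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)"
)

# Constructed sample alerts (documentation address ranges, not real traffic).
_FMT = ("08/18-09:22:{:02d}.000000  [**] [1:{}] {} [**] "
        "[Classification: Misc activity] [Priority: 3] {{ICMP}} {} -> {}")
_CK = ("483:2", "ICMP PING CyberKit 2.2 Windows")
SAMPLE_ALERTS = "\n".join(
    [_FMT.format(i, *_CK, "198.51.100.7", f"192.0.2.{10 + i}") for i in range(6)]
    + [_FMT.format(30, *_CK, "203.0.113.9", "192.0.2.200"),
       _FMT.format(31, *_CK, "203.0.113.9", "192.0.2.200"),
       # Unrelated constructed rule: must not be counted.
       _FMT.format(40, "1000001:1", "constructed local rule",
                   "203.0.113.9", "192.0.2.201")]
)

def parse_alerts(text, sid="483"):
    """Yield (src, dst) for each alert line with generator ID 1 and this SID."""
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m and m["gid"] == "1" and m["sid"] == sid:
            yield IPv4Address(m["src"]), IPv4Address(m["dst"])

def longest_run(addrs):
    """Longest run of numerically consecutive addresses (arrival order ignored)."""
    best = cur = 0
    prev = None
    for a in sorted(addrs):
        cur = cur + 1 if prev is not None and int(a) == int(prev) + 1 else 1
        best, prev = max(best, cur), a
    return best

def summarize(text, min_run=4):
    """Per source: alerts, distinct destinations, sweep flag (min_run is assumed)."""
    alerts, dests = defaultdict(int), defaultdict(set)
    for src, dst in parse_alerts(text):
        alerts[src] += 1
        dests[src].add(dst)
    return {str(s): {"alerts": alerts[s], "destinations": len(dests[s]),
                     "sweep": longest_run(dests[s]) >= min_run} for s in alerts}

if __name__ == "__main__":
    for src, row in summarize(SAMPLE_ALERTS).items():
        print(src, row)
```

Alerts wrapped across several lines, as mail clients did to the ones quoted in this thread, need to be rejoined to one line each before parsing.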