No subject


Thu Nov 23 16:34:03 EST 2017


I'm seeing alot of ICMP requests as well which Snort is alerting on as
Cyberkit 2.2 Windows. 

I set up a Linux machine on the Internet to answer to these pings with
netcat listening on ports 135 and 139 to see if anything would hit it then.
Most pings were followed up by a connect to port 135.  Ethereal reports part
of the connection to 135 as DCERPC protocol.  Looks like another worm.  The
Handlers Diary is pointing to the Nachi worm
(http://vil.nai.com/vil/content/v_100559.htm) as the cause.

Of all the ICMPs that I have captured, they have all had a TTL from 109-122
and a length of 92. 
---End---


HTH,
Matt

-----Original Message-----
From: David Stubblefield [mailto:dstubblefield at ...1781...] 
Sent: Monday, August 18, 2003 11:37 AM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] Strange CyberKit alert activity

Anyone seeing strange ICMP PING CyberKit alert activity today.  Starting
about 6:00 AM this morning we started getting a large number (6000 + during
the past hour) of these alerts from various source IP's to various
destination IP's.  

Here a snip from the attack summary - basically the summary continued
through the 207.172.X.X into the 207.173.X.X and this appears to be growing
as I just checked and am seeing new alerts from the 207.175.X.X address
space for this client.  I am also seeing these alerts on another clients
network on a much broader distribution of single alerts.  

Source IP # of Alerts (sig) # of Alerts (Total) # of Destinations
Destinations
207.172.111.150 63 63 61 			Destination IP # of Alerts
(sig) # of Alerts (Total) # of Sources 
207.172.125.107 63 63 61 			10.3.1.165 71 71 64 
207.172.125.150 63 63 61 			10.3.1.38 69 69 62 
207.172.136.155 63 63 61 			10.3.10.103 70 70 62 
207.172.137.12 63 63 61 			10.3.10.132 70 70 63 
207.172.138.4 46 46 46 				10.3.10.199 68 68 61 
207.172.143.66 63 63 61 			10.3.10.245 70 70 63 


[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
[Classification: Misc activity] [Priority: 3] 
08/18-09:22:26.226017 0:2:B3:62:3A:F3 -> 0:0:C:7:AC:1 type:0x800 len:0x6A
207.173.164.215 -> 10.3.3.200 ICMP TTL:123 TOS:0x0 ID:23573 IpLen:20
DgmLen:92
Type:8  Code:0  ID:512   Seq:35162  ECHO
[Xref =>  arachnids 154]

Regards,
David Stubblefield
RagingNet
1-866-RAGENOC
901 Sneath Lane, Suite 210
San Bruno, CA. 94066



-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs




More information about the Snort-sigs mailing list