No subject

Thu Nov 23 16:34:03 EST 2017

I'm seeing a lot of ICMP requests as well which Snort is alerting on as
Cyberkit 2.2 Windows. 

I set up a Linux machine on the Internet to answer to these pings with
netcat listening on ports 135 and 139 to see if anything would hit it then.
Most pings were followed up by a connect to port 135.  Ethereal reports part
of the connection to 135 as DCERPC protocol.  Looks like another worm.  The
Handlers Diary is pointing to the Nachi worm
as the cause.

Of all the ICMPs that I have captured, they have all had a TTL from 109-122
and a length of 92. 


-----Original Message-----
From: David Stubblefield [mailto:dstubblefield at ...1781...] 
Sent: Monday, August 18, 2003 11:37 AM
To: snort-sigs at
Subject: [Snort-sigs] Strange CyberKit alert activity

Anyone seeing strange ICMP PING CyberKit alert activity today?  Starting
about 6:00 AM this morning we started getting a large number (6000 + during
the past hour) of these alerts from various source IPs to various
destination IPs.  

Here is a snip from the attack summary - basically the summary continued
through the 207.172.X.X into the 207.173.X.X and this appears to be growing
as I just checked and am seeing new alerts from the 207.175.X.X address
space for this client.  I am also seeing these alerts on another client's
network on a much broader distribution of single alerts.  

Source IP # of Alerts (sig) # of Alerts (Total) # of Destinations
Destinations 63 63 61 			Destination IP # of Alerts
(sig) # of Alerts (Total) # of Sources 63 63 61 71 71 64 63 63 61 69 69 62 63 63 61 70 70 62 63 63 61 70 70 63 46 46 46 68 68 61 63 63 61 70 70 63 

[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
[Classification: Misc activity] [Priority: 3] 
08/18-09:22:26.226017 0:2:B3:62:3A:F3 -> 0:0:C:7:AC:1 type:0x800 len:0x6A -> ICMP TTL:123 TOS:0x0 ID:23573 IpLen:20
Type:8  Code:0  ID:512   Seq:35162  ECHO
[Xref =>  arachnids 154]

David Stubblefield
901 Sneath Lane, Suite 210
San Bruno, CA. 94066
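
The pattern reported in the reply above (ICMP echo requests of length 92 with a TTL of 109-122, most followed by a connect to port 135) can be checked against captured traffic. This is an added example, not part of the original messages; the event records, the addresses (RFC 5737 documentation ranges), the 10-second window and the function names are assumptions constructed for illustration.

```python
from collections import namedtuple

# One record per packet of interest, e.g. exported from a capture.
Event = namedtuple("Event", "ts src dst proto ip_len ttl dport")

# Constructed sample events; none of these values come from the thread.
SAMPLE = [
    Event(0.0, "192.0.2.10", "198.51.100.5", "icmp-echo", 92, 115, None),
    Event(0.4, "192.0.2.10", "198.51.100.5", "tcp-syn", 48, 115, 135),
    Event(1.0, "192.0.2.77", "198.51.100.5", "icmp-echo", 84, 52, None),
    Event(1.2, "192.0.2.77", "198.51.100.5", "tcp-syn", 60, 52, 80),
    Event(2.0, "192.0.2.33", "198.51.100.9", "icmp-echo", 92, 110, None),
    Event(9.0, "192.0.2.10", "198.51.100.6", "icmp-echo", 92, 114, None),
    Event(50.0, "192.0.2.10", "198.51.100.6", "tcp-syn", 48, 114, 135),
]

def matches_ping_profile(ev, ip_len=92, ttl_range=(109, 122)):
    """True for an echo request with the length and TTL range seen in the reply."""
    low, high = ttl_range
    return ev.proto == "icmp-echo" and ev.ip_len == ip_len and low <= ev.ttl <= high

def correlate(events, window=10.0, port=135):
    """Map each source to the (dst, ping_ts, connect_ts) tuples where a
    profile-matching ping was followed by a SYN to `port` within `window` seconds."""
    pending = {}  # (src, dst) -> timestamp of the latest matching ping
    hits = {}
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.src, ev.dst)
        if matches_ping_profile(ev):
            pending[key] = ev.ts
        elif ev.proto == "tcp-syn" and ev.dport == port and key in pending:
            ping_ts = pending.pop(key)
            if ev.ts - ping_ts <= window:  # a late connect is not treated as a follow-up
                hits.setdefault(ev.src, []).append((ev.dst, ping_ts, ev.ts))
    return hits

def ping_sweep_breadth(events):
    """Count distinct destinations pinged per source with the matching profile."""
    seen = {}
    for ev in events:
        if matches_ping_profile(ev):
            seen.setdefault(ev.src, set()).add(ev.dst)
    return {src: len(dsts) for src, dsts in seen.items()}

if __name__ == "__main__":
    print(correlate(SAMPLE))
    print(ping_sweep_breadth(SAMPLE))
```

The alert quoted in the original message shows TTL:123, just outside the 109-122 range, so the TTL bounds are left as a parameter rather than treated as a fixed signature.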
