[Snort-users] Odd ICMP traffic (newbie alert)

Alec Waters alec.waters at ...645...
Mon Oct 16 07:31:31 EDT 2000


Hi,

I'm a bit new at this ID lark, and I was wondering if anyone would be
good enough to help me understand the following.

I've received (amongst many other things) a load of ICMP datagrams like
the following (where xxx.xxx.xxx.xxx is one of my hosts):

[**] PING-ICMP Destination Unreachable [**]
10/12-14:21:24.754539 207.88.240.101 -> xxx.xxx.xxx.xxx
ICMP TTL:247 TOS:0x0 ID:0
DESTINATION UNREACHABLE: HOST UNREACHABLE
00 00 00 00 45 00 00 28 BE A7 00 00 18 06 EE 28  ....E..(.......(
xx xx xx xx C2 99 E6 A2 12 53 21 D2 77 18 61 D6  .........S!.w.a.

As best I can make out this is telling me the following (please stop me
when I start talking rubbish (probably about now:))

- 207.88.240.101 is telling me that some traffic originating from my
host can't be delivered to its destination, because 207.88.240.101
doesn't know how to do it.
- Decoding the payload of the ICMP datagram, I can see that it was a TCP
segment that couldn't be delivered. This TCP segment was sent from my
host, and addressed to C2 99 E6 A2 (194.153.230.167 -> async7.eltop.ro).
The source port was 4691, and the destination port was 8658.

There are several other similar messages in my logs. I note the
following interesting things:

- The destination port in the TCP segment is always 8658.
- The source port in the TCP segment always has 0x53 as its second byte.
The first byte varies with no discernable pattern.
- The TCP acknowledgement number always has 0xD6 as its final byte.
- From my perspective, 207.88.240.101 is not on the route to
194.153.230.167. Indeed, they seem to be in opposite directions.

My host is a webserver, and consequently we have a filtering router set
up to only allow connections to port 80/TCP. This should have prevented
async7.eltop.ro from opening a TCP session to my port 4691, so (assuming
the filtering on the router hasn't been circumvented) it appears that my
host is trying to "talk out" to port 8658 of its own volition. Needless
to say, it has no business doing this at all.

Am I reading this right? Is it possible to see from this what could have
been going on? I'm worried that my host is riddled with miscellaneous
trojans and backdoors...

Thanks a lot!
--
Alec Waters
Dataline Software Ltd
Clarence House, 30-31 North Street, Brighton, BN1 1EB, UK

Tel: +44 (0)1273 324939
Fax: +44 (0)1273 205576
www: http://www.dataline.co.uk
wap: http://wap.dataline.co.uk
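
The payload decoding walked through in the message above, as an added example that is not part of the original post. The function name is hypothetical, the masked source address is replaced by the constructed placeholder 192.0.2.10, and the dump is assumed to start at the 4-byte unused field of the ICMP header.

```python
import socket
import struct

# Payload bytes as printed in the Snort alert above. The dump masks the
# original source address as "xx xx xx xx"; 192.0.2.10 (C0 00 02 0A) is a
# constructed placeholder, so the embedded IP checksum is not verified.
DUMP = ("00 00 00 00 45 00 00 28 BE A7 00 00 18 06 EE 28 "
        "C0 00 02 0A C2 99 E6 A2 12 53 21 D2 77 18 61 D6")


def decode_icmp_error_payload(hex_dump):
    """Decode the quoted datagram carried by an ICMP error message.

    Assumes the dump starts at the 4-byte unused field that follows the
    ICMP type/code/checksum, as the leading 00 00 00 00 45 suggests.
    """
    data = bytes.fromhex(hex_dump.replace(" ", ""))
    if len(data) < 4 + 20:
        raise ValueError("too short to hold a quoted IP header")
    quoted = data[4:]
    version, ihl = quoted[0] >> 4, (quoted[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(quoted) < ihl:
        raise ValueError("quoted data is not a complete IPv4 header")
    # Skip version/IHL and TOS, then read the rest of the fixed header.
    total_len, ident, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!2xHHHBBH4s4s", quoted[:20])
    result = {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "ttl": ttl, "ip_id": ident, "total_len": total_len, "proto": proto,
    }
    l4 = quoted[ihl:]
    # RFC 792 only guarantees the first 8 bytes past the quoted IP header:
    # for TCP that is source port, destination port and sequence number.
    if proto == 6 and len(l4) >= 8:
        sport, dport, seq = struct.unpack("!HHI", l4[:8])
        result.update(sport=sport, dport=dport, seq=seq)
    return result


if __name__ == "__main__":
    for key, value in decode_icmp_error_payload(DUMP).items():
        print(f"{key:10} {value}")
```

The decode takes the bytes exactly as printed in the dump: A2 in the last destination octet is 162, and the four bytes after the two ports occupy the TCP sequence number field.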




