[Snort-users] (new?) worm or bot signature - echo request

Stephane Nasdrovisky stephane.nasdrovisky at ...4735...
Thu Jan 31 10:49:13 EST 2002


I received a strange ICMP packet. The payload contains:
SERVER Offered         | Offering: 192.168.0.31  To: 0030651278CF  By:19

(0030651278CF = 207854139599 = 3014504474317 (oct) = 0.48.101.18.120.207, which
doesn't mean anything to me)

A search on Google gave me no good results; the only potentially useful
link is:
http://www.wi2600.org/mediawhore/nf0/wireless/dumps/madison-minakwa-and-briar-hill/Data/Briar%20Hill%20International.libpcap

[**] IDS171/icmp_ping zeros [**]
01/31-15:07:15.772291  type:0x800 len:0x86
213.221.141.64 -> 195.72.91.xxx ICMP TTL:233 TOS:0x0 ID:23287 IpLen:20
DgmLen:120 DF
Type:8  Code:0  ID:1376   Seq:23296  ECHO
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 20 53 45 52 56 45 52 20 4F 66 66 65 72 65  .. SERVER Offere
64 20 20 20 20 20 20 20 20 20 7C 20 4F 66 66 65  d         | Offe
72 69 6E 67 3A 20 31 39 32 2E 31 36 38 2E 30 2E  ring: 192.168.0.
33 31 20 20 54 6F 3A 20 30 30 33 30 36 35 31 32  31  To: 00306512
37 38 43 46 20 20 42 79 3A 20 31 39              78CF  By: 19

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] IDS171/icmp_ping zeros [**]
01/31-15:07:15.780343  type:0x800 len:0x86
213.221.141.64 -> 195.72.91.yyy ICMP TTL:234 TOS:0x0 ID:23288 IpLen:20
DgmLen:120 DF
Type:8  Code:0  ID:1376   Seq:23552  ECHO
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 20 53 45 52 56 45 52 20 4F 66 66 65 72 65  .. SERVER Offere
64 20 20 20 20 20 20 20 20 20 7C 20 4F 66 66 65  d         | Offe
72 69 6E 67 3A 20 31 39 32 2E 31 36 38 2E 30 2E  ring: 192.168.0.
33 31 20 20 54 6F 3A 20 30 30 33 30 36 35 31 32  31  To: 00306512
37 38 43 46 20 20 42 79 3A 20 31 39              78CF  By: 19

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

# whois -h whois.ripe.net 213.221.141.64
% This is the RIPE Whois server.
% The objects are in RPSL format.
% Please visit http://www.ripe.net/rpsl for more information.
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html

inetnum:      213.221.139.0 - 213.221.141.255
netname:      TVS2NET
descr:        tvs2net headend dransnet lancity
country:      CH
admin-c:      PAM49-RIPE
tech-c:       OC609-RIPE
rev-srv:      dns1.netplus.ch
notify:       noc at ...4817...
mnt-by:       AS15547-MNT
status:       ASSIGNED PA
changed:      pa.matthey at ...4817... 20011126
source:       RIPE

route:        213.221.128.0/19
descr:        Cablecom Holding AG
descr:        Zollstrasse42
descr:        CH-8021 Zuerich
descr:        SWITZERLAND
origin:       AS8404
holes:        213.221.158.0/24
notify:       lir-mnt at ...4818...
mnt-by:       AS8404-MNT
changed:      felix.giger at ...4818... 20010711
source:       RIPE

person:       Pierre-Alain Matthey
address:      TVS2NET
address:      Rue de l'industrie 43
address:      CH-1951 SION
address:      SWITZERLAND
phone:        +41273240469
fax-no:       +41273240412
e-mail:       pa.matthey at ...4817...
nic-hdl:      PAM49-RIPE
changed:      pa.matthey at ...4817... 20011008
source:       RIPE

person:       Olivier Crettenand
address:      Energie de Sion Region SA
address:      Rue de l'Industrie 43
address:      CH-1951 Sion
address:      Switzerland
phone:        + 41 27 324 0473
fax-no:       + 41 27 324 0412
e-mail:       olivier.crettenand at ...4817...
nic-hdl:      OC609-RIPE
notify:       hostmaster at ...4819...
changed:      hostmaster at ...4819... 20010517
source:       RIPE
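Added example (mine, not the poster's): a small Python script that rebuilds the ICMP payload from the hex column of the first alert block above, checks the byte count against DgmLen - IpLen - 8, counts the leading zero bytes that the "zeros" in the IDS171 name refers to (treating that run as the match criterion is my assumption), and pulls out the Offering/To/By fields. decode_hex_token reproduces the decimal, octal and dotted renderings from the post; the colon-separated form, and the idea of handing it to an OUI lookup, are my assumptions about what the field might be, not something the packet establishes.

```python
"""Parse a Snort alert dump (as pasted in the post) and triage the ICMP payload."""
import re
from typing import Dict, Optional

# Constructed sample: the first alert block from the post, copied as pasted.
SAMPLE_ALERT = """\
[**] IDS171/icmp_ping zeros [**]
01/31-15:07:15.772291  type:0x800 len:0x86
213.221.141.64 -> 195.72.91.xxx ICMP TTL:233 TOS:0x0 ID:23287 IpLen:20
DgmLen:120 DF
Type:8  Code:0  ID:1376   Seq:23296  ECHO
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 20 53 45 52 56 45 52 20 4F 66 66 65 72 65  .. SERVER Offere
64 20 20 20 20 20 20 20 20 20 7C 20 4F 66 66 65  d         | Offe
72 69 6E 67 3A 20 31 39 32 2E 31 36 38 2E 30 2E  ring: 192.168.0.
33 31 20 20 54 6F 3A 20 30 30 33 30 36 35 31 32  31  To: 00306512
37 38 43 46 20 20 42 79 3A 20 31 39              78CF  By: 19
"""

# Hex column of a Snort dump line: "XX " tokens at line start. The ASCII column
# is separated by two spaces, so the match stops before it.
HEX_COLUMN = re.compile(r"^((?:[0-9A-Fa-f]{2}(?: |$))+)")
ICMP_HDR_LEN = 8  # echo header: type, code, checksum, id, seq


def payload_from_dump(alert_text: str) -> bytes:
    """Rebuild the bytes Snort dumped (ICMP data; the headers are printed as text)."""
    out = bytearray()
    for line in alert_text.splitlines():
        m = HEX_COLUMN.match(line)
        if m:
            out.extend(int(tok, 16) for tok in m.group(1).split())
    return bytes(out)


def expected_payload_len(alert_text: str) -> Optional[int]:
    """DgmLen - IpLen - ICMP header: how many bytes a complete dump should hold."""
    dgm = re.search(r"DgmLen:(\d+)", alert_text)
    ipl = re.search(r"IpLen:(\d+)", alert_text)
    if not (dgm and ipl):
        return None
    return int(dgm.group(1)) - int(ipl.group(1)) - ICMP_HDR_LEN


def leading_zero_count(payload: bytes) -> int:
    """Length of the zero-byte run at the start of the payload."""
    return len(payload) - len(payload.lstrip(b"\x00"))


OFFER_FIELDS = re.compile(
    r"Offering:\s*(?P<ip>[\d.]+)\s+To:\s*(?P<to>[0-9A-Fa-f]+)\s+By:\s*(?P<by>\S+)"
)


def parse_offer_fields(text: str) -> Optional[Dict[str, str]]:
    """Pull the Offering/To/By values out of the 'SERVER Offered' string, if present."""
    m = OFFER_FIELDS.search(text)
    return m.groupdict() if m else None


def decode_hex_token(tok: str) -> Dict[str, object]:
    """Render a hex token as in the post (decimal, octal, dotted octets) plus colon octets."""
    value = int(tok, 16)
    nbytes = (len(tok) + 1) // 2
    octets = value.to_bytes(nbytes, "big")
    return {
        "decimal": value,
        "octal": format(value, "o"),
        "dotted": ".".join(str(b) for b in octets),
        # Colon form is what an OUI lookup would take *if* this is a hardware
        # address; that reading is an assumption, not something the packet proves.
        "colon": ":".join(f"{b:02X}" for b in octets),
    }


def triage(alert_text: str) -> Dict[str, object]:
    """Everything worth knowing about one alert block, in one pass."""
    payload = payload_from_dump(alert_text)
    text = payload.lstrip(b"\x00").decode("ascii", errors="replace").strip()
    fields = parse_offer_fields(text)
    return {
        "payload_len": len(payload),
        "length_ok": expected_payload_len(alert_text) == len(payload),
        "leading_zeros": leading_zero_count(payload),
        "text": text,
        "fields": fields,
        "to_decoded": decode_hex_token(fields["to"]) if fields else None,
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_ALERT).items():
        print(f"{key}: {val}")
```

Run it as-is on the pasted block and length_ok comes back true (120 - 20 - 8 = 92 bytes, which is what the six dump lines add up to), the zero run is 18 bytes, and the To: token decodes to the same 207854139599 / 3014504474317 (oct) / 0.48.101.18.120.207 as in the post. The second alert block differs only in the IP ID, TTL and ICMP sequence, so the same parse applies to it.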






