[Snort-users] ICMP PING NMAP to 149.1.1.1

Kenneth G. Arnold bkarnold at ...8060...
Sat Apr 5 15:19:01 EST 2003


Within the last week I have noticed very strange activity for ICMP PING
NMAP.  It started with one user and now it has spread to several more. It
has so far been restricted to users connecting through dial-in access to a
modem pool.  Shortly after the user connects, the machine starts sending
ICMP PING NMAP to internet address 149.1.1.1 at the rate of 2 pings every
2-3 seconds. That comes out to about 3000 per hour. I have seen totals go
as high as 17,000 per day from one source when it is connected.  The only
reason it stops is that the person finally disconnects.

I searched the internet for an explanation for this and the only thing I
could find was that some freeware/shareware has code from timesink.com
built into it that sends pings to this address and tcp data to other
locations within its domain.  Timesink.com makes spyware that sends
information about the user's activity to the company through the tcp
sessions.  I have set up a rule to check for any activity from our domain
to timesink.com and all I see is the ICMP PING NMAP activity.  It seems
unlikley that a company would have a product send it information at the
rate that I am seeing.  I would expect to see tcp sessions also and I
don't see any.  I have searched Symantec's site looking for a virus that
would cause this but found nothing.  Could this be a disgruntled person
who is distributing a program that performs a distributed denial of
service attack against timesink.com? I have tried pinging 149.1.1.1 myself
and it doesn't appear to be answering pings.

Has anyone else encountered this situation in your logs? Does anyone know
what is going on?

Ken







More information about the Snort-users mailing list