[Snort-users] ICMP PING NMAP to 188.8.131.52
Kenneth G. Arnold
bkarnold at ...8060...
Sat Apr 5 19:26:04 EST 2003
We don't have a timeout option that would log them out with no activity
for a certain period of time so there would be no reason to have such an
app for us. It is possible that they may have it installed for AOL and it
is always running. It seems excessive to ping twice every 2-3 seconds for
such an application, however. Every modem connection generates a separate
IP address but I have traced this to at least three different users.
PSI PSINET-B-1 (NET-149-1-0-0-1)
184.108.40.206 - 220.127.116.11
Schoffstall Associates SCHOFF-NB-149-001 (NET-149-1-0-0-2)
18.104.22.168 - 22.214.171.124
I can't verify the dns name of 126.96.36.199 through nslookup but I found a
reference somewhere else that 188.8.131.52 belongs to timesink.com which is
supposedly a division of PSI.
On Sat, 5 Apr 2003, Joe Hill wrote:
> On Sat, 5 Apr 2003 17:18:11 -0600 (CST)
> "Kenneth G. Arnold" <bkarnold at ...8060...> wrote:
> > Within the last week I have noticed very strange activity for ICMP
> > PING NMAP. It started with one user and now it has spread to several
> > more. It has so far been restricted to users connecting through
> > dial-in access to a modem pool. Shortly after the user connects, the
> > machine starts sending ICMP PING NMAP to internet address 184.108.40.206 at
> > the rate of 2 pings every 2-3 seconds. That comes out to about 3000
> > per hour. I have seen totals go as high as 17,000 per day from one
> > source when it is connected. The only reason it stops is that the
> > person finally disconnects.
> > I searched the internet for an explanation for this and the only thing
> > I could find was that some freeware/shareware has code from
> > timesink.com built into it that sends pings to this address and tcp
> > data to other locations within its domain. Timesink.com makes spyware
> > that sends information about the user's activity to the company
> > through the tcp sessions. I have set up a rule to check for any
> > activity from our domain to timesink.com and all I see is the ICMP
> > PING NMAP activity. It seems unlikley that a company would have a
> > product send it information at the rate that I am seeing. I would
> > expect to see tcp sessions also and I don't see any. I have searched
> > Symantec's site looking for a virus that would cause this but found
> > nothing. Could this be a disgruntled person who is distributing a
> > program that performs a distributed denial of service attack against
> > timesink.com? I have tried pinging 220.127.116.11 myself and it doesn't
> > appear to be answering pings.
> > Has anyone else encountered this situation in your logs? Does anyone
> > know what is going on?
> could it be some form of "keepalive" app that the users are using, to
> keep their connection from timing out? One question, if more than one
> user is connected to the modem pool, are the probes *all* coming from
> the same IP?!
> Got this with dig:
> ; <<>> DiG 9.2.1 <<>> 18.104.22.168
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26439
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;22.214.171.124. IN A
> ;; AUTHORITY SECTION:
> . 86400 IN SOA A.ROOT-SERVERS.NET.
> NSTLD.VERISIGN-GRS.COM. 2003040501 1800 900 604800 86400
> ;; Query time: 103 msec
> ;; SERVER: 192.168.0.1#53(192.168.0.1)
> ;; WHEN: Sat Apr 5 19:42:08 2003
> ;; MSG SIZE rcvd: 102
> as for what all that means...
> > Ken
More information about the Snort-users