[Snort-users] ICMP PING NMAP to 149.1.1.1

Kenneth G. Arnold bkarnold at ...8060...
Sat Apr 5 19:26:04 EST 2003


We don't have a timeout option that would log them out with no activity
for a certain period of time so there would be no reason to have such an
app for us.  It is possible that they may have it installed for AOL and it
is always running.  It seems excessive to ping twice every 2-3 seconds for
such an application, however. Every modem connection generates a separate
IP address but I have traced this to at least three different users.

arin.net shows
PSI PSINET-B-1 (NET-149-1-0-0-1)
                                  149.1.0.0 - 149.1.255.255
Schoffstall Associates SCHOFF-NB-149-001 (NET-149-1-0-0-2)
                                  149.1.0.0 - 149.1.255.255


I can't verify the dns name of 149.1.1.1 through nslookup but I found a
reference somewhere else that 149.1.1.1 belongs to timesink.com which is
supposedly a division of PSI.

Ken

On Sat, 5 Apr 2003, Joe Hill wrote:

> On Sat, 5 Apr 2003 17:18:11 -0600 (CST)
> "Kenneth G. Arnold" <bkarnold at ...8060...> wrote:
>
> > Within the last week I have noticed very strange activity for ICMP
> > PING NMAP.  It started with one user and now it has spread to several
> > more. It has so far been restricted to users connecting through
> > dial-in access to a modem pool.  Shortly after the user connects, the
> > machine starts sending ICMP PING NMAP to internet address 149.1.1.1 at
> > the rate of 2 pings every 2-3 seconds. That comes out to about 3000
> > per hour. I have seen totals go as high as 17,000 per day from one
> > source when it is connected.  The only reason it stops is that the
> > person finally disconnects.
> >
> > I searched the internet for an explanation for this and the only thing
> > I could find was that some freeware/shareware has code from
> > timesink.com built into it that sends pings to this address and tcp
> > data to other locations within its domain.  Timesink.com makes spyware
> > that sends information about the user's activity to the company
> > through the tcp sessions.  I have set up a rule to check for any
> > activity from our domain to timesink.com and all I see is the ICMP
> > PING NMAP activity.  It seems unlikely that a company would have a
> > product send it information at the rate that I am seeing.  I would
> > expect to see tcp sessions also and I don't see any.  I have searched
> > Symantec's site looking for a virus that would cause this but found
> > nothing.  Could this be a disgruntled person who is distributing a
> > program that performs a distributed denial of service attack against
> > timesink.com? I have tried pinging 149.1.1.1 myself and it doesn't
> > appear to be answering pings.
> >
> > Has anyone else encountered this situation in your logs? Does anyone
> > know what is going on?
> >
>
> could it be some form of "keepalive" app that the users are using, to
> keep their connection from timing out? One question, if more than one
> user is connected to the modem pool, are the probes *all* coming from
> the same IP?!
>
> Got this with dig:
>
> ; <<>> DiG 9.2.1 <<>> 149.1.1.1
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26439
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;149.1.1.1.                     IN      A
>
> ;; AUTHORITY SECTION:
> .                       86400   IN      SOA     A.ROOT-SERVERS.NET.
> NSTLD.VERISIGN-GRS.COM. 2003040501 1800 900 604800 86400
>
> ;; Query time: 103 msec
> ;; SERVER: 192.168.0.1#53(192.168.0.1)
> ;; WHEN: Sat Apr  5 19:42:08 2003
> ;; MSG SIZE  rcvd: 102
>
> as for what all that means...
>
> > Ken
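
Added example (not code from the original post, from Snort, or from any of the thread's participants): a small Python check that turns a batch of Snort fast-format alert lines into the per-source rate that Ken works out by hand above (2 pings every 2-3 seconds, about 3000 per hour), flags sources above a threshold, and records whether the same source also tripped any TCP alert toward the target's /16, which is the correlation the thread says it could not find. Snort's "ICMP PING NMAP" signature is sid 469 and fires on an ICMP echo request with an empty payload; everything else here is constructed for the demo: the alert lines, the local TCP rule with sid 1000001, the 600-per-hour threshold, and the year (Snort's fast format does not carry one).

```python
"""Rate-check Snort "ICMP PING NMAP" alerts against one destination.

Added example for this thread, not code from the original post. It parses
Snort fast-format alert lines ("MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg
[**] ... {PROTO} src -> dst"), counts ICMP PING NMAP hits per source against
a chosen target, converts them into a per-hour rate, and notes whether the
same source produced any TCP alert toward the target's /16.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

NMAP_PING_SID = 469        # Snort's "ICMP PING NMAP" signature
YEAR = 2003                # assumed: the fast format has no year field

# Constructed sample log (not from the original post). 10.1.2.3 mimics the
# reported pattern of two pings every 2-3 seconds; 10.1.2.4 pings slowly and
# also trips a hypothetical local TCP rule (sid 1000001) toward 149.1.0.0/16;
# 10.1.2.5 pings a different destination and must be ignored.
SAMPLE_ALERTS = """\
04/05-17:18:11.000000  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.1.2.3 -> 149.1.1.1
04/05-17:18:11.500000  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.1.2.3 -> 149.1.1.1
04/05-17:18:13.500000  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.1.2.3 -> 149.1.1.1
04/05-17:18:14.000000  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.1.2.3 -> 149.1.1.1
04/05-17:18:16.000000  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.1.2.3 -> 149.1.1.1
04/05-17:18:16.500000  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.1.2.3 -> 149.1.1.1
04/05-17:18:18.500000  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.1.2.3 -> 149.1.1.1
04/05-17:18:19.000000  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.1.2.3 -> 149.1.1.1
04/05-17:20:00.000000  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.1.2.4 -> 149.1.1.1
04/05-17:20:30.000000  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.1.2.4 -> 149.1.1.1
04/05-17:21:00.000000  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.1.2.5 -> 192.0.2.9
04/05-17:22:00.000000  [**] [1:1000001:1] LOCAL outbound TCP to timesink netblock [**] [Priority: 3] {TCP} 10.1.2.4:1034 -> 149.1.20.7:80
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Parse one fast-format alert line; return None for lines that do not match."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return {"ts": ts, "sid": int(m["sid"]), "msg": m["msg"],
            "proto": m["proto"], "src": m["src"], "dst": m["dst"]}


def summarize(lines, target="149.1.1.1", rate_threshold=600.0):
    """Per-source ICMP PING NMAP counts and rates toward `target`.

    rate_per_hour is alerts divided by the span from first to last alert, so a
    source with a single alert gets None. tcp_to_target_net records whether the
    source also appears as the origin of any TCP alert into target's /16.
    """
    target_net = ipaddress.ip_network(target + "/16", strict=False)
    pings = defaultdict(list)
    tcp_sources = set()
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        if a["sid"] == NMAP_PING_SID and a["dst"] == target:
            pings[a["src"]].append(a["ts"])
        elif a["proto"] == "TCP" and ipaddress.ip_address(a["dst"]) in target_net:
            tcp_sources.add(a["src"])
    report = {}
    for src, stamps in pings.items():
        stamps.sort()
        span = (stamps[-1] - stamps[0]).total_seconds()
        rate = len(stamps) * 3600.0 / span if span > 0 else None
        report[src] = {
            "count": len(stamps),
            "rate_per_hour": rate,
            "excessive": rate is not None and rate >= rate_threshold,
            "tcp_to_target_net": src in tcp_sources,
        }
    return report


if __name__ == "__main__":
    for src, info in sorted(summarize(SAMPLE_ALERTS.splitlines()).items()):
        rate = "n/a" if info["rate_per_hour"] is None else f"{info['rate_per_hour']:.0f}/h"
        print(f"{src:<12} pings={info['count']:<4} rate={rate:<8} "
              f"excessive={info['excessive']} tcp_to_net={info['tcp_to_target_net']}")
```

Run it as a script to print the report for the constructed sample, or call summarize() on real alert lines read from snort's alert file. The threshold is a starting point, not a tuned value: a keepalive tool that sends one echo a minute stays far below it, while the pattern described in the thread lands at roughly 3600 per hour and is flagged; a source that is excessive but never shows tcp_to_target_net is the case Ken describes, where the pings arrive with no accompanying TCP sessions.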




More information about the Snort-users mailing list