[Snort-users] ICMP PING NMAP to 149.1.1.1

Joe Hill joehill at ...3945...
Sun Apr 6 08:05:02 EDT 2003


Ok, I am just going to sit back and watch for awhile.

/joehill bookmarks neohapsis and giac

On Sun, 6 Apr 2003 03:25:35 -0700
"Jeff O'Neal" <jeff.oneal at ...8794...> wrote:

> From the links below it looks like the user probably has a program
> called "tsadbot.exe".  From looking around for a few minutes it looks
> like the program comes with some/one of the versions of pkZip.
> 
> http://archives.neohapsis.com/archives/sf/ms/2000-q3/0148.html
> 
> Link to a giac practical with a detect on this.
> 
> http://www.giac.org/practical/Robert_Hunt.doc
> 
> ~Jeff
> 
> ----- Original Message -----
> From: "Kenneth G. Arnold" <bkarnold at ...8060...>
> To: <snort-users at lists.sourceforge.net>
> Sent: Saturday, April 05, 2003 8:25 PM
> Subject: Re: [Snort-users] ICMP PING NMAP to 149.1.1.1
> 
> 
> > We don't have a timeout option that would log them out with no
> > activity for a certain period of time so there would be no reason to
> > have such an app for us.  It is possible that they may have it
> > installed for AOL and it is always running.  It seems excessive to
> > ping twice every 2-3 seconds for such an application, however. Every
> > modem connection generates a separate IP address but I have traced
> > this to at least three different users.
> >
> > arin.net shows
> > PSI PSINET-B-1 (NET-149-1-0-0-1)
> >                                   149.1.0.0 - 149.1.255.255
> > Schoffstall Associates SCHOFF-NB-149-001 (NET-149-1-0-0-2)
> >                                   149.1.0.0 - 149.1.255.255
> >
> >
> > I can't verify the dns name of 149.1.1.1 through nslookup but I
> > found a reference somewhere else that 149.1.1.1 belongs to
> > timesink.com which is supposedly a division of PSI.
> >
> > Ken
> >
> > On Sat, 5 Apr 2003, Joe Hill wrote:
> >
> > > On Sat, 5 Apr 2003 17:18:11 -0600 (CST)
> > > "Kenneth G. Arnold" <bkarnold at ...8060...> wrote:
> > >
> > > > Within the last week I have noticed very strange activity for
> > > > ICMP PING NMAP.  It started with one user and now it has spread
> > > > to several more. It has so far been restricted to users
> > > > connecting through dial-in access to a modem pool.  Shortly
> > > > after the user connects, the machine starts sending ICMP PING
> > > > NMAP to internet address 149.1.1.1 at the rate of 2 pings every
> > > > 2-3 seconds. That comes out to about 3000 per hour. I have seen
> > > > totals go as high as 17,000 per day from one source when it is
> > > > connected.  The only reason it stops is that the person finally
> > > > disconnects.
> > > >
> > > > I searched the internet for an explanation for this and the only
> > > > thing I could find was that some freeware/shareware has code
> > > > from timesink.com built into it that sends pings to this address
> > > > and tcp data to other locations within its domain.  Timesink.com
> > > > makes spyware that sends information about the user's activity
> > > > to the company through the tcp sessions.  I have set up a rule
> > > > to check for any activity from our domain to timesink.com and
> > > > all I see is the ICMP PING NMAP activity.  It seems unlikely
> > > > that a company would have a product send it information at the
> > > > rate that I am seeing.  I would expect to see tcp sessions also
> > > > and I don't see any.  I have searched Symantec's site looking
> > > > for a virus that would cause this but found nothing.  Could this
> > > > be a disgruntled person who is distributing a program that
> > > > performs a distributed denial of service attack against
> > > > timesink.com? I have tried pinging 149.1.1.1 myself and it
> > > > doesn't appear to be answering pings.
> > > >
> > > > Has anyone else encountered this situation in your logs? Does
> > > > anyone know what is going on?
> > > >
> > >
> > > could it be some form of "keepalive" app that the users are using,
> > > to keep their connection from timing out? One question, if more
> > > than one user is connected to the modem pool, are the probes *all*
> > > coming from the same IP?!
> > >
> > > Got this with dig:
> > >
> > > ; <<>> DiG 9.2.1 <<>> 149.1.1.1
> > > ;; global options:  printcmd
> > > ;; Got answer:
> > > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26439
> > > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> > >
> > > ;; QUESTION SECTION:
> > > ;149.1.1.1.                     IN      A
> > >
> > > ;; AUTHORITY SECTION:
> > > .                       86400   IN      SOA     A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2003040501 1800 900 604800 86400
> > >
> > > ;; Query time: 103 msec
> > > ;; SERVER: 192.168.0.1#53(192.168.0.1)
> > > ;; WHEN: Sat Apr  5 19:42:08 2003
> > > ;; MSG SIZE  rcvd: 102
> > >
> > > as for what all that means...
> > >
> > > > Ken
> >
> >
> > -------------------------------------------------------
> > This SF.net email is sponsored by: ValueWeb:
> > Dedicated Hosting for just $79/mo with 500 GB of bandwidth!
> > No other company gives more support or power for your dedicated
> > server http://click.atdmt.com/AFF/go/sdnxxaff00300020aff/direct/01/
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
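An added example, not code from any of the posts above: a script that reads Snort "fast" alert lines and, for the ICMP PING NMAP signature, reports how many hits each source sent to 149.1.1.1, the sustained hourly rate and the longest pause between hits. That separates the pattern Ken describes (one dial-up host pinging a single address twice every 2-3 seconds, thousands per hour, never quiet) from an nmap host-discovery sweep, which touches each target once or twice. The alert lines, the 10.10.x.x source addresses and the thresholds are constructed for the example; the fast-alert line layout and signature ID 469 for ICMP PING NMAP follow the Snort 1.9/2.0-era convention and are assumptions, so adjust the regex to whatever your alert file actually shows.

```python
#!/usr/bin/env python3
"""Spot one host hammering one destination with ICMP PING NMAP alerts.

Added example for the Snort-users thread above; not code from the posts.
Reads Snort "fast" alert lines, groups ICMP PING NMAP hits by source and
reports per-source volume and cadence.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed Snort fast-alert layout, e.g.
# 04/05-20:00:00.000000  [**] [1:469:1] ICMP PING NMAP [**] [Classification: ...] [Priority: 2] {ICMP} 10.10.5.17 -> 149.1.1.1
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>[A-Z]+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)


def parse_alert(line, year=2003):
    """Return a dict for one fast-alert line, or None if it does not parse.
    Fast alerts carry no year, so the caller supplies it."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return {"ts": ts, "sid": int(m["sid"]), "msg": m["msg"],
            "proto": m["proto"], "src": m["src"], "dst": m["dst"]}


def ping_stats(lines, dst, msg="ICMP PING NMAP", year=2003):
    """Per-source count, sustained rate (alerts/hour) and longest silence
    for alerts carrying msg and aimed at dst."""
    by_src = defaultdict(list)
    for line in lines:
        a = parse_alert(line, year)
        if a and a["dst"] == dst and a["msg"] == msg:
            by_src[a["src"]].append(a["ts"])
    stats = {}
    for src, times in by_src.items():
        times.sort()
        span = (times[-1] - times[0]).total_seconds()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        stats[src] = {
            "count": len(times),
            # intervals per elapsed second scaled to an hour; a lone alert has no rate
            "per_hour": (len(gaps) / span * 3600.0) if span > 0 else 0.0,
            "max_gap_s": max(gaps) if gaps else None,
        }
    return stats


def flag_beacons(stats, min_count=10, min_per_hour=600.0, max_gap_s=30.0):
    """Sources that keep pinging one host: many hits, hundreds per hour and
    never quiet for long.  Thresholds are assumptions; tune to your traffic."""
    return sorted(src for src, s in stats.items()
                  if s["count"] >= min_count and s["per_hour"] >= min_per_hour
                  and s["max_gap_s"] is not None and s["max_gap_s"] <= max_gap_s)


def fast_line(ts, sid, msg, src, dst, proto="ICMP"):
    """Format one constructed fast-alert line (test data, not real logs)."""
    return (f"{ts:%m/%d-%H:%M:%S.%f}  [**] [1:{sid}:1] {msg} [**] "
            f"[Classification: Attempted Information Leak] [Priority: 2] "
            f"{{{proto}}} {src} -> {dst}")


def sample_alerts():
    """Constructed alerts: 10.10.5.17 sends two echo requests every 2.5 s for
    10 cycles (the cadence described in the thread), 10.10.5.99 pings the
    address once, 10.10.7.3 pings it slowly every three minutes, and one
    unrelated signature hits the same address and must be ignored."""
    t0 = datetime(2003, 4, 5, 20, 0, 0)
    lines = []
    for k in range(10):
        for off in (0.0, 0.1):
            lines.append(fast_line(t0 + timedelta(seconds=2.5 * k + off), 469,
                                   "ICMP PING NMAP", "10.10.5.17", "149.1.1.1"))
    lines.append(fast_line(t0 + timedelta(seconds=5), 469, "ICMP PING NMAP",
                           "10.10.5.99", "149.1.1.1"))
    for k in range(4):
        lines.append(fast_line(t0 + timedelta(minutes=3 * k), 469,
                               "ICMP PING NMAP", "10.10.7.3", "149.1.1.1"))
    lines.append(fast_line(t0 + timedelta(seconds=1), 384, "ICMP PING",
                           "10.10.5.17", "149.1.1.1"))
    return lines


if __name__ == "__main__":
    stats = ping_stats(sample_alerts(), "149.1.1.1")
    for src, s in sorted(stats.items()):
        print(f"{src:<12} count={s['count']:<3} per_hour={s['per_hour']:8.1f} "
              f"max_gap_s={s['max_gap_s']}")
    print("beaconing:", flag_beacons(stats))
```

On the constructed data the 2-per-2.5-second host comes out at roughly 3000 alerts per hour with a longest gap of 2.4 s and is the only source flagged; the one-off and the three-minute pinger are left alone. To run it against a real deployment, feed it the lines of Snort's fast alert file and pass the year the file was written, since that format omits it.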
