[Snort-users] Strange ICMP traffic. Perhaps a worm?

Harry M harrym at ...10739...
Mon Dec 15 07:44:20 EST 2003


I'm getting lots of ICMP traffic that looks pretty odd to me. They are all
ping packets with a fairly strange payload:

000 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
010 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
020 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
030 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................

What makes me think this is a worm is that all the traffic is coming from
other customers of my ISP (NTL), and the source ip addresses increment very
neatly - 80.4, 80.5, 80.6, 80.7 - which looks rather like it could be a set
of machines infected by a worm that increments the subnet (2nd octet) it
targets. Although this doesn't really tally with the apparent lack of any
bytecode in the payload, I figured it could be an exploratory probe or
some such. The rule it's triggering is ICMP PING CyberKit 2.2 Windows
(http://www.snort.org/snort-db/sid.html?sid=483) but I find it highly
unlikely that this is the actual cause, because of the number of different
source addresses (>100).

Does anyone have any other ideas? Whatever it is, it's very strange. The
thought does occur that my ISP could be doing something sneaky, to which I'd
almost certainly object :)

I started getting traffic at 2003-12-11 20:18:33 GMT and have been getting
it ever since.

Arta
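
An added example, not part of Harry's post or of the Snort project's code: a
small Python triage script that does the two things the post describes by
hand. It applies the same kind of condition the CyberKit 2.2 rule relies on
(an ICMP echo request carrying a run of 0xAA bytes near the start of the
payload) to raw IPv4/ICMP datagrams, then groups the matching source
addresses by /16 to show whether they really do walk through the second octet
as 80.4, 80.5, 80.6, 80.7. The exact rule text of SID 483 is not on the page;
the check used here (type 8, sixteen 0xAA bytes within the first 32 payload
bytes) is an assumption modelled on how that rule is commonly described. All
packets are constructed in memory for the example, so it runs offline; the
helper that builds them is there only to produce sample input.

```python
"""Triage ICMP echo requests whose payload is a run of 0xAA bytes.

Constructed example: the packets below are built in memory to resemble the
traffic in the post (sources in 80.4.x.x .. 80.7.x.x, 64 bytes of 0xAA).
The match condition is an assumption modelled on Snort SID 483: ICMP type 8
with sixteen 0xAA bytes somewhere in the first 32 payload bytes.
"""
import ipaddress
import struct
from collections import defaultdict

AA_RUN = b"\xaa" * 16   # the byte run the rule looks for (assumed)
MATCH_DEPTH = 32        # only inspect the first 32 payload bytes (assumed)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(src: str, dst: str, payload: bytes, ident=1, seq=1) -> bytes:
    """Build a minimal IPv4 + ICMP echo request. Used only to construct samples."""
    icmp_hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = inet_checksum(icmp_hdr + payload)
    icmp = struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + icmp


def parse_icmp(raw: bytes):
    """Return (src, dst, icmp_type, payload) for an IPv4/ICMP datagram, else None.

    Datagrams that are too short, not ICMP, or fail the ICMP checksum are dropped.
    """
    if len(raw) < 28:
        return None
    ihl = (raw[0] & 0x0F) * 4
    if raw[9] != 1 or len(raw) < ihl + 8:      # protocol 1 is ICMP
        return None
    icmp = raw[ihl:]
    if inet_checksum(icmp) != 0:               # a valid ICMP message sums to zero
        return None
    src = str(ipaddress.IPv4Address(raw[12:16]))
    dst = str(ipaddress.IPv4Address(raw[16:20]))
    return src, dst, icmp[0], icmp[8:]


def matches_aa_ping(icmp_type: int, payload: bytes) -> bool:
    """Echo request with a 16-byte 0xAA run inside the first 32 payload bytes."""
    return icmp_type == 8 and AA_RUN in payload[:MATCH_DEPTH]


def summarize_sources(packets):
    """Group matching sources by their first two octets (/16).

    Returns ({"80.4": {"80.4.10.17", ...}, ...}, contiguous), where contiguous
    says whether the second octets form an unbroken run such as 4, 5, 6, 7.
    """
    by_net = defaultdict(set)
    for raw in packets:
        parsed = parse_icmp(raw)
        if parsed is None:
            continue
        src, _dst, icmp_type, payload = parsed
        if matches_aa_ping(icmp_type, payload):
            octets = src.split(".")
            by_net["%s.%s" % (octets[0], octets[1])].add(src)
    seconds = sorted(int(net.split(".")[1]) for net in by_net)
    contiguous = len(seconds) > 1 and seconds == list(range(seconds[0], seconds[-1] + 1))
    return dict(by_net), contiguous


# Constructed sample traffic: four /16s in the second octet, one with two hosts,
# plus a ping with an ordinary payload and one copy with a corrupted payload.
SAMPLE_PACKETS = [
    build_echo_request("80.%d.%d.17" % (second, host), "80.4.200.9", b"\xaa" * 64, seq=n)
    for n, (second, host) in enumerate([(4, 10), (5, 11), (6, 12), (7, 13), (5, 99)], 1)
]
SAMPLE_PACKETS.append(build_echo_request("80.4.50.50", "80.4.200.9", bytes(range(32, 64))))
CORRUPT_PACKET = bytearray(SAMPLE_PACKETS[0])
CORRUPT_PACKET[-1] ^= 0x01          # flip a payload bit without fixing the checksum
CORRUPT_PACKET = bytes(CORRUPT_PACKET)
SAMPLE_PACKETS.append(CORRUPT_PACKET)

if __name__ == "__main__":
    nets, contiguous = summarize_sources(SAMPLE_PACKETS)
    for net, hosts in sorted(nets.items()):
        print("%s.0.0/16: %d distinct source host(s)" % (net, len(hosts)))
    print("second octets form a contiguous run:", contiguous)
```

The checksum verification matters for triage: a rule that keys on payload
content alone will also fire on truncated or mangled captures, while the
grouping step shows at a glance whether "many sources" means many hosts
scattered across the ISP's address space (as the post suggests) or a few
sources repeating. On a real capture, replace SAMPLE_PACKETS with the IPv4
datagrams pulled from a pcap.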