[Snort-users] Strange ICMP traffic. Perhaps a worm?

Shane Smith shane at ...10031...
Mon Dec 15 08:05:01 EST 2003


I think that's w32.welchia...  bad news!

-Shane

----- Original Message ----- 
From: "Harry M" <harrym at ...10739...>
To: "snort-users" <snort-users at lists.sourceforge.net>
Sent: Thursday, December 11, 2003 6:00 PM
Subject: [Snort-users] Strange ICMP traffic. Perhaps a worm?


I'm getting lots of ICMP traffic that looks pretty odd to me. They are all
ping packets with a fairly strange payload:

000 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
010 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
020 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
030 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................

What makes me think this is a worm is that all the traffic is coming from
other customers of my ISP (NTL), and the source ip addresses increment very
neatly - 80.4, 80.5, 80.6, 80.7 - which looks rather like it could be a set
of machines infected by a worm that increments the subnet (2nd octect) it
targets. Although this doesn't really tally with the apparent lack of any
bytecode in the payload, I figured it could be an exploratory probe or
somesuch. The rule it's triggering is ICMP PING CyberKit 2.2 Windows
(http://www.snort.org/snort-db/sid.html?sid=483) but I find it highly
unlikely that this is the actual cause, because of the number of different
source addresses (>100).

Does anyone have any other ideas? Whatever it is, it's very strange. The
thought does occur that my ISP could be doing something sneaky, to which I'd
almost certainly object :)

I started getting traffic at  2003-12-11 20:18:33 GMT and have been getting
it ever since.

Arta



-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users







More information about the Snort-users mailing list