Incidents
Tracking down random ICMP Jan 22 2007 01:19PM
Craig Chamberlain (craig chamberlain Q1Labs com) (3 replies)
Re: Tracking down random ICMP Feb 02 2007 11:25PM
Frank Knobbe (frank knobbe us)
On Mon, 2007-01-22 at 09:19 -0400, Craig Chamberlain wrote:
> Seem to be seeing more random bursts of ICMP traffic - sometimes
> unidirectional - with remote destinations that are mostly inexplicable.
> Wondering if it's a covert control channel of some sort - if so I can
> see why they chose ICMP - often allowed through firewalls and it
> seems to be hard to determine the originating process in Windows.

The Allaple worm has been making its rounds on the Internet as of late.
It scans seemingly random IP addresses first with a customized ICMP Echo
in order to find targets that it could spread to. The payload of the
customized ping looks almost normal, except for the leading capital B
before the "abcdef..." payload.

We got Snort sigs for that at www.bleedingthreads.net

Those Allaple Pings are currently on the top of the list of scan packets
on our radar, followed by VNC scans.

Also of notice is the recent uptick in POP3/FTP/IMAP brute force
attempts. Looks like some botnet got fat enough for the herder to switch
to engage the brute-o-matic.

Cheers,
Frank

--
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
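
The check described in the message above, as an added example that is not part of the original post or of the Snort signatures it mentions: it classifies raw IPv4 packets and reports sources sending the "B"-prefixed echo request to many distinct destinations. The exact seven-byte prefix, the function names and the sample traffic are assumptions constructed for illustration.

```python
import socket
import struct
from collections import defaultdict

# Prefix described in the post: a capital "B" ahead of the usual "abcdef..." data.
# Matching exactly these seven bytes is an assumption of this example.
ALLAPLE_PREFIX = b"Babcdef"
WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"  # default Windows ping data
ICMP_PROTO, ECHO_REQUEST = 1, 8


def build_echo(src, dst, payload):
    """Constructed IPv4 + ICMP Echo Request (checksums left zero, not validated)."""
    icmp = struct.pack("!BBHHH", ECHO_REQUEST, 0, 0, 0x0200, 1) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 128,
                     ICMP_PROTO, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + icmp


def classify(packet):
    """Return 'allaple-like', 'echo' or 'ignore' for one raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "ignore"
    ihl = (packet[0] & 0x0F) * 4          # header may carry IP options
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if ihl < 20 or packet[9] != ICMP_PROTO or frag_offset:
        return "ignore"                    # later fragments have no ICMP header
    if len(packet) < ihl + 8 or packet[ihl] != ECHO_REQUEST:
        return "ignore"
    payload = packet[ihl + 8:]
    return "allaple-like" if payload.startswith(ALLAPLE_PREFIX) else "echo"


def scanning_sources(packets, min_targets=3):
    """Map source IP -> distinct destinations pinged with the flagged payload."""
    targets = defaultdict(set)
    for pkt in packets:
        if classify(pkt) == "allaple-like":
            targets[socket.inet_ntoa(pkt[12:16])].add(pkt[16:20])
    return {s: len(d) for s, d in targets.items() if len(d) >= min_targets}


# Constructed sample traffic (RFC 1918 / RFC 5737 addresses), not a real capture.
SAMPLE = [build_echo("10.0.0.5", f"198.51.100.{n}", b"B" + WINDOWS_PING)
          for n in (7, 81, 144, 203)]
SAMPLE.append(build_echo("10.0.0.9", "192.0.2.1", WINDOWS_PING))

if __name__ == "__main__":
    for src, count in scanning_sources(SAMPLE).items():
        print(f"{src}: Allaple-like echo requests to {count} distinct hosts")
```
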

