Author | Message | Time |
---|---|---|
Arta | I'm getting lots of odd ICMP traffic that looks pretty odd to me. They are all ping packets with a fairly strange payload: [code] 000 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ................ 010 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ................ 020 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ................ 030 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ................ [/code] What makes me think this is a worm is that all the traffic is coming from other customers of my ISP, and the source IP addresses increment very neatly - 80.4, 80.5, 80.6, 80.7 - which looks rather like it could be a set of machines infected by a worm that increments the subnet (2nd octet) it targets. Although this doesn't really tally with the apparent lack of any bytecode in the payload, I figured it could be an exploratory probe or somesuch. Does anyone have any other ideas? Whatever it is, it's very strange. The thought does occur that my ISP could be doing something sneaky, to which I'd almost certainly object :) I started getting traffic at 2003-12-11 20:18:33 GMT and have been getting it ever since. | December 11, 2003, 10:26 PM |
iago | If it's ICMP (that's UDP, right?) there's no guarantee those source addresses are real. What kind of volume is it coming in? | December 11, 2003, 10:54 PM |
Arta | No, ICMP is its own protocol. That's still no guarantee that the source addresses are real, but I find it pretty unlikely that they're all forged. They're too consistent. I've had ~170 packets in 3.5 hours, so not a huge amount, but enough for it to be interesting. | December 11, 2003, 11:04 PM |
iago | I thought ICMP worked the same way as UDP? Oh well, I don't really know anything about ICMP :) But maybe somebody else could shed more light on this, I have no idea | December 11, 2003, 11:19 PM |
St0rm.iD | I've heard rumours that ISPs will send strange pings/portscans to their customers to make sure they're using a real cable modem and not running a server. | December 11, 2003, 11:20 PM |
Arta | Yes, me too, but this traffic doesn't look remotely like a portscan, and I don't see how a ping could be used for that purpose. | December 11, 2003, 11:22 PM |
UserLoser. | Uh-oh, I run a Webserver on my computer & some other open ports :-\ | December 11, 2003, 11:45 PM |
iago | Good ol' dsl, I can sit here with my 130up/30down going full 24/7 and they won't care | December 11, 2003, 11:55 PM |
Newby | Heh, I've gotten lots of those forever. I think it's just my ISP. But wtf do they want from me? :P | December 12, 2003, 12:07 AM |
Grok | [quote author=St0rm.iD link=board=2;threadid=4181;start=0#msg34842 date=1071184853] I've heard rumours that ISP's will send strange pings/portscans to their customers to make sure they're using a real cable modem and not running a server. [/quote] I'd love to catch my ISP portscanning my computer so I could sue them for a few years of free service. | December 12, 2003, 1:21 AM |
Eibro | My ISP does it to me frequently. | December 12, 2003, 1:24 AM |
UserLoser. | How do you know if you're receiving things like that? | December 12, 2003, 1:24 AM |
j0k3r | Get a firewall (software I guess) or packet logger. Maybe someone can elaborate on that... | December 12, 2003, 1:35 AM |
j0k3r | I think he got down and up mixed up. | December 12, 2003, 2:38 AM |
Yoni | Back on Arta's topic: I ran a packet logger a few weeks ago for completely different purposes and saw the same thing you did. ICMP pings from spoofed(?) IPs within my ISP's subnet, all bytes set to 0xAA, once every 30-60 seconds or so. I didn't pay too much attention to it... I will check again. | December 12, 2003, 11:03 AM |
Arta | Snort is picking up these packets as traffic from some hacking tool called 'CyberKit'. | December 12, 2003, 3:16 PM |
Arta | Just started getting traffic from hosts not on my ISP's subnet. | December 13, 2003, 4:03 PM |
Arta | This is a (new?) worm: http://isc.sans.org/diary.html?date=2003-08-18 Edit: Better information here: http://vil.nai.com/vil/content/v_100559.htm Looks like I was right :) | December 13, 2003, 6:01 PM |
Newby | Holy shit. Owned. [QUOTE]... firewall log of dropped ICMP 'Ping' packets from many 68.x.x.x hosts on 12/13/2003 ...[/QUOTE] | December 13, 2003, 6:31 PM |
j0k3r | [quote]Self removal When the system clock reaches Jan 1, 2004, the worm will delete itself upon execution.[/quote] Hmm, where have we seen that before? | December 13, 2003, 6:31 PM |
Yoni | [quote author=j0k3r link=board=2;threadid=4181;start=15#msg35147 date=1071340292] [quote]Self removal When the system clock reaches Jan 1, 2004, the worm will delete itself upon execution.[/quote] Hmm, where have we seen that before? [/quote] Ah, whew. It's just Welchia. It'll be dead in 2.5 weeks. :) | December 13, 2003, 11:53 PM |
iago | This worm looked pretty thoughtful, since it deletes itself and installs patches and stuff, then it installed tftpd :( | December 14, 2003, 1:11 AM |
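The all-0xAA echo requests Arta and Yoni describe (the same payload pattern Snort attributes to CyberKit, and which Welchia uses for its host sweep) can be picked out of raw packet bytes without Snort. This is an added example, not code from the thread; it assumes raw IPv4/ICMP packets as input and uses constructed sample packets with zeroed checksums.

```python
import struct
from collections import Counter

ICMP_ECHO_REQUEST = 8   # ICMP type 8 = echo request ("ping")
IPPROTO_ICMP = 1

def build_echo(src, dst, payload):
    """Constructed test packet: minimal IPv4 header + ICMP echo request (checksums left 0)."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 1, 1) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, IPPROTO_ICMP,
                     0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + icmp

def parse_icmp(pkt):
    """Return (src_ip, icmp_type, payload) for an IPv4 packet carrying ICMP, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4                  # header length in bytes
    if pkt[9] != IPPROTO_ICMP or len(pkt) < ihl + 8:
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    return src, pkt[ihl], pkt[ihl + 8:]        # ICMP type byte, then data after the 8-byte ICMP header

def is_aa_sweep_ping(pkt):
    """True for an echo request whose entire payload is 0xAA, the pattern seen in the thread."""
    parsed = parse_icmp(pkt)
    if parsed is None:
        return False
    _, icmp_type, payload = parsed
    return icmp_type == ICMP_ECHO_REQUEST and len(payload) > 0 and payload == b"\xaa" * len(payload)

def summarize(pkts):
    """Count matching pings per source; many distinct sources hitting one host looks like a worm sweep."""
    hits = Counter()
    for pkt in pkts:
        if is_aa_sweep_ping(pkt):
            hits[parse_icmp(pkt)[0]] += 1
    return hits

if __name__ == "__main__":
    # Constructed sample: two 64-byte 0xAA pings (Welchia-style) and one ordinary ping.
    sample = [build_echo("192.0.2.4", "192.0.2.100", b"\xaa" * 64),
              build_echo("192.0.2.5", "192.0.2.100", b"abcdefgh" * 8),
              build_echo("192.0.2.6", "192.0.2.100", b"\xaa" * 64)]
    for src, n in sorted(summarize(sample).items()):
        print(f"{src}: {n} suspicious ping(s)")
```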