RE: Ping Cyberkit 2.2

["Ian Kennedy" <ian.kennedy () systemc com>]

I too had the same problem and found my hard disc space shrinking and
queries to the logs sluggish.

This link to the Smoothwall forums explains how to remove the log entries
and ignore any future hits:
http://community.smoothwall.org/forum/viewtopic.php?t=1003&highlight=icmp

Ian


-----Original Message-----
From: Karma [mailto:steve () frij com]
Sent: 12 September 2003 23:59
To: Dr Aldo Medina; security-basics () securityfocus com
Subject: Re: Ping Cyberkit 2.2


The ICMP packets from Nachi/Welchia resembles the Cyberkit packets with 64
(?) hexadecimal 'aa' as the content.

If that is the case, I wouldnt be worried. The sources are mostly spoofed,
but mostly class B

regards

Steve


----- Original Message -----
From: "Dr Aldo Medina" <aldomedina () hotpop com>
To: <security-basics () securityfocus com>
Sent: Friday, September 12, 2003 12:12 PM
Subject: Ping Cyberkit 2.2


> Since about a week, my snort logs are full of messages like this:
>
> Sep  6 12:27:56 linuxserver snort: [1:483:2] ICMP PING CyberKit 2.2
> Windows [Classification: Misc activity] [Priority: 3]: {ICMP}
> 200.95.132.194 -> 200.95.123.16
> Sep  6 12:29:23 linuxserver snort: [1:483:2] ICMP PING CyberKit 2.2
> Windows [Classification: Misc activity] [Priority: 3]: {ICMP}
> 200.95.66.113 -> 200.95.123.16Sep  6 12:31:24 linuxserver snort:
> [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity]
> [Priority: 3]: {ICMP} 200.95.132.65 -> 200.95.123.16Sep  6 12:39:01
> linuxserver snort: [1:483:2] ICMP PING CyberKit 2.2 Windows
> [Classification: Misc activity] [Priority: 3]: {ICMP} 200.95.21.229 ->
> 200.95.123.16Sep  6 12:41:52 linuxserver snort: [1:483:2] ICMP PING
> CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]:
> {ICMP} 200.95.132.88 -> 200.95.123.16Sep  6 12:45:33 linuxserver snort:
> [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity]
> [Priority: 3]: {ICMP} 200.95.132.131 -> 200.95.123.16
> Sep  6 12:48:14 linuxserver snort: [1:483:2] ICMP PING CyberKit 2.2
> Windows [Classification: Misc activity] [Priority: 3]: {ICMP}
> 200.95.129.36 -> 200.95.123.16Sep  6 12:51:10 linuxserver snort:
> [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity]
> [Priority: 3]: {ICMP} 200.95.33.116 -> 200.95.123.16
>
> Running Linux Debian Woody. Should I be worried?
>
> TIA.
>
>
>
> --------------------------------------------------------------------------
-
> Captus Networks
> Are you prepared for the next Sobig & Blaster?
>  - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
>  - Precisely Define and Implement Network Security
>  - Automatically Control P2P, IM and Spam Traffic
> FIND OUT NOW -  FREE Vulnerability Assessment Toolkit
> http://www.captusnetworks.com/ads/42.htm
> --------------------------------------------------------------------------
--
>


---------------------------------------------------------------------------
Captus Networks
Are you prepared for the next Sobig & Blaster?
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
 - Precisely Define and Implement Network Security
 - Automatically Control P2P, IM and Spam Traffic
FIND OUT NOW -  FREE Vulnerability Assessment Toolkit
http://www.captusnetworks.com/ads/42.htm
----------------------------------------------------------------------------


---------------------------------------------------------------------------
Captus Networks 
Are you prepared for the next Sobig & Blaster? 
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans 
 - Precisely Define and Implement Network Security 
 - Automatically Control P2P, IM and Spam Traffic 
FIND OUT NOW -  FREE Vulnerability Assessment Toolkit 
http://www.captusnetworks.com/ads/42.htm
----------------------------------------------------------------------------