Re: Strange pings from 127.0.0.1

[Tim Schwimer <tschwimer () hotmail com>]

In-Reply-To: <GAEPLEDFDDGJLBGAABCNKENBCMAA.gg () stober mailsnare net>

I started seeing the same thing on my DMZ segments this Friday afternoon at about 4:00pm (figures, huh??). Anyway, I 
was wondering what you found out about this. Any insight would be appreciated.
Thanks,
T
> Received: (qmail 20239 invoked from network); 14 May 2004 15:58:54 -0000
> Received: from outgoing.securityfocus.com (HELO outgoing2.securityfocus.com) (205.206.231.26)
>  by mail.securityfocus.com with SMTP; 14 May 2004 15:58:54 -0000
> Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
>       by outgoing2.securityfocus.com (Postfix) with QMQP
>       id 4018A1437B0; Fri, 14 May 2004 17:53:53 -0600 (MDT)
> Mailing-List: contact security-basics-help () securityfocus com; run by ezmlm
> Precedence: bulk
> List-Id: <security-basics.list-id.securityfocus.com>
> List-Post: <mailto:security-basics () securityfocus com>
> List-Help: <mailto:security-basics-help () securityfocus com>
> List-Unsubscribe: <mailto:security-basics-unsubscribe () securityfocus com>
> List-Subscribe: <mailto:security-basics-subscribe () securityfocus com>
> Delivered-To: mailing list security-basics () securityfocus com
> Delivered-To: moderator for security-basics () securityfocus com
> Received: (qmail 13781 invoked from network); 13 May 2004 21:45:06 -0000
> From: "Marc" <gg () stober mailsnare net>
> To: <security-basics () securityfocus com>
> Subject: Strange pings from 127.0.0.1
> Date: Thu, 13 May 2004 23:55:35 -0400
> Message-ID: <GAEPLEDFDDGJLBGAABCNKENBCMAA.gg () stober mailsnare net>
> MIME-Version: 1.0
> Content-Type: text/plain;
>       charset="iso-8859-1"
> Content-Transfer-Encoding: 7bit
> X-Priority: 3 (Normal)
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook IMO, Build 9.0.6604 (9.0.2911.0)
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
> Importance: Normal
>
>
> The networked applications I am responsbile for have been performing slowly.
> When I tried to run Ethereal on my computer, I found some odd ICMP echo
> request (ping) packets with a source IP of 127.0.01, to addresses both
> within our 192.168.1.* network as well as to random Internet addresses. The
> source and destination Mac addresses aren't anything I can associate with a
> computer on our network (and they're not the real Mac address of my
> computer), so I think maybe these packets are spoofed? Could this be some
> sort of virus or DOS attack somewhere within our network? I've haven't seen
> anything quite like this mentioned online anywhere.
>
> Thanks, Marc
>
>
> ---------------------------------------------------------------------------
> Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
> any course! All of our class sizes are guaranteed to be 10 students or less 
> to facilitate one-on-one interaction with one of our expert instructors. 
> Attend a course taught by an expert instructor with years of in-the-field 
> pen testing experience in our state of the art hacking lab. Master the skills 
> of an Ethical Hacker to better assess the security of your organization. 
> Visit us at: 
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> ----------------------------------------------------------------------------

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------