Security Incidents mailing list archives

Re: [Snort-users] 13 instances of ping bsd


From: John Pettitt <jpp () CLOUDVIEW COM>
Date: Tue, 28 Nov 2000 13:45:10 -0800

I had the same thing yesterday:

Nov 27 18:36:48 gatekeeper snort[28923]: IDS152 - PING BSD: 208.185.109.130 -> 216.103.77.155
Nov 27 18:36:48 gatekeeper snort[28923]: IDS152 - PING BSD: 64.41.192.103 -> 216.103.77.155
Nov 27 18:36:48 gatekeeper snort[28923]: IDS152 - PING BSD: 207.235.98.194 -> 216.103.77.155
Nov 27 18:36:48 gatekeeper snort[28923]: IDS152 - PING BSD: 206.190.24.162 -> 216.103.77.155
Nov 27 18:36:48 gatekeeper snort[28923]: IDS152 - PING BSD: 63.140.72.3 -> 216.103.77.155
Nov 27 18:36:48 gatekeeper snort[28923]: IDS152 - PING BSD: 206.63.151.4 -> 216.103.77.155
Nov 27 18:36:49 gatekeeper snort[28923]: IDS152 - PING BSD: 64.67.26.194 -> 216.103.77.155
Nov 27 18:36:49 gatekeeper snort[28923]: IDS152 - PING BSD: 216.219.241.162 -> 216.103.77.155
Nov 27 18:36:49 gatekeeper snort[28923]: IDS152 - PING BSD: 208.185.54.14 -> 216.103.77.155
Nov 27 18:36:49 gatekeeper snort[28923]: IDS152 - PING BSD: 203.166.49.226 -> 216.103.77.155
Nov 27 18:36:50 gatekeeper snort[28923]: IDS152 - PING BSD: 200.194.68.4 -> 216.103.77.155
Nov 27 18:36:50 gatekeeper snort[28923]: IDS152 - PING BSD: 203.197.173.129 -> 216.103.77.155
Nov 27 18:36:50 gatekeeper snort[28923]: IDS152 - PING BSD: 202.54.111.72 -> 216.103.77.155

In fact yesterday was a busy day for this kind of stuff:

Nov 27 20:44:40 gatekeeper snort[28923]: MISC-WinGate-8080-Attempt: 24.162.235.165:3797 -> 216.103.77.155:8080
Nov 27 20:44:40 gatekeeper snort[28923]: MISC-WinGate-8080-Attempt: 24.162.235.165:3798 -> 216.103.77.156:8080
Nov 27 20:44:40 gatekeeper snort[28923]: MISC-WinGate-8080-Attempt: 24.162.235.165:3797 -> 216.103.77.155:8080
Nov 27 20:44:40 gatekeeper snort[28923]: MISC-WinGate-8080-Attempt: 24.162.235.165:3798 -> 216.103.77.156:8080
Nov 27 20:44:41 gatekeeper snort[28923]: MISC-WinGate-8080-Attempt: 24.162.235.165:3797 -> 216.103.77.155:8080
Nov 27 20:44:41 gatekeeper snort[28923]: MISC-WinGate-8080-Attempt: 24.162.235.165:3798 -> 216.103.77.156:8080
Nov 27 21:15:45 gatekeeper snort[28923]: IIS vti_inf access attempt: 63.74.117.66:11289 -> 216.103.77.155:80
Nov 27 21:15:47 gatekeeper snort[28923]: FrontPage-shtml.exe: 63.74.117.66:11290 -> 216.103.77.155:80
Nov 27 21:15:48 gatekeeper snort[28923]: IIS vti_inf access attempt: 63.74.117.66:11291 -> 216.103.77.155:80
Nov 27 21:15:49 gatekeeper snort[28923]: FrontPage-shtml.exe: 63.74.117.66:11292 -> 216.103.77.155:80
Nov 27 21:32:43 gatekeeper snort[28923]: IDS152 - PING BSD: 208.185.109.130 -> 216.103.77.155
Nov 27 21:32:43 gatekeeper snort[28923]: IDS152 - PING BSD: 63.251.235.226 -> 216.103.77.155
Nov 27 21:32:43 gatekeeper snort[28923]: IDS152 - PING BSD: 64.94.206.66 -> 216.103.77.155
Nov 27 21:32:43 gatekeeper snort[28923]: IDS152 - PING BSD: 216.52.110.66 -> 216.103.77.155
Nov 27 21:32:43 gatekeeper snort[28923]: IDS152 - PING BSD: 63.251.167.2 -> 216.103.77.155
Nov 27 21:32:43 gatekeeper snort[28923]: IDS152 - PING BSD: 63.251.120.2 -> 216.103.77.155
Nov 27 21:32:43 gatekeeper snort[28923]: IDS152 - PING BSD: 193.214.57.194 -> 216.103.77.155
Nov 27 21:32:44 gatekeeper snort[28923]: IDS152 - PING BSD: 212.73.220.2 -> 216.103.77.155
Nov 27 21:32:44 gatekeeper snort[28923]: IDS152 - PING BSD: 209.83.178.130 -> 216.103.77.155
Nov 27 21:32:44 gatekeeper snort[28923]: IDS152 - PING BSD: 63.209.37.11 -> 216.103.77.155
Nov 27 21:32:44 gatekeeper snort[28923]: IDS152 - PING BSD: 64.94.163.226 -> 216.103.77.155
Nov 27 21:32:45 gatekeeper snort[28923]: IDS152 - PING BSD: 63.251.159.2 -> 216.103.77.155
Nov 27 21:32:45 gatekeeper snort[28923]: IDS152 - PING BSD: 200.53.184.66 -> 216.103.77.155



At 06:51 AM 11/28/2000, Al Huger - Mail Account wrote:


Alfred Huger
VP Engineering
SecurityFocus.com

On Tue, 28 Nov 2000, Mark Rowlands wrote:

> [**] IDS152 - PING BSD [**]
> 11/27-22:49:21.777738 0:80:C8:56:FB:5 -> 0:10:4B:B6:F1:7B type:0x800 len:0x62
> 203.197.173.129 -> 62.5.7.17 ICMP TTL:56 TOS:0x0 ID:55074
> ID:23472   Seq:51862  ECHO
> 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17  ................
> 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27  ........ !"#$%&'
> 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37  ()*+,-./01234567
> 38 39 3A 3B 3C 3D 3E 3F                          89:;<=>?
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> Hi folks, got 13 of these within millisecs of each other, all different IPs
> but apparently the same MAC address... None of the addresses have shown up
> before or since. Any thoughts?
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> http://lists.sourceforge.net/mailman/listinfo/snort-users
>


I am not sure if this matches, but Andre Kajita had the exact same thing (well,
not exactly, but *really* close) and reported it to the Incidents list:

http://www.securityfocus.com/archive/75/147134



John Pettitt                                     Email: jpp () cloudview com

The 3 stages of man:
He believes in Santa Claus.
He doesn't believe in Santa Claus.
He is Santa Claus.

PGP keys on MIT & pgp.com servers.
Fingerprint: 81B5 446D 3E0E 1CDE 5A45  644A A744 54C4 7886 3658
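Added example, not code from the thread: a small Python triage script that parses the syslog-style Snort alerts shown above and reports when one signature fires from many distinct sources against one host within a few seconds, which is the pattern both posters saw (13 PING BSD alerts inside two seconds). The five-second window and three-source threshold are assumed tuning values; the sample lines are a subset copied from the post above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Syslog form Snort wrote here: "<date> <host> snort[pid]: <sig>: <src>[:port] -> <dst>[:port]"
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ snort\[\d+\]: (?P<sig>.+?): "
    r"(?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?$"
)

# Sample input: a subset of the alert lines quoted in the post above.
SAMPLE = """\
Nov 27 18:36:48 gatekeeper snort[28923]: IDS152 - PING BSD: 208.185.109.130 -> 216.103.77.155
Nov 27 18:36:48 gatekeeper snort[28923]: IDS152 - PING BSD: 64.41.192.103 -> 216.103.77.155
Nov 27 18:36:49 gatekeeper snort[28923]: IDS152 - PING BSD: 64.67.26.194 -> 216.103.77.155
Nov 27 18:36:50 gatekeeper snort[28923]: IDS152 - PING BSD: 202.54.111.72 -> 216.103.77.155
Nov 27 20:44:40 gatekeeper snort[28923]: MISC-WinGate-8080-Attempt: 24.162.235.165:3797 -> 216.103.77.155:8080
Nov 27 21:32:43 gatekeeper snort[28923]: IDS152 - PING BSD: 208.185.109.130 -> 216.103.77.155
"""

def parse(lines, year=2000):
    """Yield (timestamp, signature, src, dst); syslog omits the year, so it is supplied."""
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["sig"], m["src"], m["dst"]

def bursts(events, window=5, min_sources=3):
    """Cluster alerts per (signature, destination) by time gap; return the clusters
    with at least min_sources distinct sources as (sig, dst, start, sorted sources)."""
    by_key = defaultdict(list)
    for ts, sig, src, dst in events:
        by_key[(sig, dst)].append((ts, src))
    found = []
    for (sig, dst), evs in by_key.items():
        evs.sort()
        cluster = [evs[0]]
        for ev in evs[1:] + [None]:  # trailing None flushes the last cluster
            if ev and (ev[0] - cluster[-1][0]).total_seconds() <= window:
                cluster.append(ev)
                continue
            srcs = sorted({s for _, s in cluster})
            if len(srcs) >= min_sources:
                found.append((sig, dst, cluster[0][0], srcs))
            cluster = [ev] if ev else []
    return sorted(found, key=lambda f: f[2])
```

Run `bursts(parse(open("/var/log/messages")))` (path assumed) to get the same clusters from a live syslog file; single-source scans such as the WinGate probes above fall below the source threshold and are not reported.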

