Security Incidents mailing list archives

[no subject]


From: "Osvaldo J. Filho" <osvaldojaneri () UOL COM BR>
Date: Fri, 16 Feb 2001 16:44:21 -0200

The Napster Linux Client (console tool, with closed source) sends an
ICMP request to every user that matches a SEARCH query, and reports the
least 'distant' users. I don't have it here to check the kind of ICMP,
but it looks like a simple ping.


Cheers,
Osvaldo

On Thu, 15 Feb 2001, Stephen P. Berry wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Rod Longanilla writes:

I'm still watching and recording the alerts until it can be absolutely
proven these particular alerts are just false positives.  So if anyone has
further information what can possibly be generating these, please
post/reply.

I've also seen lots of these in the past 200 Ksec or so, and all of
them appear to be Napster-related.  A couple of features:

      -Only one network that I'm currently watching has Napster
       lusers.  It is the only network seeing the ICMP traffic in
       question.

      -All of the ICMP traffic is directed at a single IP address:
       The address of the NAT device behind which all of the Napster
       lusers live.

              If this was some evildoer looking for compromised machines,
              I'd expect to see multiple IP addresses.
              Since none of the ICMP traffic is reaching any desktop
              machines, it cannot be communication between an evildoer
              and a compromised box or boxen[0].

      -There appears to be a strong correlation between the ICMP
       traffic and Napster sessions

              I've spot checked maybe a dozen of the couple thousand
              `hits' I've gotten recently, and it appears that in
              all of them the offending ICMP packet is part of
              the normal Napster client session setup.


Interestingly, not all Napster clients appear to exhibit this behaviour
(for example, I've never seen any of the internal Napster clients sending
this sort of traffic).  Anyone know exactly which client sends these
distinctive ICMP packets?  My analyst spidey sense tingles whenever
I see something like this---namely distinctive behaviour in a client mirroring
conventions first seen in script kiddie tools.  And this is exacerbated
by the fact that I've seen a bunch of bogus traffic[1] inserted into the
middle of otherwise innocuous Napster sessions.

I haven't seen any overt nastiness directly correlated to any of this
ICMP traffic, but I'd still be quite interested to see some sort of
definitive[2] statement about what's causing it.


- -Steve
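As an added illustration of the two checks Steve describes (a single ICMP target versus many, and ICMP that lines up in time with a Napster session), the following script is not code from this thread; it runs both checks over a constructed sensor log. The log layout, the NAT external address 203.0.113.10, the peer addresses and the use of TCP port 6699 as the Napster marker are all assumptions.

```python
from collections import namedtuple
from datetime import datetime

# Constructed sample log (not from the thread). Fields: timestamp, protocol,
# source, destination, destination port ('-' for ICMP). 203.0.113.10 stands in
# for the NAT's external address; 198.51.100.x are assumed Napster peers.
SAMPLE_LOG = """\
2001-02-15T10:00:01 tcp 198.51.100.7 203.0.113.10 6699
2001-02-15T10:00:03 icmp-echo 198.51.100.7 203.0.113.10 -
2001-02-15T10:02:10 tcp 203.0.113.10 198.51.100.22 6699
2001-02-15T10:02:12 icmp-echo 198.51.100.22 203.0.113.10 -
2001-02-15T11:30:00 icmp-echo 192.0.2.99 203.0.113.10 -
"""

NAPSTER_PORT = "6699"  # assumed marker for Napster data connections

Record = namedtuple("Record", "ts proto src dst dport")


def parse_log(text):
    """Turn the whitespace-separated log lines into Record tuples."""
    records = []
    for line in text.splitlines():
        ts, proto, src, dst, dport = line.split()
        records.append(Record(datetime.fromisoformat(ts), proto, src, dst, dport))
    return records


def triage_icmp(records, window_s=30):
    """Apply the thread's two heuristics to the ICMP echo requests in the log.

    Returns the number of distinct ICMP targets, and which echo requests have a
    Napster flow with the same peer (either direction) within window_s seconds.
    """
    pings = [r for r in records if r.proto == "icmp-echo"]
    napster = [r for r in records if r.proto == "tcp" and r.dport == NAPSTER_PORT]
    explained, unexplained = [], []
    for p in pings:
        related = any(
            {f.src, f.dst} == {p.src, p.dst}
            and abs((f.ts - p.ts).total_seconds()) <= window_s
            for f in napster
        )
        (explained if related else unexplained).append(p.src)
    return {
        "targets": len({p.dst for p in pings}),
        "explained": explained,
        "unexplained": unexplained,
    }


if __name__ == "__main__":
    print(triage_icmp(parse_log(SAMPLE_LOG)))
```

A single target with every echo request explained by a nearby Napster flow matches the benign client behaviour described above; sources in `unexplained`, or echo requests spread over many internal addresses, are the ones worth a closer look.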

