Security Incidents mailing list archives
RE: ICMP Help
From: "W Shawn Falconbury" <shawn () wyetech net>
Date: Thu, 28 Jun 2001 15:15:54 -0500
We were hit with an ICMP flood attack earlier this week. I was able to trace the attack back to a couple of bots programmed to exploit a known Windows IIS hole and set up house-keeping on a zombie, after which it starts generating ICMP floods to what seem like random IP addresses.

6/27/2001 9:16:42 PM.4157
0000: 21 45 00 00 38 00 00 00 00 FA 01 1C 9C 9D 82 44 !E..8....ú..D
0010: 09 D8 4C EA 50 03 01 B6 D1 00 00 00 00 45 00 00 .ØLêP..¶Ñ....E..
0020: 30 18 53 40 00 7B 06 AE 1F D8 4C EA 50 D9 93 9D 0.S@.{.®.ØLêPÙ
0030: 24 08 BA 00 50 7B 36 C1 EC $.º.P{6Áì

6/27/2001 9:16:42 PM.4357
0000: 21 45 00 00 38 00 00 00 00 FA 01 D7 DF 3F 7A E6 !E..8....ú.×ß?zæ
0010: CD D8 4C EA 50 03 01 13 63 00 00 00 00 45 00 00 ÍØLêP...c....E..
0020: 30 18 54 40 00 7B 06 86 EC D8 4C EA 50 6A 86 33 0.T@.{.ìØLêPj3
0030: 64 08 B7 00 50 7B 34 65 60 d.·.P{4e`

6/27/2001 9:16:42 PM.4858
0000: 21 45 00 00 38 00 00 00 00 FA 01 1C 9C 9D 82 44 !E..8....ú..D
0010: 09 D8 4C EA 50 03 01 79 CF 00 00 00 00 45 00 00 .ØLêP..yÏ....E..
0020: 30 18 58 40 00 7B 06 3B 97 D8 4C EA 50 6E B1 7A 0.X@.{.;ØLêPn±z
0030: 8A 08 BE 00 50 7B 39 FE E7 .¾.P{9þç

6/27/2001 9:16:42 PM.5158
0000: 21 45 00 00 38 00 00 00 00 FA 01 1C 9C 9D 82 44 !E..8....ú..D
0010: 09 D8 4C EA 50 03 01 7F 39 00 00 00 00 45 00 00 .ØLêP..9....E..
0020: 30 18 5B 40 00 7B 06 A5 85 D8 4C EA 50 36 DA 48 0.[@.{.¥ ØLêP6ÚH
0030: 70 08 EB 00 50 7B 5A F9 2F p.ë.P{Zù/

6/27/2001 9:16:42 PM.5259
0000: 21 45 00 00 38 00 00 00 00 FA 01 1C 9C 9D 82 44 !E..8....ú..D
0010: 09 D8 4C EA 50 03 01 EF FD 00 00 00 00 45 00 00 .ØLêP..ïý....E..
0020: 30 18 5A 40 00 7B 06 A3 4C D8 4C EA 50 DA 5A A7 0.Z@.{.£LØLêPÚZ§
0030: 29 08 F4 00 50 7B 61 88 5B ).ô.P{a[

I do have the bots if anyone wants to check them out.

W. Shawn Falconbury
MIS Director
Wyetech Inc.
shwn () wyetech net
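Added example, not part of the original message: a Python decoder for dumps like the ones above, reading the outer IPv4 and ICMP headers, the original datagram header that an ICMP error quotes in its payload, and validating the checksums. The sample bytes are the first packet from the post; treating the leading 0x21 as a one-byte link-layer prefix is an assumption, and the function names are illustrative.

```python
import socket
import struct

# First packet from the post's dump, copied byte for byte (57 bytes).
SAMPLE_HEX = (
    "21 45 00 00 38 00 00 00 00 FA 01 1C 9C 9D 82 44"
    " 09 D8 4C EA 50 03 01 B6 D1 00 00 00 00 45 00 00"
    " 30 18 53 40 00 7B 06 AE 1F D8 4C EA 50 D9 93 9D"
    " 24 08 BA 00 50 7B 36 C1 EC"
)

def checksum_ok(data: bytes) -> bool:
    """RFC 1071: a region that includes its own checksum sums to 0xFFFF."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def parse_ipv4(buf: bytes) -> dict:
    """Decode the fixed IPv4 header fields used for triage."""
    ihl = (buf[0] & 0x0F) * 4 if buf else 0
    if not buf or buf[0] >> 4 != 4 or not 20 <= ihl <= len(buf):
        raise ValueError("not a complete IPv4 header")
    total_len, = struct.unpack("!H", buf[2:4])
    return {"ihl": ihl, "total_len": total_len, "ttl": buf[8], "proto": buf[9],
            "src": socket.inet_ntoa(buf[12:16]), "dst": socket.inet_ntoa(buf[16:20]),
            "checksum_ok": checksum_ok(buf[:ihl])}

def parse_icmp_error(frame: bytes, link_prefix: int = 1) -> dict:
    """Decode an ICMP error and the original datagram header it quotes."""
    ip = frame[link_prefix:]          # assumption: 1-byte link-layer prefix (0x21)
    outer = parse_ipv4(ip)
    if outer["proto"] != 1:
        raise ValueError("outer packet is not ICMP")
    icmp = ip[outer["ihl"]:outer["total_len"]]
    if len(icmp) < 8 + 20:
        raise ValueError("ICMP message too short to quote an IP header")
    result = {"outer": outer, "type": icmp[0], "code": icmp[1],
              "icmp_checksum_ok": checksum_ok(icmp)}
    result["quoted"] = inner = parse_ipv4(icmp[8:])   # header of the datagram that failed
    l4 = icmp[8 + inner["ihl"]:]
    if inner["proto"] in (6, 17) and len(l4) >= 4:    # TCP/UDP: ports come first
        result["sport"], result["dport"] = struct.unpack("!HH", l4[:4])
    return result

if __name__ == "__main__":
    print(parse_icmp_error(bytes.fromhex(SAMPLE_HEX)))
```

Comparing the quoted header's source with the outer packet's destination shows which host sent the datagram that triggered each ICMP message.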