Security Incidents mailing list archives
RE: Ping Scan
From: "Fernando Cardoso" <fernando.cardoso () whatevernet com>
Date: Mon, 17 Sep 2001 09:32:11 +0100
I don't think you should be looking for a ping scan tool. From the data you sent, it seems that the box x.x.x.x tried to connect to 202.46.194.5 on port TCP 32165 and, since that host doesn't exist/is not alive, you get the ICMP Unreachable issued from 204.255.169.37 (some router in the way).

The question is, was the first packet x.x.x.x:23547 -> 202.46.194.5:32165 really originated from your network? If not, maybe someone is using x.x.x.x as a zombie host for doing idlescans for 202.46.194.5.

Just my .02 Euros

Fernando

--
Fernando Cardoso - Security Consultant
WhatEverNet Computing, S.A.      Phone : +351 21 7994200
Praca de Alvalade, 6 - Piso 6    Fax   : +351 21 7994242
1700-036 Lisboa - Portugal       email : fernando.cardoso () whatevernet com
http://www.whatevernet.com/
Greetings,

can anyone identify the following Ping Scan tool? I usually get a few of those 'ICMP unreachables' (supposedly coming from some IPs that don't exist/don't have servers). However, over the last few days I've seen a drastic increase. Anyone seeing the same?

Regards,
Frank

[**] Ping Scan [**]
09/14-21:42:32.798231 204.255.169.37 -> x.x.x.x
ICMP TTL:247 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3 Code:1 DESTINATION UNREACHABLE: HOST UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
x.x.x.x:23547 -> 202.46.194.5:32165
TCP TTL:188 TOS:0x8 ID:30922 IpLen:20 DgmLen:40
Seq: 0x74832EB6 Ack: 0x10BDC00C
** END OF DUMP
00 00 00 00 45 08 00 28 78 CA 40 00 BC 06 78 CA  ....E..(x.@...x.
xx xx xx xx CA 2E C2 05 5B FB 7D A5 74 83 2E B6  Aj......[.}.t...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
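Added example, not part of the original messages: a Python decoder for the datagram quoted inside the ICMP unreachable, followed by a check of the quoted TCP 4-tuple against local egress records, which is one way to establish whether that packet really left the network. The stand-in source address 192.0.2.10, the EGRESS records and the function names are constructed for illustration.

```python
import ipaddress
import struct

# Payload bytes from the alert above. The four "xx" bytes are the redacted
# source address; 192.0.2.10 is a constructed stand-in (assumption).
DUMP = """
00 00 00 00 45 08 00 28 78 CA 40 00 BC 06 78 CA
xx xx xx xx CA 2E C2 05 5B FB 7D A5 74 83 2E B6
"""
STAND_IN_SRC = "192.0.2.10"

# Constructed egress records; in practice these come from border flow or
# firewall logs covering the time of the alert.
EGRESS = [
    {"src": "192.0.2.10", "sport": 1045, "dst": "198.51.100.7", "dport": 80},
    {"src": "192.0.2.10", "sport": 1046, "dst": "198.51.100.7", "dport": 443},
]

def parse_icmp_quote(dump, redacted_src=STAND_IN_SRC):
    """Decode the IPv4 header and first 8 TCP bytes quoted in an ICMP error."""
    fill = iter(ipaddress.IPv4Address(redacted_src).packed)
    raw = bytes(next(fill) if t.lower() == "xx" else int(t, 16)
                for t in dump.split())
    ip = raw[4:]  # skip the 4 unused bytes that end the ICMP header
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("no IPv4 header in quoted data")
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl + 8:
        raise ValueError("quoted data is truncated")
    tos, length, ident, _frag, ttl, proto = struct.unpack("!xBHHHBB", ip[:10])
    if proto != 6:
        raise ValueError("quoted datagram is not TCP")
    sport, dport, seq = struct.unpack("!HHI", ip[ihl:ihl + 8])
    return {"src": str(ipaddress.IPv4Address(ip[12:16])),
            "dst": str(ipaddress.IPv4Address(ip[16:20])),
            "sport": sport, "dport": dport, "seq": seq,
            "ttl": ttl, "tos": tos, "id": ident, "len": length}

def seen_leaving(quote, flows):
    """True if a local egress record matches the quoted TCP 4-tuple."""
    key = (quote["src"], quote["sport"], quote["dst"], quote["dport"])
    return any((f["src"], f["sport"], f["dst"], f["dport"]) == key
               for f in flows)

if __name__ == "__main__":
    q = parse_icmp_quote(DUMP)
    print(q)
    print("matching egress record:", seen_leaving(q, EGRESS))
```

The decoded fields agree with the ORIGINAL DATAGRAM DUMP lines of the alert, and with these constructed records no egress entry matches the quoted 4-tuple.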