Security Incidents mailing list archives

RE: Ping Scan


From: "Fernando Cardoso" <fernando.cardoso () whatevernet com>
Date: Mon, 17 Sep 2001 09:32:11 +0100

I don't think you should be looking for a ping scan tool. From the data you
sent, it seems that the box x.x.x.x tried to connect to 202.46.194.5 on port
TCP 32165 and, since that host doesn't exist/is not alive, you get the ICMP
Unreachable issued from 204.255.169.37 (some router in the way).

The question is, did the first packet x.x.x.x:23547 -> 202.46.194.5:32165
really originate from your network? If not, maybe someone is using x.x.x.x
as a zombie host for doing idlescans for 202.46.194.5.

Just my .02 Euros

Fernando

--
Fernando Cardoso - Security Consultant       WhatEverNet Computing, S.A.
Phone : +351 21 7994200                      Praca de Alvalade, 6 - Piso 6
Fax   : +351 21 7994242                      1700-036 Lisboa - Portugal
email : fernando.cardoso () whatevernet com     http://www.whatevernet.com/
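Fernando's point, that the header worth looking at is the one quoted inside the ICMP message, worked through as an added example (not code from this thread): the Python below decodes the hex dump from the Snort alert Frank posted, recovers the embedded IP and TCP fields, and tells the analyst whether the quoted source address is one of ours and so needs to be confirmed against egress or flow logs. The 10.0.0.0/24 "local" network and the 10.0.0.1 stand-in for the masked x.x.x.x octets are assumptions.

```python
import ipaddress
import struct

# Hex dump copied from the Snort alert in Frank's message; the masked
# "xx xx xx xx" source octets are replaced by the constructed placeholder 10.0.0.1.
SNORT_HEX = (
    "00 00 00 00 45 08 00 28 78 CA 40 00 BC 06 78 CA "
    "0A 00 00 01 CA 2E C2 05 5B FB 7D A5 74 83 2E B6"
)
OUR_NETS = [ipaddress.ip_network("10.0.0.0/24")]  # constructed local address space


def parse_icmp_unreachable_payload(hexdump):
    """Decode the datagram quoted inside an ICMP Destination Unreachable.

    After the ICMP type/code/checksum, the body carries 4 unused bytes, the
    original IP header (20 bytes) and the first 8 bytes of its transport
    header (RFC 792). Snort's dump starts at those 4 unused bytes.
    """
    data = bytes.fromhex(hexdump.replace(" ", ""))
    _ver_ihl, tos, length, ip_id, _flags, ttl, proto, _csum = struct.unpack(
        "!BBHHHBBH", data[4:16])
    sport, dport, seq = struct.unpack("!HHI", data[24:32])
    return {
        "src": ipaddress.ip_address(data[16:20]),
        "dst": ipaddress.ip_address(data[20:24]),
        "ttl": ttl, "tos": tos, "ip_id": ip_id, "len": length,
        "proto": proto, "sport": sport, "dport": dport, "seq": seq,
    }


def triage(hexdump, our_nets):
    """Whose packet is the router complaining about, and did it leave here?"""
    inner = parse_icmp_unreachable_payload(hexdump)
    if inner["proto"] != 6:
        return "not-tcp", inner
    if not any(inner["src"] in net for net in our_nets):
        return "foreign-source", inner  # unreachable about someone else's packet
    # The quoted source is ours: either a host here really sent that segment,
    # or a third party spoofed our address (e.g. using the host as an idle-scan
    # zombie). Only egress/flow logs for src:sport -> dst:dport can settle it;
    # the quoted TTL, TOS and IP ID can also be compared with what that host emits.
    return "verify-egress", inner
```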



Greetings,

can anyone identify the following Ping Scan tool?

I usually get a few of those 'ICMP unreachables' (supposedly coming from
some IPs that don't exist/don't have servers). However, over the
last few days I've seen a drastic increase. Anyone seeing the same?

Regards,
Frank


[**] Ping Scan [**]
09/14-21:42:32.798231 204.255.169.37 -> x.x.x.x
ICMP TTL:247 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:1  DESTINATION UNREACHABLE: HOST UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
x.x.x.x:23547 -> 202.46.194.5:32165
TCP TTL:188 TOS:0x8 ID:30922 IpLen:20 DgmLen:40
Seq: 0x74832EB6  Ack: 0x10BDC00C
** END OF DUMP
00 00 00 00 45 08 00 28 78 CA 40 00 BC 06 78 CA  ....E..(x.@...x.
xx xx xx xx CA 2E C2 05 5B FB 7D A5 74 83 2E B6  Aj......[.}.t...


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com





