Security Incidents mailing list archives
Re: Odd windows ICMP... any ideas what this is?
From: Ryan Yagatich <ryany () pantek com>
Date: Mon, 9 Jun 2003 13:39:26 -0400 (EDT)
Although it may not be directly related, wasn't there some chat server written some time ago that distributed its text through icmp? If so, Could this be a deviation of this maybe testing the destination to see if it can accept such packets so that it could transmit other data? Thanks, Ryan Yagatich ,_____________________________________________________, \ Ryan Yagatich support () pantek com \ / Pantek Incorporated (877) LINUX-FIX / \ http://www.pantek.com/security (440) 519-1802 \ / Are your networks secure? Are you certain? / \___E48BF0689E4F349D237D621CEAAD45E3C313A99DBB8BA16F___\ On Mon, 9 Jun 2003, ted klugman wrote:
Our IDS has been reporting some large ICMP packets on our internal network. Our internal network is a Windows2000 domain -- servers and clients. - Packet size is always 2090 bytes - Almost always sent from a client or member server to one of the two boxes running Active Directory - The ping payload itself is actually a JPEG of the Microsoft logo. This JPEG can actually be found inside userenv.dll. I googled for any details, and I see that others have run into this before. However, there were no answers, just questions. See these two links for identical packets: http://archives.neohapsis.com/archives/linux/debian/2002-q4/0658.html http://cert.uni-stuttgart.de/archive/debian/security/2002/11/msg00222.html Anyone else seen these? Any idea what's causing them? Is this 'normal' behavior on a W2K network? Other than the fact that they are relatively large ICMP packets, they don't appear to be malicious in any way. There is no other malicious traffic seen on our network. TIA. -TedK __________________________________ Do you Yahoo!? Yahoo! Calendar - Free online calendar with sync to Outlook(TM). http://calendar.yahoo.com ---------------------------------------------------------------------------- ----------------------------------------------------------------------------
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Odd windows ICMP... any ideas what this is? ted klugman (Jun 09)
- Re: Odd windows ICMP... any ideas what this is? Ryan Yagatich (Jun 10)
- Re: Odd windows ICMP... any ideas what this is? Raistlin (Jun 16)
- Re: Odd windows ICMP... any ideas what this is? Mika Boström (Jun 10)
- RE: Odd windows ICMP... any ideas what this is? Eugene Borukhovich (Jun 10)
- <Possible follow-ups>
- Re: Odd windows ICMP... any ideas what this is? Jonathan Clark (Jun 10)
- Re: Odd windows ICMP... any ideas what this is? Ryan Yagatich (Jun 10)