Security Incidents mailing list archives

Re: Odd windows ICMP... any ideas what this is?


From: Ryan Yagatich <ryany () pantek com>
Date: Mon, 9 Jun 2003 13:39:26 -0400 (EDT)


Although it may not be directly related, wasn't there some chat
server written some time ago that distributed its text through ICMP?
If so, could this be a deviation of this, maybe testing the
destination to see if it can accept such packets so that it could transmit
other data?


Thanks,
Ryan Yagatich

,_____________________________________________________,
\ Ryan Yagatich                     support () pantek com \
/ Pantek Incorporated                  (877) LINUX-FIX /
\ http://www.pantek.com/security        (440) 519-1802 \
/       Are your networks secure? Are you certain?     /
\___E48BF0689E4F349D237D621CEAAD45E3C313A99DBB8BA16F___\

On Mon, 9 Jun 2003, ted klugman wrote:

Our IDS has been reporting some large ICMP packets on
our internal network. Our internal network is a
Windows 2000 domain -- servers and clients.

- Packet size is always 2090 bytes
- Almost always sent from a client or member server to
one of the two boxes running Active Directory
- The ping payload itself is actually a JPEG of the
Microsoft logo. This JPEG can actually be found inside
userenv.dll.

I googled for any details, and I see that others have
run into this before. However, there were no answers,
just questions. See these two links for identical
packets:

http://archives.neohapsis.com/archives/linux/debian/2002-q4/0658.html

http://cert.uni-stuttgart.de/archive/debian/security/2002/11/msg00222.html


Anyone else seen these? Any idea what's causing them?
Is this 'normal' behavior on a W2K network?

Other than the fact that they are relatively large
ICMP packets, they don't appear to be malicious in any
way. There is no other malicious traffic seen on our
network.

TIA.

-TedK

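As an added triage example (not code from this thread or from either poster), the following Python parser applies the checks Ted describes to a raw IPv4/ICMP packet: it verifies the ICMP checksum, measures the echo payload, and notes whether the payload begins with a JPEG start-of-image marker, so large echoes carrying image data can be told apart from large echoes carrying opaque data. The 2090-byte sample packet, the 1024-byte "large" threshold and the IP addresses are constructed assumptions for the demonstration.

```python
import struct

JPEG_SOI = b"\xff\xd8\xff"      # every JPEG begins with this start-of-image marker
LARGE_PAYLOAD = 1024            # assumed triage threshold for a "large" echo payload

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum, shared by the IPv4 header and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(payload: bytes, src=b"\x0a\x00\x00\x05", dst=b"\x0a\x00\x00\x01") -> bytes:
    """Constructed IPv4 echo request (ICMP type 8) for testing; not a real capture."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", ones_complement_sum(icmp)) + icmp[4:]
    total_len = 20 + len(icmp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 128, 1, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return ip + icmp

def triage_icmp(packet: bytes) -> dict:
    """Parse a raw IPv4 packet and summarise any ICMP echo it carries."""
    if packet[0] >> 4 != 4 or packet[9] != 1:
        return {"verdict": "not-ipv4-icmp"}
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:struct.unpack("!H", packet[2:4])[0]]
    icmp_type, payload = icmp[0], icmp[8:]   # echo header: type, code, checksum, id, seq
    result = {
        "icmp_type": icmp_type,
        "packet_len": len(packet),
        "payload_len": len(payload),
        "checksum_ok": ones_complement_sum(icmp) == 0,   # a valid checksum sums to zero
        "looks_like_jpeg": payload.startswith(JPEG_SOI),
    }
    if icmp_type not in (0, 8):
        result["verdict"] = "icmp-non-echo"
    elif len(payload) <= LARGE_PAYLOAD:
        result["verdict"] = "echo-normal"
    elif result["looks_like_jpeg"]:
        result["verdict"] = "large-echo-jpeg-payload"     # the pattern reported in the thread
    else:
        result["verdict"] = "large-echo-unknown-payload"  # large opaque payload: worth a look
    return result

# Constructed sample: 2062 bytes of JFIF-like filler so the IPv4 packet totals 2090 bytes,
# the size given in the original report (the filler is not the real image data).
SAMPLE_JPEG_PAYLOAD = (JPEG_SOI + b"\xe0\x00\x10JFIF\x00").ljust(2062, b"\x00")
SAMPLE_PACKET = build_echo(SAMPLE_JPEG_PAYLOAD)
```

Feeding `triage_icmp` the IPv4 payload of each IDS alert lets an analyst count how many of the large echoes carry the JPEG marker versus something else, which is the distinction Ryan's question turns on.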


