Re: Strings of 'EEEE' in pings...
From: Chris Keladis (Chris.Keladis@cmc.cwo.net.au)
Date: 01/25/02
- Previous message: Daniel F. Chief Security Engineer -: "Re: DDoS attack."
- Next in thread: dlaumann@suntzu.net: "RE: Strings of 'EEEE' in pings..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 26 Jan 2002 08:01:16 +1100
From: Chris Keladis <Chris.Keladis@cmc.cwo.net.au>
To: Peter Bates <Peter.Bates@lshtm.ac.uk>
Peter Bates wrote:
> Yes it's a ping echo/reply pair, but why the string of EE's?
Good question.
My guess would be some kind of automated scanning tool. I could have
sworn I've seen ICMP ping/pong packets with E's as the payload, but I
can't pinpoint where.
> I could recreate this slightly using 'ping -p 45 host' from another
> system,
> but it was still slightly different at the front...
It probably was the data for a timeval struct which ping uses to work
out the RTT times. Your packets are made from a dedicated tool of some
kind.
> Can anyone explain this, or what might be generating this traffic?
>
> The internal host in question appears to be a Windows machine, but
> we'll only be able to investigate properly after the weekend.
Just looking at my Snort rules, I found that WebTrends Scanner sends
packets filled with 0x45's (E's), the only difference being that they have
4 leading NULL bytes whereas yours don't.
WebTrends make a security scanning product, perhaps this is it?
Unfortunately Google didn't yield much more information. :(
HIH,
Chris.
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
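The thread turns on telling apart three payloads that all look like runs of E's: a Unix `ping -p 45` (an 8-byte timeval for RTT measurement, then 0x45 fill), the WebTrends Scanner signature Chris found in his Snort rules (4 NUL bytes, then 0x45 fill), and a packet that is 0x45 from the first byte. The following is an added example, not code from the original post or from any of the tools named in it: it parses an ICMP echo request/reply, verifies the checksum, and classifies the payload against those fingerprints. The "WebTrends-like" check is taken only from the post's description of the rule; the Unix layout assumes an 8- or 16-byte timeval followed by the `-p` pattern or the default incrementing bytes (each byte equal to its offset in the data); the Windows default payload is assumed to be the 32-byte string "abcdefghijklmnopqrstuvwabcdefghi". The sample packets and timestamps are constructed here, not captures.

```python
"""Added example: parse an ICMP echo packet and classify its payload by the
fingerprints discussed in the thread (ping -p 45, WebTrends-style, plain 0x45).
Not code from the original post; see assumptions in the comments below."""
import struct

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
WINDOWS_DEFAULT = b"abcdefghijklmnopqrstuvwabcdefghi"   # assumed Windows ping payload


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over ICMP header + payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(payload: bytes, icmp_type: int = ICMP_ECHO_REQUEST,
               ident: int = 0x1234, seq: int = 1) -> bytes:
    """Build an ICMP echo request/reply with a correct checksum (used for samples)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp_echo(packet: bytes) -> dict:
    """Split an ICMP echo packet into header fields and payload; verify checksum."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY) or code != 0:
        raise ValueError("not an ICMP echo request/reply")
    # A packet whose checksum field is correct re-checksums to zero.
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    return {"type": icmp_type, "id": ident, "seq": seq, "payload": packet[8:]}


def classify_payload(payload: bytes) -> str:
    """Label the payload by the known ping/scanner patterns from the thread."""
    if not payload:
        return "empty"
    # WebTrends Scanner as described in the post: 4 NUL bytes, then 0x45 fill.
    if len(payload) > 4 and payload[:4] == b"\x00" * 4 and set(payload[4:]) == {0x45}:
        return "webtrends-like"
    # 0x45 from the very first byte: no timeval, so not a stock Unix ping.
    if set(payload) == {0x45}:
        return "0x45-fill-no-timeval"
    if payload == WINDOWS_DEFAULT:
        return "windows-ping-default"
    # Unix ping: timeval (8 bytes on 32-bit, 16 on 64-bit; assumption) then pattern.
    for tv_len in (8, 16):
        rest = payload[tv_len:]
        if not rest:
            continue
        if set(rest) == {0x45}:
            return "unix-ping-pattern-45"          # ping -p 45
        if rest == bytes(range(tv_len, len(payload))):
            return "unix-ping-default"             # byte value == data offset
    return "unknown"


def classify_packet(packet: bytes) -> str:
    return classify_payload(parse_icmp_echo(packet)["payload"])


# Constructed sample packets (not captures); the timeval value is arbitrary.
FAKE_TIMEVAL = struct.pack("<II", 1011990076, 123456)   # tv_sec, tv_usec (LE host)
SAMPLES = {
    "ping -p 45":      build_echo(FAKE_TIMEVAL + b"\x45" * 48),
    "ping default":    build_echo(FAKE_TIMEVAL + bytes(range(8, 56))),
    "windows ping":    build_echo(WINDOWS_DEFAULT),
    "webtrends style": build_echo(b"\x00" * 4 + b"\x45" * 60),
    "thread's packet": build_echo(b"\x45" * 56, ICMP_ECHO_REPLY),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:16s} -> {classify_packet(pkt)}")
```

Running it prints one label per sample; the "thread's packet" case (0x45 from the first byte, no timeval in front) is the one the post attributes to a dedicated tool rather than a stock `ping -p 45`, and the WebTrends-style sample differs from it only in the four leading NULs.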