Re: Odd windows ICMP... any ideas what this is?
From: Ryan Yagatich (ryany_at_pantek.com)
Date: 06/09/03
- Previous message: Greg A. Woods: "RE: strange traffic on UDP port 53"
- In reply to: ted klugman: "Odd windows ICMP... any ideas what this is?"
- Next in thread: Raistlin: "Re: Odd windows ICMP... any ideas what this is?"
- Reply: Raistlin: "Re: Odd windows ICMP... any ideas what this is?"
Date: Mon, 9 Jun 2003 13:39:26 -0400 (EDT)
To: ted klugman <tedklugman@yahoo.com>
Although it may not be directly related, wasn't there some chat
server written some time ago that distributed its text through ICMP?
If so, could this be a deviation of this, maybe testing the
destination to see if it can accept such packets so that it could transmit
other data?
Thanks,
Ryan Yagatich
,_____________________________________________________,
\ Ryan Yagatich support@pantek.com \
/ Pantek Incorporated (877) LINUX-FIX /
\ http://www.pantek.com/security (440) 519-1802 \
/ Are your networks secure? Are you certain? /
\___E48BF0689E4F349D237D621CEAAD45E3C313A99DBB8BA16F___\
On Mon, 9 Jun 2003, ted klugman wrote:
>Our IDS has been reporting some large ICMP packets on
>our internal network. Our internal network is a
>Windows2000 domain -- servers and clients.
>
>- Packet size is always 2090 bytes
>- Almost always sent from a client or member server to
>one of the two boxes running Active Directory
>- The ping payload itself is actually a JPEG of the
>Microsoft logo. This JPEG can actually be found inside
>userenv.dll.
>
>I googled for any details, and I see that others have
>run into this before. However, there were no answers,
>just questions. See these two links for identical
>packets:
>
>http://archives.neohapsis.com/archives/linux/debian/2002-q4/0658.html
>
>http://cert.uni-stuttgart.de/archive/debian/security/2002/11/msg00222.html
>
>
>Anyone else seen these? Any idea what's causing them?
>Is this 'normal' behavior on a W2K network?
>
>Other than the fact that they are relatively large
>ICMP packets, they don't appear to be malicious in any
>way. There is no other malicious traffic seen on our
>network.
>
>TIA.
>
>-TedK
>
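A triage sketch for the traffic described in the quoted report (an added example, not part of either poster's message): it parses a reassembled IPv4 datagram and, for ICMP echo request/reply, reports the payload size and whether a JPEG start-of-image marker appears in the payload. The addresses, the 1024-byte threshold, the helper names and both sample payloads are constructed assumptions.

```python
import socket
import struct

JPEG_SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker plus the next marker's 0xFF

def inspect_icmp_echo(datagram: bytes, large_payload: int = 1024):
    """Triage one reassembled IPv4 datagram; return None if it is not an ICMP echo."""
    if len(datagram) < 20 or datagram[0] >> 4 != 4:
        return None
    ihl = (datagram[0] & 0x0F) * 4           # IP header length in bytes
    if ihl < 20 or datagram[9] != 1 or len(datagram) < ihl + 8:  # protocol 1 = ICMP
        return None
    icmp_type, code = datagram[ihl], datagram[ihl + 1]
    if icmp_type not in (0, 8) or code != 0:  # 8 = echo request, 0 = echo reply
        return None
    payload = datagram[ihl + 8:]              # skip type, code, checksum, id, sequence
    offset = payload.find(JPEG_SOI)
    return {
        "src": socket.inet_ntoa(datagram[12:16]),
        "dst": socket.inet_ntoa(datagram[16:20]),
        "type": "request" if icmp_type == 8 else "reply",
        "payload_len": len(payload),
        "large": len(payload) >= large_payload,
        "jpeg_offset": offset if offset >= 0 else None,
    }

def build_echo(src, dst, payload, icmp_type=8, proto=1):
    """Build a constructed IPv4 + ICMP datagram for testing (checksums left at zero)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 128, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + icmp

def flagged(datagrams):
    """Return the echo records that are large or carry a JPEG marker."""
    records = (inspect_icmp_echo(d) for d in datagrams)
    return [r for r in records if r and (r["large"] or r["jpeg_offset"] is not None)]

# Constructed samples: a 2048-byte payload that starts like a JPEG, and a 32-byte ping.
JPEG_LIKE = (JPEG_SOI + b"\xe0\x00\x10JFIF\x00").ljust(2048, b"\x00")
SMALL_PING = b"abcdefghijklmnopqrstuvwabcdefghi"
SAMPLES = [build_echo("10.0.0.21", "10.0.0.5", JPEG_LIKE),
           build_echo("10.0.0.22", "10.0.0.5", SMALL_PING)]

if __name__ == "__main__":
    for rec in flagged(SAMPLES):
        print(rec)
```

The parser expects the datagram after IP reassembly and without the link-layer header, so sizes it reports will differ from an on-the-wire frame size shown by an IDS.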