Re: Odd windows ICMP... any ideas what this is?

From: Ryan Yagatich (ryany_at_pantek.com)
Date: Mon, 9 Jun 2003 13:39:26 -0400 (EDT)
To: ted klugman <tedklugman@yahoo.com>

Although it may not be directly related, wasn't there some chat server
written some time ago that distributed its text through ICMP? If so, could
this be a deviation of this, maybe testing the destination to see if it can
accept such packets so that it could transmit other data?

Thanks,
Ryan Yagatich

,_____________________________________________________,
\ Ryan Yagatich support@pantek.com \
/ Pantek Incorporated (877) LINUX-FIX /
\ http://www.pantek.com/security (440) 519-1802 \
/ Are your networks secure? Are you certain? /
\___E48BF0689E4F349D237D621CEAAD45E3C313A99DBB8BA16F___\

On Mon, 9 Jun 2003, ted klugman wrote:

>Our IDS has been reporting some large ICMP packets on
>our internal network. Our internal network is a
>Windows2000 domain -- servers and clients.
>
>- Packet size is always 2090 bytes
>- Almost always sent from a client or member server to
>one of the two boxes running Active Directory
>- The ping payload itself is actually a JPEG of the
>Microsoft logo. This JPEG can actually be found inside
>userenv.dll.
>
>I googled for any details, and I see that others have
>run into this before. However, there were no answers,
>just questions. See these two links for identical
>packets:
>
>http://archives.neohapsis.com/archives/linux/debian/2002-q4/0658.html
>
>http://cert.uni-stuttgart.de/archive/debian/security/2002/11/msg00222.html
>
>
>Anyone else seen these? Any idea what's causing them?
>Is this 'normal' behavior on a W2K network?
>
>Other than the fact that they are relatively large
>ICMP packets, they don't appear to be malicious in any
>way. There is no other malicious traffic seen on our
>network.
>
>TIA.
>
>-TedK
>
>__________________________________
>Do you Yahoo!?
>Yahoo! Calendar - Free online calendar with sync to Outlook(TM).
>http://calendar.yahoo.com
>
>----------------------------------------------------------------------------
>----------------------------------------------------------------------------
>

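The pattern Ted describes (echo requests of a fixed size, sent from clients and member servers to the domain controllers, carrying a JPEG payload) is something an analyst would want to triage in bulk rather than chase one IDS alert at a time. The Python below is an added example, not code from the original list post: it parses raw IPv4/ICMP packets, verifies the ICMP checksum, and sorts oversized echo requests by whether the payload begins with a JPEG start-of-image marker and whether the destination is a known domain controller. The size threshold, the addresses, and the sample packets are assumptions constructed for illustration; the 2090-byte figure is taken from the thread and is treated here as the IP total length.

```python
"""Triage oversized ICMP echo requests by payload content and destination.

Added example, not part of the original thread. Packets are raw IPv4 bytes;
the sample packets, addresses and threshold below are constructed/assumed.
"""
import struct
from typing import Optional

JPEG_SOI = b"\xff\xd8\xff"      # JPEG start-of-image marker (FF D8 FF)
LARGE_ICMP_BYTES = 1024         # assumed alert threshold on IP total length
SAMPLE_DCS = frozenset({"10.0.0.10", "10.0.0.11"})  # constructed DC addresses


def inet_checksum(data: bytes) -> int:
    """One's-complement checksum used by the IP and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(src: str, dst: str, payload: bytes,
                       ident: int = 1, seq: int = 1) -> bytes:
    """Construct a minimal IPv4 + ICMP echo request (sample data only)."""
    icmp_hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = inet_checksum(icmp_hdr + payload)
    icmp = struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload
    total_len = 20 + len(icmp)
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    fmt = "!BBHHHBBH4s4s"   # ver/ihl, tos, len, id, frag, ttl, proto, csum, src, dst
    ip_hdr = struct.pack(fmt, 0x45, 0, total_len, 0, 0, 64, 1, 0, src_b, dst_b)
    ip_csum = inet_checksum(ip_hdr)
    ip_hdr = struct.pack(fmt, 0x45, 0, total_len, 0, 0, 64, 1, ip_csum, src_b, dst_b)
    return ip_hdr + icmp


def parse_ipv4_icmp(packet: bytes) -> Optional[dict]:
    """Return header fields and ICMP payload, or None if not IPv4/ICMP."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 1:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    icmp = packet[ihl:total_len]
    if len(icmp) < 8:
        return None
    return {
        "src": ".".join(str(b) for b in packet[12:16]),
        "dst": ".".join(str(b) for b in packet[16:20]),
        "size": total_len,
        "type": icmp[0],
        "checksum_ok": inet_checksum(icmp) == 0,
        "payload": icmp[8:],
    }


def classify_icmp(packet: bytes, domain_controllers: frozenset) -> Optional[dict]:
    """Label an ICMP packet for triage; None when the bytes are not ICMP."""
    p = parse_ipv4_icmp(packet)
    if p is None:
        return None
    if not p["checksum_ok"]:
        verdict = "bad-checksum"            # malformed or truncated capture
    elif p["type"] != 8:
        verdict = "not-echo-request"
    elif p["size"] <= LARGE_ICMP_BYTES:
        verdict = "normal-size"
    elif p["payload"].startswith(JPEG_SOI) and p["dst"] in domain_controllers:
        verdict = "large-jpeg-to-dc"        # the pattern described in the thread
    elif p["payload"].startswith(JPEG_SOI):
        verdict = "large-jpeg-other-dst"    # same payload, unexpected destination
    else:
        verdict = "large-unknown-payload"   # review: ICMP may be carrying other data
    return {"src": p["src"], "dst": p["dst"], "size": p["size"], "verdict": verdict}


# Constructed samples: 2090 = 20 (IP) + 8 (ICMP) + 2062 bytes of payload.
JPEG_LIKE_PAYLOAD = JPEG_SOI + b"\xe0" + b"\x00" * (2062 - 4)
SAMPLE_PACKETS = [
    build_echo_request("10.0.0.55", "10.0.0.10", JPEG_LIKE_PAYLOAD),
    build_echo_request("10.0.0.55", "10.0.0.10", b"abcdefghijklmnopqrstuvwabcdefghi"),
    build_echo_request("10.0.0.77", "10.0.0.99", JPEG_LIKE_PAYLOAD),
    build_echo_request("10.0.0.88", "10.0.0.10", b"\x00" * 2062),
]


def triage(packets, domain_controllers=SAMPLE_DCS) -> list:
    """Classify a batch of packets, dropping anything that is not ICMP."""
    out = []
    for pkt in packets:
        r = classify_icmp(pkt, domain_controllers)
        if r is not None:
            out.append(r)
    return out


if __name__ == "__main__":
    for rec in triage(SAMPLE_PACKETS):
        print("%-10s -> %-10s %5d bytes  %s" % (rec["src"], rec["dst"], rec["size"], rec["verdict"]))
```

Feeding captured packets to `triage` lets the "large-jpeg-to-dc" hits be counted and set aside as the known pattern, while "large-jpeg-other-dst" and "large-unknown-payload" are the records worth a closer look; the checksum check catches truncated captures before they are mislabelled.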

