Re: Odd windows ICMP... any ideas what this is?

From: Raistlin (raistlin_at_s0ftpj.org)
Date: 06/13/03

Next message: http-equiv_at_excite.com: "Re: File on desktop called "~""

Previous message: Mike: "Re: Spoofed TCP SYNs w/Winsize 55808 (was: Help with an odd log file...)"
In reply to: Ryan Yagatich: "Re: Odd windows ICMP... any ideas what this is?"
Next in thread: Mika Boström: "Re: Odd windows ICMP... any ideas what this is?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: "Ryan Yagatich" <ryany@pantek.com>, "ted klugman" <tedklugman@yahoo.com>
Date: Fri, 13 Jun 2003 23:28:14 +0200

> Although it may not be directly related, wasn't there some chat
> server written some time ago that distributed its text through icmp?

It seems unrelated, but there's plenty of tools using ICMP to carry data out
there. An example is
our own ICMP tunnelling library and covert shell
(http://www.s0ftpj.org/tools/007shell.tgz), also ported to windows
(http://www.s0ftpj.org/tools/icmp_tunnel.h)

Raistlin

S0ftPj - Digital Security for Y2K

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS/E/IT/TW d++(-) s++:-- a-- C++++ U++++ P(---) L+++ E----
W+++ N++ o K+ w--- O- M-- V-- PS++ PE- Y++ PGP++ t+++ 5+
X+@ R+++ tv-- b+++ DI++++ D++ G+ e+++>++++(*) h! r% y+
------END GEEK CODE BLOCK------

----------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
world's premier technical IT security event! 10 tracks, 15 training sessions,
1,800 delegates from 30 nations including all of the top experts, from CSO's to
"underground" security specialists. See for yourself what the buzz is about!
Early-bird registration ends July 3. This event will sell out. www.blackhat.com
----------------------------------------------------------------------------

Next message: http-equiv_at_excite.com: "Re: File on desktop called "~""

Previous message: Mike: "Re: Spoofed TCP SYNs w/Winsize 55808 (was: Help with an odd log file...)"
In reply to: Ryan Yagatich: "Re: Odd windows ICMP... any ideas what this is?"
Next in thread: Mika Boström: "Re: Odd windows ICMP... any ideas what this is?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: Removing ping/icmp from a network
... ICMP is part of the code base of the OS IP stack FYI. ... exploitable vulnerability does not count as such. ... whether your systems do or don't respond to ping DOES NOT CHANGE ... So basically you're justifying obscurity instead of security, ...
(Security-Basics)
[security bulletin] SSRT4743, SSRT4884 rev.1 - HP Tru64 UNIX TCP/IP remote Denial of Service (DoS)
... The information in this Security Bulletin should be acted upon ... in the HP Tru64 UNIX TCP/IP including ICMP, ... # sysconfig -q inet icmp_tcpseqcheck ...
(Bugtraq)
HPSBTU01210 SSRT4743, SSRT4884 rev.0 - HP Tru64 UNIX TCP/IP remote Denial of Service (DoS)
... There are no restrictions for distribution of this Security ... The information in this Security Bulletin should be acted upon ... in the HP Tru64 UNIX TCP/IP including ICMP, ... # sysconfig -q inet icmp_tcpseqcheck ...
(Bugtraq)
Re: Port 113?
... specific rules have been added to specifically allow packets ... a firewall that is allowing packets to move in and out in ... some compelling reasons to use TCP RST and ICMP, ... my level of security. ...
(comp.security.firewalls)
[NT] Remote Denial of Service Vulnerability in BlackICE Products
... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... remote attackers to crash or disrupt affected versions of BlackICE ... Server Sensor running on Windows 2000 or Windows XP can be remotely ... Apply the following rule within the ICEcap Manager to block ICMP Echo ...
(Securiteam)