is this the start of something naughty?

From: Charles Blackburn (charlesb_at_summerfield-technology.co.uk)
Date: 08/18/03

  • Next message: Rainer Duffner: "Re: Software vendor clueless"
    Date: Mon, 18 Aug 2003 11:24:45 +0100
    To: incidents@securityfocus.com
    
    

    Hi

    I received approximately 100 of these within the space of 30 minutes or so from numerous different IP addresses and on my /29 block (2/3 machines and also the broadcast/and network addresses). Now I've had a few shall we say erm, "funnies" going on on this one machine lately with problems when it's rebooted which seem to be fixed by a kernel rebuild, but that could be a hardware problem. however it could be more indicative of an attack maybe even a successful one.

    Aug 18 10:46:14 thunder snort: [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {ICMP} 80.253.133.136 -> xx.xx.xx.120/123/125/127

    120/127 are the end of my 8 IP block, 125 is the machine with the funnies, and 123 is a windows 98 vmware session that I've only just finished installing windows in.

    it's always those same IP's and never any of the others.

    my question is, what can i do to see whether my box has been compromised (a rebuild's not much a problem as i was going to do it anyway :P) and if could any of you "1337" (i use that term loosely) help me.

    regards
    charles

    ---------------------------------------------------------------------------
    Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
     - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
     - Automatically Control P2P, IM and Spam Traffic
     - Ensure Reliable Performance of Mission Critical Applications
     - Precisely Define and Implement Network Security and Performance Policies
    **FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
    Visit us at:
    http://www.securityfocus.com/sponsor/CaptusNetworks_incidents_030814
    ----------------------------------------------------------------------------


  • Next message: Rainer Duffner: "Re: Software vendor clueless"

    Relevant Pages

    • Re: Increasing ICMP Echo Requests
      ... In the company I'm working for, we also have noticed a increasing number of ICPM request. ... > Captus Networks - Integrated Intrusion Prevention and Traffic Shaping ... > - Ensure Reliable Performance of Mission Critical Applications ...
      (Incidents)
    • Re: Increasing ICMP Echo Requests
      ... We are looking into filtering ICMP echo ... >Captus Networks - Integrated Intrusion Prevention and Traffic Shaping ... > - Ensure Reliable Performance of Mission Critical Applications ...
      (Incidents)
    • RE: DCOM worm with get.bat bot.rar
      ... DCOM worm with get.bat bot.rar ... > Captus Networks - Integrated Intrusion Prevention and Traffic Shaping ... > - Ensure Reliable Performance of Mission Critical Applications ...
      (Incidents)
    • RE: Microsoft extinguishes windowsupdate.com
      ... Subject: Microsoft 'extinguishes' windowsupdate.com ... Captus Networks - Integrated Intrusion Prevention and Traffic Shaping ... - Ensure Reliable Performance of Mission Critical Applications ...
      (Incidents)
    • Re: lots of sobig virus emails.
      ... they shouldn't be sending mail to the ... Captus Networks - Integrated Intrusion Prevention and Traffic Shaping ... Ensure Reliable Performance of Mission Critical Applications ...
      (Incidents)