RE: Increasing ICMP Echo Requests
From: David Burt (uncue75_at_yahoo.com)
Date: 08/20/03
- Previous message: Juri Haberland: "Re: possible 0-day exploit for latest Real-/Helixserver 9.0.2.794"
- Maybe in reply to: Ken Eichman: "Increasing ICMP Echo Requests"
- Next in thread: Bruce Martins: "RE: Increasing ICMP Echo Requests"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 20 Aug 2003 06:02:07 -0700 (PDT)
To: incidents@securityfocus.com
This is how it happened to us. A user took their laptop home and either dialed up to an ISP or plugged their laptop into their cable modem. We have ZoneAlarm on all of our laptops. The user either closed it or answered yes to the question regarding connecting to port 135. Once infected, the user came in the next day and turned the worm loose on our internal network.
It sucks, but what can you do?
-----Original Message-----
From: Logan Rogers-Follis - TNTNetworx.net [mailto:logan@tntnetworx.net]
Sent: Tuesday, August 19, 2003 4:24 PM
To: Bruce Martins
Cc: Kevin Patz; incidents@securityfocus.com
Subject: Re: Increasing ICMP Echo Requests
My question is then: how does it get into a secure network other than e-mail, when no machines are taken in and out of the network? It has to spread originally through something other than TFTP...?
Bruce Martins wrote:
>Well, this virus doesn't spread through e-mail, so whether or not you have AV software on a mail server would not really matter in this case, as it exploits the same vulnerability that the original MSBLAST worm did, then patches it. The real problem is that some people aren't heeding the warnings and patching their machines when a patch is released for a very serious vulnerability like this one. The same thing happened with the SQL Slammer worm: people had more than enough time to test and apply this patch but didn't. But hey, just my 2 cents.
>
>Bruce Martins
>Systems Administrator
>EXTEND>>MEDIA
>190 Liberty Street
>Toronto, Ontario
>Canada
>M6K 3L5
>_______________________
>e: bmartins@extend.com
>t: (416) 535-4222 ext. 2307
>f: (416) 535-1201
>http://www.extend.com
>
>-----Original Message-----
>From: Logan Rogers-Follis - TNTNetworx.net [mailto:logan@tntnetworx.net]
>Sent: Tuesday, August 19, 2003 3:34 PM
>To: Bruce Martins
>Cc: Kevin Patz; incidents@securityfocus.com
>
>My company had this virus (an unprotected computer - now secured - let it in), and within 10 min. it had sent 6MB worth of ICMP out of our network, and it was totally messing up our 1.5MB SDSL line and ruining our VPN. I used the Norton tool and fixed them all, but I do know this thing is horrible (I just wish every company had an AV on their mail server - that would help stop some of this).
>
>Logan
>
>Bruce Martins wrote:
>
>>As I think this has already been posted here, it would seem that this may be part of the new so-called "good" worm, if that in fact really is one, which seems to patch the machine once infected and removes any traces of the previous worm as well as itself on January 1, 2004. This does create a lot of traffic as it does search for other vulnerable machines. Is this a good or bad thing? Did the writer of this do it to help remove the infection and spread of the previous worm, or some other hidden agenda?
>>
>>McAfee link
>>http://us.mcafee.com/virusInfo/default.asp?id=nachi
>>
>>Symantec link
>>http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html
>>
>>Bruce Martins
>>Systems Administrator
>>EXTEND>>MEDIA
>>190 Liberty Street
>>Toronto, Ontario
>>Canada
>>M6K 3L5
>>_______________________
>>e: bmartins@extend.com
>>t: (416) 535-4222 ext. 2307
>>f: (416) 535-1201
>>http://www.extend.com
>>
>>-----Original Message-----
>>From: Kevin Patz [mailto:jambo_cat@yahoo.com]
>>Sent: Monday, August 18, 2003 4:46 PM
>>To: incidents@securityfocus.com
>>
>>In-Reply-To: <3F411CBC.2020203@cedardoc.com>
>>
>>Upon reading of this, I enabled logging of ping requests on my firewall. So far I've only seen three with len=92:
>>
>>24.64.90.16 (Shaw Communications)
>>24.60.234.130 (Comcast, formerly attbi)
>>24.61.246.103 (Comcast, formerly attbi)
>>
>>My IP is on Comcast, formerly attbi, on a 24.62 IP range. I also have some pings with len=60 but they look more like "normal" ICMP echo requests.
>>
>>>Ken,
>>>
>>>We're seeing the same ICMP pattern.
>>>
>>>Is this from the blaster? We are looking into filtering ICMP echo request on our external routers.
>>>
>>>Here is a snip from our IDS,
>>>
>>>[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
>>>[Classification: Misc activity] [Priority: 3]
>>>[Xref => http://www.whitehats.com/info/IDS154]
>>>Event ID: 179333 Event Reference: 0
>>>08/18/03-18:27:28.386411 65.83.120.72 -> xx.xx.xx.xx
>>>ICMP TTL:118 TOS:0x0 ID:21399 IpLen:20 DgmLen:92
>>>Type:8 Code:0 ID:2 Seq:61261 ECHO
>>>AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
>>>AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
>>>AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
>>>AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
>>>
>>>Thanks
>>>
>>>Daniel Williams
>>>Cedar Document Technologies
>>>
>>---------------------------------------------------------------------------
>>Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
>>- Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
>>- Automatically Control P2P, IM and Spam Traffic
>>- Ensure Reliable Performance of Mission Critical Applications
>>- Precisely Define and Implement Network Security and Performance Policies
>>**FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
>>Visit us at:
>>http://www.securityfocus.com/sponsor/CaptusNetworks_incidents_030814
>>----------------------------------------------------------------------------
__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com
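As an added example, not code from the thread or from any poster's tooling: a Python check for the ICMP pattern in the IDS snip quoted above, an echo request with DgmLen 92 whose 64 data bytes are all 0xAA, alongside the len=60 "normal" pings mentioned. The sample packets, addresses and sequence numbers are constructed here for the demonstration.

```python
import struct
from ipaddress import IPv4Address

# Welchia/Nachi echo request: 64 data bytes of 0xAA, so DgmLen = 20 (IP) + 8 (ICMP) + 64 = 92
WELCHIA_DATA = b"\xaa" * 64

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by both the IP and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo_request(data: bytes, src: str, dst: str, ident: int = 2, seq: int = 1) -> bytes:
    """Construct a raw IPv4 ICMP echo request (test input only, not captured traffic)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 21399, 0, 118, 1, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + icmp

def is_welchia_probe(packet: bytes) -> bool:
    """True if `packet` is an IPv4 ICMP echo (type 8, code 0) whose data is exactly 64 x 0xAA."""
    if len(packet) < 28:
        return False
    ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto = struct.unpack("!BBHHHBB", packet[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 1 or ihl < 20 or total_len > len(packet):
        return False
    icmp = packet[ihl:total_len]  # checksums are not validated; only the shape is checked
    return len(icmp) == 72 and icmp[0] == 8 and icmp[1] == 0 and icmp[8:] == WELCHIA_DATA

def probes_by_source(packets) -> dict:
    """Count matching probes per source address, the view a firewall log gives you."""
    counts = {}
    for pkt in packets:
        if is_welchia_probe(pkt):
            src = str(IPv4Address(pkt[12:16]))
            counts[src] = counts.get(src, 0) + 1
    return counts

if __name__ == "__main__":  # constructed sample: two probes from one host plus a Windows-style ping (32 data bytes, DgmLen 60)
    sample = [build_echo_request(WELCHIA_DATA, "192.0.2.10", "192.0.2.20", seq=61261),
              build_echo_request(WELCHIA_DATA, "192.0.2.10", "192.0.2.21", seq=61262),
              build_echo_request(b"abcdefghijklmnopqrstuvwabcdefghi", "192.0.2.30", "192.0.2.20")]
    print(probes_by_source(sample))  # {'192.0.2.10': 2}
```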