Re: ICMP Type:8 Code:137
From: Justin (justinvinn_at_gmail.com)
Date: 10/28/05
- Previous message: PatInTheHat: "RE: troj_cryt.u detected"
- In reply to: mutiger_jh_at_yahoo.com: "ICMP Type:8 Code:137"
- Next in thread: Allan Kjeldbjerg (Acom Internet ApS): "Re: ICMP Type:8 Code:137"
- Reply: Allan Kjeldbjerg (Acom Internet ApS): "Re: ICMP Type:8 Code:137"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 28 Oct 2005 14:11:04 -0400
To: "mutiger_jh@yahoo.com" <mutiger_jh@yahoo.com>
Mutiger_jh,
It could indeed be a recon technique (the traceroute makes me think
that even more). Custom ICMP programs are not that difficult to make,
so maybe somebody is using your system(s) as a testing ground?
This also reminds me of xprobe2. Doesn't that send ICMP like what you
described? Are these targeted in sweeps across your netrange, or is it
just against one specific host?
Hope some of that helped...
peace,
--Justin
On 28 Oct 2005 03:12:09 -0000, mutiger_jh@yahoo.com
<mutiger_jh@yahoo.com> wrote:
> We have been seeing a good number of ICMP - echo requests coming in bursts having a code of 137 in the last couple of days. The bursts do not last long but are sometimes preceded by a traceroute. No other traffic follows from the source hosts. There is no payload in the packets. My research into what or why this is happening has turned up nothing.
>
> Has anyone heard of any attacks or recon using this code?
>
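An added example, not part of the original thread: a small detector for the traffic described above, flagging ICMP echo requests (type 8) whose code is not 0, the only code RFC 792 defines for echo, and grouping them by source, code and payload length. It assumes raw IPv4 packets starting at the IP header; the helper names, addresses (documentation ranges) and sample packets are constructed for illustration.

```python
import struct
from collections import Counter

def parse_icmp(packet: bytes):
    """Return (src_ip, icmp_type, icmp_code, payload_len), or None if not IPv4 ICMP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4            # IPv4 header length in bytes
    if ihl < 20 or packet[9] != 1 or len(packet) < ihl + 8:
        return None                          # protocol 1 = ICMP; need the 8-byte echo header
    total_len = struct.unpack("!H", packet[2:4])[0]
    # Trust the IP total length only when it is plausible; otherwise use the capture length.
    end = min(total_len, len(packet)) if total_len >= ihl + 8 else len(packet)
    src = ".".join(str(b) for b in packet[12:16])
    return src, packet[ihl], packet[ihl + 1], end - (ihl + 8)

def odd_echo_requests(packets):
    """Count echo requests with a non-zero code, keyed by (src, code, payload_len)."""
    hits = Counter()
    for pkt in packets:
        parsed = parse_icmp(pkt)
        if parsed and parsed[1] == 8 and parsed[2] != 0:
            src, _type, code, payload_len = parsed
            hits[(src, code, payload_len)] += 1
    return hits

def build_packet(src, icmp_type, code, payload=b""):
    """Constructed sample packet: minimal IPv4 + ICMP echo header, checksums left at 0."""
    icmp = struct.pack("!BBHHH", icmp_type, code, 0, 1, 1) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes(int(o) for o in src.split(".")), bytes([192, 0, 2, 10]))
    return ip + icmp

# Constructed capture: a burst of code-137 echo requests with no payload,
# one ordinary ping (code 0, with payload) and one echo reply.
SAMPLES = (
    [build_packet("198.51.100.7", 8, 137) for _ in range(3)]
    + [build_packet("203.0.113.5", 8, 0, b"abcdefgh")]
    + [build_packet("198.51.100.7", 0, 0)]
)

if __name__ == "__main__":
    for (src, code, plen), n in odd_echo_requests(SAMPLES).items():
        print(f"{src}: {n} echo request(s) with code {code}, payload {plen} bytes")
```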