Re: Strange pings from 127.0.0.1
From: Timothy Schwimer (tschwimer_at_hotmail.com)
Date: 06/18/04
- Previous message: Harshal Dedhia: "RE: antivirus for linux"
- Maybe in reply to: Tim Schwimer: "Re: Strange pings from 127.0.0.1"
- Next in thread: Ranjeet Shetye: "Re: Strange pings from 127.0.0.1"
- Reply: Ranjeet Shetye: "Re: Strange pings from 127.0.0.1"
To: talukdar_m@subway.com, security-basics@securityfocus.com
Date: Fri, 18 Jun 2004 02:26:07 +0000
Not yet. Doesn't sound like you're having the same issue though. Mine is all
ICMP traffic, all sourced from the loopback, but destined to several
different host IP's. In addition, the source and dest MAC are always the
same regardless of the IP's.
I'm fairly certain that I've got a compromised host, but with the source IP
being a loopback, I've got no way of deducing which host.
>From: Murad Talukdar <talukdar_m@subway.com>
>To: Tim Schwimer <tschwimer@hotmail.com>, security-basics@securityfocus.com
>Subject: Re: Strange pings from 127.0.0.1
>Date: Fri, 18 Jun 2004 09:43:07 +1000
>
>I've been getting this on my router logs saying that the tcp got dropped.
> Source:127.0.0.1, 80, WAN - Destination:210.80.144.150, 1912, LAN -
>'Suspicious TCP Data'
>
>Did you work out what it was with the pings? Not sure if it's similar or
>not.
>
>Murad Talukdar
>
>
>----- Original Message -----
>From: "Tim Schwimer" <tschwimer@hotmail.com>
>To: <security-basics@securityfocus.com>
>Sent: Sunday, June 13, 2004 5:24 PM
>Subject: Re: Strange pings from 127.0.0.1
>
>
> > In-Reply-To: <GAEPLEDFDDGJLBGAABCNKENBCMAA.gg@stober.mailsnare.net>
> >
> > I started seeing the same thing on my DMZ segments this Friday afternoon
> > at about 4:00pm (figures, huh??). Anyway, I was wondering what you found
> > out about this. Any insight would be appreciated.
> > Thanks,
> > T
> > >From: "Marc" <gg@stober.mailsnare.net>
> > >To: <security-basics@securityfocus.com>
> > >Subject: Strange pings from 127.0.0.1
> > >Date: Thu, 13 May 2004 23:55:35 -0400
> > >
> > >The networked applications I am responsible for have been performing slowly.
> > >When I tried to run Ethereal on my computer, I found some odd ICMP echo
> > >request (ping) packets with a source IP of 127.0.01, to addresses both
> > >within our 192.168.1.* network as well as to random Internet addresses. The
> > >source and destination MAC addresses aren't anything I can associate with a
> > >computer on our network (and they're not the real MAC address of my
> > >computer), so I think maybe these packets are spoofed? Could this be some
> > >sort of virus or DOS attack somewhere within our network? I haven't seen
> > >anything quite like this mentioned online anywhere.
> > >
> > >Thanks, Marc
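
Added example, not part of the original thread: the posts describe ICMP echo requests seen on the wire with a 127.0.0.1 source and one constant source/destination MAC pair. This Python code tallies such frames by MAC pair from raw Ethernet frames, so the repeating source MAC can be checked against switch forwarding tables; the function names, MACs and sample frames are constructed for illustration.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

ICMP = 1

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def loopback_on_wire(frames):
    """Group IPv4 frames with a 127.0.0.0/8 source by (src MAC, dst MAC)."""
    hits = defaultdict(lambda: {"icmp_echo": 0, "other": 0, "dsts": set()})
    for f in frames:
        if len(f) < 34:                        # 14 Ethernet + 20 minimum IPv4
            continue
        dst_mac, src_mac = f[0:6], f[6:12]
        if f[12:14] != b"\x08\x00":            # IPv4 only; VLAN tags not handled
            continue
        ip = f[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl:
            continue                           # malformed header, skip
        src, dst = IPv4Address(ip[12:16]), IPv4Address(ip[16:20])
        if not src.is_loopback:                # RFC 1122: 127/8 must stay inside a host
            continue
        rec = hits[(mac(src_mac), mac(dst_mac))]
        rec["dsts"].add(str(dst))
        is_echo = ip[9] == ICMP and len(ip) > ihl and ip[ihl] == 8
        rec["icmp_echo" if is_echo else "other"] += 1
    return dict(hits)

def frame(src_mac, dst_mac, src_ip, dst_ip, proto=ICMP, icmp_type=8):
    """Build a constructed test frame (checksums left at zero)."""
    payload = bytes([icmp_type, 0, 0, 0, 0, 1, 0, 1])
    iphdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto,
                        0, IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + b"\x08\x00" + iphdr + payload

# Constructed sample: made-up MACs, private and documentation-range addresses.
SAMPLE = [
    frame("02aabbccdd01", "02aabbccdd02", "127.0.0.1", "192.168.1.20"),
    frame("02aabbccdd01", "02aabbccdd02", "127.0.0.1", "203.0.113.9"),
    frame("02aabbccdd03", "02aabbccdd02", "192.168.1.7", "192.168.1.20"),
    frame("02aabbccdd01", "02aabbccdd02", "127.0.0.1", "198.51.100.4", proto=6),
]

if __name__ == "__main__":
    for (s, d), rec in loopback_on_wire(SAMPLE).items():
        print(s, "->", d, rec["icmp_echo"], "echo,", rec["other"], "other", sorted(rec["dsts"]))
```

The source MAC reported here may belong to a router or be forged rather than to the originating host, so it narrows the search to a switch port or segment, not necessarily to one machine.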