Strange pings from 127.0.0.1

From: Andrew Aris (andrew_at_dev.bigfishinternet.co.uk)
Date: 06/21/04

  • Next message: Ranjeet Shetye: "Re: False negative on anti sniffing programme."
    To: <security-basics@securityfocus.com>
    Date: Mon, 21 Jun 2004 15:17:18 +0100
    
    

    I'm coming into this thread partway through so sorry if this is a dumb reply
    but if the MAC address is always the same then surely this could be used to
    trace the culprit host?

    > -----Original Message-----
    > From: Timothy Schwimer [mailto:tschwimer@hotmail.com]
    > Sent: 18 June 2004 03:26
    > To: talukdar_m@subway.com; security-basics@securityfocus.com
    > Subject: Re: Strange pings from 127.0.0.1
    >
    > Not yet. Doesn't sound like you're having the same issue though. Mine
    > is all ICMP traffic, all sourced from the loopback, but destined to
    > several different host IP's. In addition, the source and dest MAC are
    > always the same regardless of the IP's.
    > I'm fairly certain that I've got a compromised host, but with the
    > source IP being a loopback, I've got no way of deducing which host.
    >
    >
    > >From: Murad Talukdar <talukdar_m@subway.com>
    > >To: Tim Schwimer <tschwimer@hotmail.com>,
    > >security-basics@securityfocus.com
    > >Subject: Re: Strange pings from 127.0.0.1
    > >Date: Fri, 18 Jun 2004 09:43:07 +1000
    > >
    > >I've been getting this on my router logs saying that the tcp got dropped.
    > > Source:127.0.0.1, 80, WAN - Destination:210.80.144.150, 1912, LAN -
    > >'Suspicious TCP Data'
    > >
    > >Did you work out what it was with the pings? Not sure if it's similar
    > >or not.
    > >
    > >Murad Talukdar
    > >
    > >
    > >----- Original Message -----
    > >From: "Tim Schwimer" <tschwimer@hotmail.com>
    > >To: <security-basics@securityfocus.com>
    > >Sent: Sunday, June 13, 2004 5:24 PM
    > >Subject: Re: Strange pings from 127.0.0.1
    > >
    > >
    > > > In-Reply-To: <GAEPLEDFDDGJLBGAABCNKENBCMAA.gg@stober.mailsnare.net>
    > > >
    > > > I started seeing the same thing on my DMZ segments this Friday
    > > > afternoon at about 4:00pm (figures, huh??). Anyway, I was wondering
    > > > what you found out about this. Any insight would be appreciated.
    > > > Thanks,
    > > > T
    > > > >From: "Marc" <gg@stober.mailsnare.net>
    > > > >To: <security-basics@securityfocus.com>
    > > > >Subject: Strange pings from 127.0.0.1
    > > > >Date: Thu, 13 May 2004 23:55:35 -0400
    > > > >
    > > > >The networked applications I am responsible for have been performing
    > > > >slowly. When I tried to run Ethereal on my computer, I found some odd
    > > > >ICMP echo request (ping) packets with a source IP of 127.0.01, to
    > > > >addresses both within our 192.168.1.* network as well as to random
    > > > >Internet addresses. The source and destination MAC addresses aren't
    > > > >anything I can associate with a computer on our network (and they're
    > > > >not the real MAC address of my computer), so I think maybe these
    > > > >packets are spoofed? Could this be some sort of virus or DOS attack
    > > > >somewhere within our network? I haven't seen anything quite like this
    > > > >mentioned online anywhere.
    > > > >
    > > > >Thanks, Marc

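Added example, not part of any post in this thread: one way to act on the suggestion of tracing by MAC is to pull every frame captured on the wire whose IPv4 source is in 127.0.0.0/8 and group those frames by source MAC. The frames, MAC addresses and function names below are constructed for illustration.

```python
import ipaddress
import struct
from collections import defaultdict

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def build_frame(dst_mac, src_mac, src_ip, dst_ip, icmp_type=8):
    """Build a minimal Ethernet/IPv4/ICMP frame for the sample data (checksums left at 0)."""
    eth = bytes.fromhex((dst_mac + src_mac).replace(":", "")) + b"\x08\x00"
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    return eth + ip + icmp

def parse_frame(frame):
    """Return (src_mac, dst_mac, src_ip, dst_ip, is_echo_request), or None if not IPv4."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    if ihl < 20 or len(frame) <= 14 + ihl:
        return None
    is_echo = frame[23] == 1 and frame[14 + ihl] == 8   # protocol ICMP, type 8
    return (frame[6:12].hex(":"), frame[0:6].hex(":"),
            ipaddress.ip_address(frame[26:30]), ipaddress.ip_address(frame[30:34]), is_echo)

def loopback_sources_by_mac(frames):
    """Group frames seen on the wire with a 127.0.0.0/8 source IP by source MAC."""
    hits = defaultdict(lambda: {"frames": 0, "echo_requests": 0, "dst_macs": set(), "dst_ips": set()})
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None or parsed[2] not in LOOPBACK:
            continue
        src_mac, dst_mac, _, dst_ip, is_echo = parsed
        entry = hits[src_mac]
        entry["frames"] += 1
        entry["echo_requests"] += is_echo
        entry["dst_macs"].add(dst_mac)
        entry["dst_ips"].add(str(dst_ip))
    return dict(hits)

# Constructed sample capture: MACs and addresses are made up for illustration.
SUSPECT, NORMAL, GATEWAY = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:fe"
SAMPLE_FRAMES = [
    build_frame(GATEWAY, SUSPECT, "127.0.0.1", "192.168.1.10"),
    build_frame(GATEWAY, SUSPECT, "127.0.0.1", "198.51.100.7"),
    build_frame(GATEWAY, NORMAL, "192.168.1.20", "192.168.1.1"),
    build_frame(GATEWAY, SUSPECT, "127.0.0.1", "203.0.113.9"),
]
print(loopback_sources_by_mac(SAMPLE_FRAMES))
```

The source MAC in a captured frame identifies only the last layer-2 device that forwarded it onto the capture segment, and it can be forged like the IP, so a match is a lead to check against switch port and ARP tables, not proof of the originating host.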