Strange pings from 127.0.0.1
From: Andrew Aris (andrew_at_dev.bigfishinternet.co.uk)
Date: 06/21/04
To: <security-basics@securityfocus.com>
Date: Mon, 21 Jun 2004 15:17:18 +0100
I'm coming into this thread partway through so sorry if this is a dumb reply
but if the MAC address is always the same then surely this could be used to
trace the culprit host?
> -----Original Message-----
> From: Timothy Schwimer [mailto:tschwimer@hotmail.com]
> Sent: 18 June 2004 03:26
> To: talukdar_m@subway.com; security-basics@securityfocus.com
> Subject: Re: Strange pings from 127.0.0.1
>
> Not yet. Doesn't sound like you're having the same issue though. Mine
> is all ICMP traffic, all sourced from the loopback, but destined to
> several different host IPs. In addition, the source and dest MAC are
> always the same regardless of the IPs.
> I'm fairly certain that I've got a compromised host, but with the
> source IP being a loopback, I've got no way of deducing which host.
>
>
> >From: Murad Talukdar <talukdar_m@subway.com>
> >To: Tim Schwimer <tschwimer@hotmail.com>,
> >security-basics@securityfocus.com
> >Subject: Re: Strange pings from 127.0.0.1
> >Date: Fri, 18 Jun 2004 09:43:07 +1000
> >
> >I've been getting this on my router logs saying that the tcp got dropped.
> > Source:127.0.0.1, 80, WAN - Destination:210.80.144.150, 1912, LAN -
> >'Suspicious TCP Data'
> >
> >Did you work out what it was with the pings? Not sure if it's similar
> >or not.
> >
> >Murad Talukdar
> >
> >
> >----- Original Message -----
> >From: "Tim Schwimer" <tschwimer@hotmail.com>
> >To: <security-basics@securityfocus.com>
> >Sent: Sunday, June 13, 2004 5:24 PM
> >Subject: Re: Strange pings from 127.0.0.1
> >
> >
> > > I started seeing the same thing on my DMZ segments this Friday
> > > afternoon at about 4:00pm (figures, huh??). Anyway, I was wondering
> > > what you found out about this. Any insight would be appreciated.
> > > Thanks,
> > > T
> > > >From: "Marc" <gg@stober.mailsnare.net>
> > > >To: <security-basics@securityfocus.com>
> > > >Subject: Strange pings from 127.0.0.1
> > > >Date: Thu, 13 May 2004 23:55:35 -0400
> > > >The networked applications I am responsible for have been performing
> > > >slowly.
> > > >When I tried to run Ethereal on my computer, I found some odd ICMP
> > > >echo request (ping) packets with a source IP of 127.0.01, to
> > > >addresses both within our 192.168.1.* network as well as to random
> > > >Internet addresses. The source and destination MAC addresses aren't
> > > >anything I can associate with a computer on our network (and they're
> > > >not the real MAC address of my computer), so I think maybe these
> > > >packets are spoofed? Could this be some sort of virus or DOS attack
> > > >somewhere within our network? I haven't seen anything quite like
> > > >this mentioned online anywhere.
> > > >
> > > >Thanks, Marc
---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------
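
Added example, not part of any poster's message: a 127.0.0.0/8 source address should never appear on the wire, so a capture can be filtered for it and the matching frames tallied by Ethernet address pair, which is the grouping the "same MAC" observation in this thread relies on. The frames are constructed sample input (made-up locally administered MACs, documentation IPs); the source MAC names only the last layer-2 sender on the segment and can itself be forged.

```python
import struct
from collections import Counter
from ipaddress import ip_address, ip_network

LOOPBACK = ip_network("127.0.0.0/8")

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_frame(frame):
    """Return (src_mac, dst_mac, src_ip, dst_ip, proto) for IPv4 over Ethernet, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4:
        return None
    return (mac(frame[6:12]), mac(frame[0:6]),
            ip_address(ip[12:16]), ip_address(ip[16:20]), ip[9])

def loopback_sources(frames):
    """Tally (src_mac, dst_mac) pairs of frames whose source IP is in 127/8."""
    tally, dests = Counter(), {}
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed and parsed[2] in LOOPBACK:
            pair = (parsed[0], parsed[1])
            tally[pair] += 1
            dests.setdefault(pair, set()).add(str(parsed[3]))
    return tally, dests

def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto=1):
    """Constructed input: Ethernet + IPv4 header + ICMP echo stub, checksums left zero."""
    eth = bytes.fromhex((dst_mac + src_mac).replace(":", "")) + b"\x08\x00"
    iphdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                        ip_address(src_ip).packed, ip_address(dst_ip).packed)
    return eth + iphdr + b"\x08\x00" + b"\x00" * 6

# Constructed sample capture: three loopback-sourced pings and one normal ping.
HOST, GW = "02:00:00:aa:bb:01", "02:00:00:aa:bb:ff"
SAMPLE_FRAMES = [
    build_frame(HOST, GW, "127.0.0.1", "192.168.1.20"),
    build_frame(HOST, GW, "127.0.0.1", "203.0.113.7"),
    build_frame(HOST, GW, "127.0.0.1", "198.51.100.9"),
    build_frame("02:00:00:aa:bb:02", GW, "192.168.1.10", "192.168.1.1"),
]

if __name__ == "__main__":
    tally, dests = loopback_sources(SAMPLE_FRAMES)
    for (src, dst), count in tally.most_common():
        print(f"{count} frames  src_mac={src} dst_mac={dst} -> {sorted(dests[(src, dst)])}")
```

A source MAC that recurs this way can then be looked up in the switch's MAC address table to find the port it was learned on.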