RE: Strange pings from 127.0.0.1

From: David Gillett (gillettdavid_at_fhda.edu)
Date: 06/24/04

  • Next message: Coward, Robert (Contractor): "Re: Disaster Recovery Plan" 
    To: "'Tim Schwimer'" <tschwimer@hotmail.com>, <security-basics@securityfocus.com>
Date: Thu, 24 Jun 2004 12:37:19 -0700

      I believe some Cisco gear has used DEC chipsets. Check the
    MAC addresses of your router -- if it's a match, then you know
    this traffic is coming from outside.

    David Gillett

    > -----Original Message-----
    > From: Tim Schwimer [mailto:tschwimer@hotmail.com]
    > Sent: Thursday, June 24, 2004 9:24 AM
    > To: security-basics@securityfocus.com
    > Subject: Re: Strange pings from 127.0.0.1
    >
    >
    > In-Reply-To: <20040618220642.GA17943@ranjeet-pc2.zultys.com>
    >
    > Thanks for the suggestions. I'll look into seeing if I can't
    > trace down the infected device by assuming any target host is
    > not the source.
    > As for the MAC, it just doesn't make any sense to me. I know
    > that they are DEC addresses, and that we do not have any
    > devices with DEC NIC's. Nor do they show up in the CAM table
    > on the switch. In addition, port security is turned on for
    > every active port on the switch. One would think that a
    > packet with an invlaid source MAC seen by the switch would
    > cause a port violation and shut the port down.
    > One of the problems I'm having is the code on the switch is
    > very old. I've been trying to get it updated but am limited
    > being that it's a 24x7 production environment (that and the
    > fact that no one else seems to care about the issue!!!). So I
    > am not convinced that the issue is not being exacerbated by
    > some anomolous behavior of the switch. Strange part about it
    > though is that while I see the traffic on multiple segments,
    > I do not see it on every port in those segments.
    > In addition, while I see it both tx and rx on all of my FW
    > ports, tcpdump on the FW indicates that it is not seeing any
    > of the traffic at all. Likewise, rules on the FW to block all
    > of the traffic do not get any hits at all.
    > Keep the thoughts coming guys. I appreciate it.
    > -t
    >
    > >Received: (qmail 13316 invoked from network); 22 Jun 2004
    > 15:45:39 -0000
    > >Received: from outgoing.securityfocus.com (HELO
    > outgoing3.securityfocus.com) (205.206.231.27)
    > > by mail.securityfocus.com with SMTP; 22 Jun 2004 15:45:39 -0000
    > >Received: from lists.securityfocus.com
    > (lists.securityfocus.com [205.206.231.19])
    > > by outgoing3.securityfocus.com (Postfix) with QMQP
    > > id 2014A237F39; Tue, 22 Jun 2004 03:00:50 -0600 (MDT)
    > >Mailing-List: contact
    > security-basics-help@securityfocus.com; run by ezmlm
    > >Precedence: bulk
    > >List-Id: <security-basics.list-id.securityfocus.com>
    > >List-Post: <mailto:security-basics@securityfocus.com>
    > >List-Help: <mailto:security-basics-help@securityfocus.com>
    > >List-Unsubscribe:
    > <mailto:security-basics-unsubscribe@securityfocus.com>
    > >List-Subscribe: <mailto:security-basics-subscribe@securityfocus.com>
    > >Delivered-To: mailing list security-basics@securityfocus.com
    > >Delivered-To: moderator for security-basics@securityfocus.com
    > >Received: (qmail 1849 invoked from network); 19 Jun 2004
    > 00:21:45 -0000
    > >Date: Fri, 18 Jun 2004 15:06:42 -0700
    > >From: Ranjeet Shetye <ranjeet.shetye2@zultys.com>
    > >To: security-basics@securityfocus.com
    > >Subject: Re: Strange pings from 127.0.0.1
    > >Message-ID: <20040618220642.GA17943@ranjeet-pc2.zultys.com>
    > >Mail-Followup-To: security-basics@securityfocus.com
    > >References: <BAY8-F267zD5J47Oksz00087f7d@hotmail.com>
    > >Mime-Version: 1.0
    > >Content-Type: text/plain; charset=us-ascii
    > >Content-Disposition: inline
    > >In-Reply-To: <BAY8-F267zD5J47Oksz00087f7d@hotmail.com>
    > >User-Agent: Mutt/1.5.6i
    > >
    > >
    > >consider a packet of the type
    > >
    > >Eth_DST=Eth_A
    > >Eth_SRC=Eth_B
    > >Eth_Type=IP
    > >IP_Src=127.0.0.1
    > >IP_Dst=IP_D
    > >
    > >On Linux - packets from localhost to a local IP dont make it onto the
    > >network. Assuming the same to be the case on Windows, any
    > target hosts
    > >(IP_D) that you see ICMPs for, are probably NOT the origin
    > of THIS packet.
    > >This might help you narrow the possible sources of the traffic.
    > >
    > >Next, (assuming non-promiscuous mode of operation by the
    > NIC) I fail to
    > >understand how the author of this attack intends to reach
    > his/her targets,
    > >if the dest MAC addresses are fake! I might be missing
    > something obvious,
    > >so if someone can point it out to me, that would be great. thanks.
    > >
    > >Instead of an attack, it might be that you have someone on
    > your network
    > >who is learning socket or libnet programming, and is testing his/her
    > >networking coding skills on the corporate network. That might explain
    > >the non-existant destination MAC addresses - which I admit
    > again, don't
    > >make a lot of sense to me.
    > >
    > >**Unless**, some kind of an ARP-poisoning scheme is being executed,
    > >so that switches are forced to forward all traffic on all
    > ports cos their
    > >internal arp tables are messed up.
    > >
    > >In which case, maybe you need to lock down the arp tables in
    > your managed
    > >switches, if you can.
    > >
    > >I am very curious about this traffic pattern, please let us know the
    > >answer once you've resolved it. thanks,
    > >
    > >--
    > >Ranjeet Shetye
    > >Senior Software Engineer
    > >Zultys Technologies
    > >Ranjeet dot Shetye at Zultys dot com
    > >http://www.zultys.com/
    > >
    > >The views, opinions, and judgements expressed in this
    > message are solely those of
    > >the author. The message contents have not been reviewed or
    > approved by Zultys.
    > >
    > >* Timothy Schwimer (tschwimer@hotmail.com) wrote:
    > >> Not yet. Doesn't sound like you're having the same issue
    > though. Mine is
    > >> all ICMP traffic, all sourced from the loopback, but
    > destined to several
    > >> different host IP's. In addition, the source and dest MAC
    > are always the
    > >> same regardless of the IP's.
    > >> I'm fairly certain that I've got a compromised host, but
    > with the source IP
    > >> being a loopback, I've got no way of deducing which host.
    > >>
    > >>
    > >> >From: Murad Talukdar <talukdar_m@subway.com>
    > >> >To: Tim Schwimer <tschwimer@hotmail.com>,
    > security-basics@securityfocus.com
    > >> >Subject: Re: Strange pings from 127.0.0.1
    > >> >Date: Fri, 18 Jun 2004 09:43:07 +1000
    > >> >
    > >> >I've been getting this on my router logs saying that the
    > tcp got dropped.
    > >> > Source:127.0.0.1, 80, WAN - Destination:210.80.144.150,
    > 1912, LAN -
    > >> >'Suspicious TCP Data'
    > >> >
    > >> >Did you work out what it was with the pings? Not sure if
    > it's similar or
    > >> >not.
    > >> >
    > >> >Murad Talukdar
    > >> >
    > >> >
    > >> >----- Original Message -----
    > >> >From: "Tim Schwimer" <tschwimer@hotmail.com>
    > >> >To: <security-basics@securityfocus.com>
    > >> >Sent: Sunday, June 13, 2004 5:24 PM
    > >> >Subject: Re: Strange pings from 127.0.0.1
    > >> >
    > >> >
    > >> >> In-Reply-To:
    > <GAEPLEDFDDGJLBGAABCNKENBCMAA.gg@stober.mailsnare.net>
    > >> >>
    > >> >> I started seeing the same thing on my DMZ segments this
    > Friday afternoon
    > >> >at about 4:00pm (figures, huh??). Anyway, I was wondering
    > what you found
    > >> >out
    > >> >about this. Any insight would be appreciated.
    > >> >> Thanks,
    > >> >> T
    > >> >> >Received: (qmail 20239 invoked from network); 14 May
    > 2004 15:58:54
    > >> >-0000
    > >> >> >Received: from outgoing.securityfocus.com (HELO
    > >> >outgoing2.securityfocus.com) (205.206.231.26)
    > >> >> > by mail.securityfocus.com with SMTP; 14 May 2004
    > 15:58:54 -0000
    > >> >> >Received: from lists.securityfocus.com (lists.securityfocus.com
    > >> >[205.206.231.19])
    > >> >> > by outgoing2.securityfocus.com (Postfix) with QMQP
    > >> >> > id 4018A1437B0; Fri, 14 May 2004 17:53:53 -0600 (MDT)
    > >> >> >Mailing-List: contact
    > security-basics-help@securityfocus.com; run by
    > >> >ezmlm
    > >> >> >Precedence: bulk
    > >> >> >List-Id: <security-basics.list-id.securityfocus.com>
    > >> >> >List-Post: <mailto:security-basics@securityfocus.com>
    > >> >> >List-Help: <mailto:security-basics-help@securityfocus.com>
    > >> >> >List-Unsubscribe:
    > >> ><mailto:security-basics-unsubscribe@securityfocus.com>
    > >> >> >List-Subscribe:
    > <mailto:security-basics-subscribe@securityfocus.com>
    > >> >> >Delivered-To: mailing list security-basics@securityfocus.com
    > >> >> >Delivered-To: moderator for security-basics@securityfocus.com
    > >> >> >Received: (qmail 13781 invoked from network); 13 May
    > 2004 21:45:06
    > >> >-0000
    > >> >> >From: "Marc" <gg@stober.mailsnare.net>
    > >> >> >To: <security-basics@securityfocus.com>
    > >> >> >Subject: Strange pings from 127.0.0.1
    > >> >> >Date: Thu, 13 May 2004 23:55:35 -0400
    > >> >> >Message-ID:
    > <GAEPLEDFDDGJLBGAABCNKENBCMAA.gg@stober.mailsnare.net>
    > >> >> >MIME-Version: 1.0
    > >> >> >Content-Type: text/plain;
    > >> >> > charset="iso-8859-1"
    > >> >> >Content-Transfer-Encoding: 7bit
    > >> >> >X-Priority: 3 (Normal)
    > >> >> >X-MSMail-Priority: Normal
    > >> >> >X-Mailer: Microsoft Outlook IMO, Build 9.0.6604 (9.0.2911.0)
    > >> >> >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
    > >> >> >Importance: Normal
    > >> >> >
    > >> >> >
    > >> >> >The networked applications I am responsbile for have
    > been performing
    > >> >slowly.
    > >> >> >When I tried to run Ethereal on my computer, I found
    > some odd ICMP echo
    > >> >> >request (ping) packets with a source IP of 127.0.01,
    > to addresses both
    > >> >> >within our 192.168.1.* network as well as to random
    > Internet addresses.
    > >> >The
    > >> >> >source and destination Mac addresses aren't anything I
    > can associate
    > >> >with
    > >> >a
    > >> >> >computer on our network (and they're not the real Mac
    > address of my
    > >> >> >computer), so I think maybe these packets are spoofed?
    > Could this be
    > >> >some
    > >> >> >sort of virus or DOS attack somewhere within our
    > network? I've haven't
    > >> >seen
    > >> >> >anything quite like this mentioned online anywhere.
    > >> >> >
    > >> >> >Thanks, Marc
    > >> >> >
    > >> >> >
    > >> >>
    > >>
    > >>------------------------------------------------------------
    > ---------------
    > >> >> >Ethical Hacking at the InfoSec Institute. Mention this
    > ad and get $545
    > >> >off
    > >> >> >any course! All of our class sizes are guaranteed to
    > be 10 students or
    > >> >less
    > >> >> >to facilitate one-on-one interaction with one of our expert
    > >> >instructors.
    > >> >> >Attend a course taught by an expert instructor with years of
    > >> >in-the-field
    > >> >> >pen testing experience in our state of the art hacking
    > lab. Master the
    > >> >skills
    > >> >> >of an Ethical Hacker to better assess the security of your
    > >> >organization.
    > >> >> >Visit us at:
    > >> >>
    > >http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    > >> >>
    > >>
    > >>------------------------------------------------------------
    > ---------------
    > >> >-
    > >> >> >
    > >> >> >
    > >> >>
    > >> >>
    > >>
    > >-------------------------------------------------------------
    > -------------
    > >> >-
    > >> >> Ethical Hacking at the InfoSec Institute. Mention this
    > ad and get $545
    > >> >off
    > >> >> any course! All of our class sizes are guaranteed to be
    > 10 students or
    > >> >less
    > >> >> to facilitate one-on-one interaction with one of our
    > expert instructors.
    > >> >> Attend a course taught by an expert instructor with years of
    > >> >in-the-field
    > >> >> pen testing experience in our state of the art hacking
    > lab. Master the
    > >> >skills
    > >> >> of an Ethical Hacker to better assess the security of
    > your organization.
    > >> >> Visit us at:
    > >> >>
    > http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    > >> >>
    > >>
    > >-------------------------------------------------------------
    > -------------
    > >> >--
    > >> >>
    > >> >>
    > >> >
    > >> >
    > >>
    > >> _________________________________________________________________
    > >> Watch the online reality show Mixed Messages with a friend
    > and enter to win
    > >> a trip to NY
    > >>
    > http://www.msnmessenger-download.click-url.com/go/onm00200497a
    ve/direct/01/
    >>
    >>
    >> ------------------------------------------------------------------------- 

    --
>> Ethical Hacking at the InfoSec Institute. Mention this ad and get $545
off
>> any course! All of our class sizes are guaranteed to be 10 students or
less
>> to facilitate one-on-one interaction with one of our expert instructors.
>> Attend a course taught by an expert instructor with years of in-the-field
>> pen testing experience in our state of the art hacking lab. Master the
>> skills of an Ethical Hacker to better assess the security of your
>> organization. Visit us at:
>> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
>> -------------------------------------------------------------------------
---
>>
>
>---------------------------------------------------------------------------
>Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
>any course! All of our class sizes are guaranteed to be 10 students or less
>to facilitate one-on-one interaction with one of our expert instruct
---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the
skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------
---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------
  • Next message: Coward, Robert (Contractor): "Re: Disaster Recovery Plan"