Re: ICMP - What the hell are these log files telling me.....

From: Maxime Ducharme (maxime_at_pandore-designSPAMISBAD.com)
Date: 10/30/03


Date: Thu, 30 Oct 2003 10:25:47 -0500

The Welchia worm does ping scans (ICMP type 8) before trying
to infect foreign hosts.

There are surely lots of these, and manual scans too.

I get 250 hits per day for this worm.

You may confirm this by sniffing packets & looking at the ping payload,
Welchia sends 64 bytes of 'a' char.

ref :
http://securityresponse.symantec.com/avcenter/venc/data/detecting.traffic.due.to.rpc.worms.html

Ciao

---------------------------------------------------------------
  Maxime Ducharme
  Administrateur reseau, Programmeur

"Gary Brett" <globalg2001@yahoo.co.uk> wrote in message
news:5b221b4d.0310300542.3dd99896@posting.google.com...
> Hi.
> After reading many of the responses on newsgroups I cannot define
> exactly what is happening inside my SonicWALL SOHO3. I am getting
> around 400 of these messages a day and my log file is huge. The message
> is as follows:
> 10/30/2003 09:50:52.608 ICMP packet dropped
> Source - 217.205.240.222, 8, WAN
> Destination - 216.215.176.33, WAN Ping,
> Code: 0 Rule - 8
> Rule 8 on the SW is to "Deny anything from WAN to LAN" and
> 216.215.176.33 is my SW public IP address. This firewall is at the end
> of a 2MB leased line and sits in front of my LAN but behind a Cisco
> router installed by the leased line providers.
>
> Any help appreciated & thanx for your time
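
The payload check suggested in the reply, as an added example that is not part of the original thread: it takes the ICMP portion of a sniffed packet, verifies the checksum, and flags echo requests (type 8, code 0) whose payload is 64 copies of a single byte. The function names and sample packets are constructed for illustration, and the fill byte is reported rather than hard-coded so the result can be compared with the capture and the Symantec reference.

```python
import struct

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; returns 0 over a message with a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, payload: bytes, ident: int = 1, seq: int = 1) -> bytes:
    """Build a constructed ICMP echo-style message (test input only)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def classify_icmp(message: bytes, fill_len: int = 64) -> str:
    """Classify one ICMP message (the bytes following the IP header)."""
    if len(message) < 8:
        return "truncated"
    if icmp_checksum(message) != 0:
        return "bad-checksum"
    if (message[0], message[1]) != (8, 0):
        return "not-echo-request"
    payload = message[8:]
    # Uniform fill: exactly fill_len bytes, all with the same value.
    if len(payload) == fill_len and len(set(payload)) == 1:
        return f"uniform-fill:0x{payload[0]:02x}"
    return "echo-request"

# Constructed samples: the pattern described in the reply, a ping with a
# varied 32-byte payload, and an echo reply (type 0).
SAMPLES = {
    "pattern from the reply": build_icmp(8, b"a" * 64),
    "varied 32-byte ping": build_icmp(8, b"abcdefghijklmnopqrstuvwabcdefghi"),
    "echo reply": build_icmp(0, b"a" * 64),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:24s} -> {classify_icmp(msg)}")
```

A firewall that drops the packet, as the SonicWALL in the question does, logs only the type and code, so the payload has to come from a capture taken in front of it.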


