Re: ICMP - What the hell are these log files telling me.....

From: Gary Brett (globalg2001_at_yahoo.co.uk)
Date: 10/31/03


Date: 31 Oct 2003 02:02:26 -0800

Thanx for the response.
Will check the suggestion out. Is it a good idea to turn off logging
of ICMP on the SonicWALL, to reduce the log files do you think?

Also after I wrote the original message I discovered I had a "Sockets
De Trois V1" trojan on all my LAN XP Pro machines. I have since closed
port 5000 on the Firewall and have disabled "SSDP Discovery Service"
in WinXP Services. This seems to have stopped the Trojan, but do you
know how it entered the LAN and what it actually does when inside?

Again thanx for your time..

Gary

> The worm Welchia does ping scans (ICMP type 8) before trying
> to infect foreign hosts.
>
> There are surely lots of these, and manual scans too.
>
> I get 250 hits per day for this worm.
>
> You may confirm this by sniffing packets & looking at the ping payload,
> Welchia sends 64 bytes of 'a' char.
>
> ref :
> http://securityresponse.symantec.com/avcenter/venc/data/detecting.traffic.due.to.rpc.worms.html
>
> Ciao
>
> ---------------------------------------------------------------
> Maxime Ducharme
> Administrateur reseau, Programmeur
>
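
The payload check suggested in the quoted reply, as an added example that is not part of the original thread: it parses raw IPv4 packets, keeps ICMP type 8 echo requests, and flags those whose payload is exactly 64 identical fill bytes, counting hits per source. The function names and sample addresses are constructed for illustration, and accepting 0xAA alongside ASCII 'a' is an assumption.

```python
import struct

# 0x61 is ASCII 'a', as the quoted reply words it. 0xAA is an assumption
# added here for captures where the fill byte is displayed in hex.
FILL_BYTES = (0x61, 0xAA)
PAYLOAD_LEN = 64

def parse_echo_request(packet):
    """Return (src_ip, payload) for an IPv4 ICMP echo request, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len, frag = struct.unpack("!H2xH", packet[2:8])
    if ihl < 20 or packet[9] != 1 or frag & 0x1FFF:
        return None  # bad header, not ICMP, or a non-first fragment
    if total_len > len(packet) or total_len < ihl + 8:
        return None  # truncated capture or no room for an ICMP header
    icmp = packet[ihl:total_len]
    if icmp[0] != 8 or icmp[1] != 0:
        return None  # not an echo request
    return ".".join(str(b) for b in packet[12:16]), icmp[8:]

def looks_like_worm_ping(packet):
    """True when the echo payload is 64 copies of one suspicious fill byte."""
    parsed = parse_echo_request(packet)
    if parsed is None:
        return False
    payload = parsed[1]
    return (len(payload) == PAYLOAD_LEN and payload[0] in FILL_BYTES
            and payload == bytes([payload[0]]) * PAYLOAD_LEN)

def count_by_source(packets):
    """Tally matching pings per source address, for comparison with firewall logs."""
    hits = {}
    for pkt in packets:
        if looks_like_worm_ping(pkt):
            src = parse_echo_request(pkt)[0]
            hits[src] = hits.get(src, 0) + 1
    return hits

def build_echo_request(src, dst, payload):
    """Build a constructed sample packet (checksums left at zero, not verified)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 128, 1, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + icmp

SAMPLES = [  # constructed traffic using documentation address ranges
    build_echo_request("192.0.2.10", "198.51.100.5", b"a" * 64),
    build_echo_request("192.0.2.10", "198.51.100.6", b"\xaa" * 64),
    build_echo_request("192.0.2.20", "198.51.100.5", b"abcdefghijklmnopqrstuvwabcdefghi"),
    build_echo_request("192.0.2.30", "198.51.100.5", b"a" * 56),
]
```

The third sample carries the 32-byte alphabet payload of the stock Windows ping, so ordinary pings and short uniform payloads are not counted.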
