[Dshield] New Nimda ?

Dean White dean at achillean.com.au
Thu Jul 11 15:38:57 GMT 2002

Just as a side note, do remember that for PATH MTU discovery one implementation
of the RFC says the remote system can use ICMP ping to determine the MTU size.

IBM AIX 4.3 is an example of a system which uses this to determine MTU size.

Whilst this may not be the case in this circumstance, it is important to 
remember where responses like this are seen.

Dean White
Asia-Pac Incident Co-ordinator
SANS Incidents.org

On Thu, Jul 11, 2002 at 08:16:52AM -0400, Johannes Ullrich wrote:
> Can you post any full packets / web logs so we can see if it is somehow different?
> The 'ping back' is certainly odd, but it could be caused by some load balancing 
> device (hehe.... they try to optimize nimda by sending it through a load balancer)
> On Thu, 11 Jul 2002 15:45:26 +1000
> "Malcolm Joosse" <malcolm at hotlinesupport.com> wrote:
> > Hello All,
> > Thank you to everyone submitting to this list, I have learnt a lot from the brain trust that actively submits to this list.
> > 
> > I am currently being attacked by a site on Port 80. It looks like Nimda and is busy scanning our /22 range, but our firewall is doing its job. The weird thing is that when I pinged the attacking host it instantly replied with 10 ICMP ping packets back to the IP I was pinging from. Is this a new Nimda variant that I have not heard about?
> > I tried from 3 different hosts and each time I got reverse pinged by the attacking host.
> > Very weird.
> > Thanks
> > Malcolm
> -- 
> ---------------------------------------------------------------
> jullrich at sans.org             Collaborative Intrusion Detection
>                                     join http://www.dshield.org
