[Dshield] ICMP increase

George Theall theall at tifaware.com
Mon Aug 18 14:05:30 GMT 2003


On Mon, Aug 18, 2003 at 10:47:04PM +1000, Luke Matchett wrote:

> About 24 hours ago my snort logs began recording the following message 
> "ICMP PING CyberKit 2.2 Windows" . 

Following these, I am seeing connections to web servers with requests for
the default homepages.  Eg,

in Snort log:
Aug 18 09:47:08 badger snort: [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {ICMP} 218.14.112.59 -> xxx.xxx.xxx.xxx

in apache log:
218.14.112.59 - - [18/Aug/2003:09:47:12 -0400] "GET / HTTP/1.1" 200 4551 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"

It started here yesterday at 10 pm EDT, and many but by no means all of
the hosts seem to be from APNIC. 

I wonder if there's a new worm targetting web servers.


George
-- 
theall at tifaware.com




More information about the list mailing list