[Dshield] FW: [TSRadar] Blip: ICMP and Port TCP/135

Jose Vicente Nunez Z josevnz at newbreak.com
Mon Aug 18 15:38:10 GMT 2003


We are getting a lot of hits too. This is a sample of the SNMP Snort
alerts we are getting:

Info:          ICMP PING CyberKit 2.2 Windows
Reference:     
Offender:      216.157.236.6
Affected:      XXXXXXXXXXXXX
Impact:        1
Reporter:      ZZZZZZZZZZZZZ
Time sent:     Monday, August 18, 2003 10:53:20 AM EDT
Severity:      Indeterminate

Impact legend:
1 - unknown
2 - badUnknown
3 - notSuspicious
4 - attemptedAdmin
5 - successfulAdmin
6 - attemptedDos
7 - successfulDos
8 - attemptedRecon
9 - successfulReconLimited
10 - successfulReconLargescale
11 - attemptedUser
12 - successfulUser

On Mon, 2003-08-18 at 10:44, Wayne Beckham wrote:
> Trusecure has an alert out concerning the recent surge in ICMP probes.
> 
> - Wayne
> 
> -----Original Message-----
> From: "Kennedy, David" <dkennedy at trusecure.com> 
> Sent: Monday, August 18, 2003 7:37 AM
> To: TSRadar at postal.trusecure.com
> Subject: [TSRadar] Blip: ICMP and Port TCP/135
> 
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> _______________________________________________________________
> PROBLEM:     Apparent surge in ICMP probes, possibly in conjunction
> with port TCP/135 probes.
> PLATFORM:  Port TCP/135 traffic targeting Windows hosts w/DCOM
> DAMAGE:    Unknown
> SOLUTION:   Log and, if possible, alert on surges in either probes.
> _______________________________________________________________
> VULNERABILITY
> ASSESSMENT:   Undetermined for ICMP, Port TCP/135 is Red Hot due to
> W32/Lovesan
> _______________________________________________________________
> 
> TruSecure is monitoring from multiple sources, including customers, a surge
> in ICMP and TCP/135 traffic.  The "most benign" explanation is "destination
> unreachable" messages from hosts trying to DoS "windowsupdate.com" due to
> Lovesan infections, and Lovesan-infected hosts scanning on TCP/135 as they
> are powered up on Monday morning.
> 
> The "most malignant" explanation is that there is a new RPC/DCOM worm out there
> that scans with ICMP and attempts TCP/135 exploits afterwards.
> Continuing the "worst case scenario" is the addition of NT4 w/DCOM hosts to
> the infectable/infected population.
> 
> We do not have packet captures of either type of probe, but if you see this
> traffic increasing and can capture packets, please send us some samples.  We
> do not know the TYPE/CODE combination(s) used for the ICMP traffic.  One
> open source indicates 218/8 may be the source of much of the early ICMP
> traffic.
> 
> One document available on the Internet explaining some of the good vs bad
> issues with ICMP is at: 
> http://www.cymru.com/Documents/icmp-messages.html
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 7.0
> Comment: Hacker=Cybercriminal The definition changed get over it.
> 
> iQCVAwUBP0DkePGfiIQsciJtAQHybQQA0KAANY1VARXtWUF44/XS5iE5zJ/R+/Tv
> 3++nO1xRAyLYpy2bsSdnvoljkgTwgSLXjQQa3LogNMG+k7cmmV5dC81au8xOeppf
> 7kua0BdMMsZQqsWW8p8j4AUrLQJFRqMcrUc31NIXO09Q+Ukn2F0TGxdnteJpV9lU
> p4weU+SXdmQ=
> =hARr
> -----END PGP SIGNATURE-----
-- 
Jose Vicente Nunez Zuleta (josevnz at newbreak dot com)
Newbreak LLC System Administrator
http://www.newbreak.com
RHCE, SCJD, SCJP
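The TruSecure alert quoted above asks for two things that a firewall log already contains: a surge alarm on ICMP and TCP/135 probes, and the ICMP TYPE/CODE combinations (plus a rough idea of which /8 the traffic comes from). The script below is an added example for this thread, not code from the original message, from TruSecure or from Newbreak; it assumes a Linux netfilter LOG rule that tags dropped inbound packets with a "PROBE " prefix and treats one minute as the surge window. The log lines in it are constructed for the demo, not captures.

```python
"""Surge detection for ICMP and TCP/135 probes in netfilter-style firewall logs.
Added example, not code from the original thread. Assumes netfilter LOG output
with a "PROBE " prefix and a one-minute surge window; sample lines are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: three quiet minutes, then a burst of echo requests and
# TCP/135 SYNs, many of them from 218/8 (the /8 the alert names as a suspect).
SAMPLE_LOG = """\
Aug 18 10:50:01 fw kernel: PROBE IN=eth0 OUT= SRC=218.5.1.2 DST=10.0.0.5 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Aug 18 10:50:30 fw kernel: PROBE IN=eth0 OUT= SRC=192.0.2.9 DST=10.0.0.5 PROTO=TCP SPT=3001 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 18 10:51:10 fw kernel: PROBE IN=eth0 OUT= SRC=218.7.3.4 DST=10.0.0.6 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=2
Aug 18 10:51:45 fw kernel: PROBE IN=eth0 OUT= SRC=192.0.2.9 DST=10.0.0.5 PROTO=TCP SPT=3002 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 18 10:52:05 fw kernel: PROBE IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 PROTO=ICMP TYPE=3 CODE=3 [SRC=10.0.0.5 DST=198.51.100.7 PROTO=UDP SPT=53 DPT=40000 LEN=40 ]
Aug 18 10:52:50 fw kernel: PROBE IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP SPT=135 DPT=40001 WINDOW=16384 RES=0x00 ACK URGP=0
Aug 18 10:53:20 fw kernel: PROBE IN=eth0 OUT= SRC=218.9.8.7 DST=10.0.0.5 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=3
Aug 18 10:53:21 fw kernel: PROBE IN=eth0 OUT= SRC=218.10.1.1 DST=10.0.0.5 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=4
Aug 18 10:53:22 fw kernel: PROBE IN=eth0 OUT= SRC=218.11.2.2 DST=10.0.0.6 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=5
Aug 18 10:53:24 fw kernel: PROBE IN=eth0 OUT= SRC=218.12.3.3 DST=10.0.0.5 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=6
Aug 18 10:53:27 fw kernel: PROBE IN=eth0 OUT= SRC=203.0.113.40 DST=10.0.0.5 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=7
Aug 18 10:53:29 fw kernel: PROBE IN=eth0 OUT= SRC=218.13.4.4 DST=10.0.0.7 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=8
Aug 18 10:53:30 fw kernel: PROBE IN=eth0 OUT= SRC=218.9.8.7 DST=10.0.0.5 PROTO=TCP SPT=1044 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 18 10:53:31 fw kernel: PROBE IN=eth0 OUT= SRC=218.10.1.1 DST=10.0.0.5 PROTO=TCP SPT=1091 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 18 10:53:33 fw kernel: PROBE IN=eth0 OUT= SRC=218.11.2.2 DST=10.0.0.6 PROTO=TCP SPT=1102 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 18 10:53:35 fw kernel: PROBE IN=eth0 OUT= SRC=203.0.113.40 DST=10.0.0.5 PROTO=TCP SPT=1200 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 18 10:53:36 fw kernel: PROBE IN=eth0 OUT= SRC=192.0.2.55 DST=10.0.0.5 PROTO=TCP SPT=1377 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: PROBE (?P<fields>.*)$")


def parse_line(line, year=2003):
    """Return {"ts", "src", "kind"} for an ICMP or TCP/135 SYN probe, else None.
    kind is "icmp/<TYPE>/<CODE>" or "tcp/135-syn"; everything else is ignored."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # netfilter appends the quoted inner packet of an ICMP error in [...]; drop it
    # so its SRC=/DST= fields cannot overwrite the outer header's values.
    body = m.group("fields").split("[", 1)[0]
    fields, flags = {}, set()
    for tok in body.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val
        else:
            flags.add(tok)            # bare TCP flag tokens such as SYN, ACK
    proto = fields.get("PROTO")
    if proto == "ICMP":
        kind = f"icmp/{fields.get('TYPE')}/{fields.get('CODE')}"
    elif proto == "TCP" and fields.get("DPT") == "135" and "SYN" in flags:
        kind = "tcp/135-syn"
    else:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": fields.get("SRC", ""), "kind": kind}


def parse_log(text, year=2003):
    return [r for r in (parse_line(l, year) for l in text.splitlines()) if r]


def bucket_per_minute(records):
    """{"icmp" | "tcp135": Counter{minute -> packet count}}."""
    buckets = defaultdict(Counter)
    for r in records:
        family = "icmp" if r["kind"].startswith("icmp/") else "tcp135"
        buckets[family][r["ts"].replace(second=0)] += 1
    return buckets


def detect_surges(buckets, factor=3.0, min_count=5):
    """Flag a family whose latest minute holds >= factor x its mean over the
    preceding minutes (empty minutes count as zero) and >= min_count packets;
    min_count stops a 1 -> 3 packet blip from paging anyone."""
    alerts = {}
    for family, per_min in buckets.items():
        first, latest = min(per_min), max(per_min)
        n_prior = int((latest - first).total_seconds() // 60)
        if n_prior == 0:
            continue                  # nothing to compare against yet
        baseline = sum(c for m, c in per_min.items() if m != latest) / n_prior
        current = per_min[latest]
        if current >= min_count and current >= factor * max(baseline, 1.0):
            alerts[family] = {"minute": latest, "count": current, "baseline": baseline}
    return alerts


def icmp_type_code_tally(records):
    """Which TYPE/CODE combinations make up the ICMP traffic (what the alert asks for)."""
    return Counter(r["kind"] for r in records if r["kind"].startswith("icmp/"))


def source_slash8_tally(records):
    """Rough attribution by /8, enough to confirm or refute a '218/8' hunch."""
    return Counter(r["src"].split(".", 1)[0] + "/8" for r in records)


def analyze(text, year=2003):
    records = parse_log(text, year)
    return {"records": records,
            "surges": detect_surges(bucket_per_minute(records)),
            "icmp_type_code": icmp_type_code_tally(records),
            "sources": source_slash8_tally(records)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for family, a in report["surges"].items():
        print(f"SURGE {family}: {a['count']} pkts at {a['minute']:%H:%M}, baseline {a['baseline']:.2f}/min")
    print("ICMP type/code:", dict(report["icmp_type_code"]))
    print("by /8:", report["sources"].most_common(3))
```

Feed it real syslog with `python3 surge.py < /var/log/messages`-style plumbing once the `PROBE` prefix matches your LOG rule, and widen the window or raise `factor` on a busy perimeter. The TYPE/CODE tally is the piece worth sending upstream: type 8 (echo request) from many sources looks like scanning, while a pile of type 3 (destination unreachable) is the "most benign" backscatter the alert describes, and this code keeps them apart instead of counting "ICMP".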