[Dshield] ICMP increase

Bill McCarty bmccarty at pt-net.net
Tue Aug 19 16:19:54 GMT 2003


Hi all,

I'm seeing the ICMP and web server probes. I've seen more than 200 such 
probes in the last 9 hours. But, I don't see any associated attacks. So 
far, this looks to me like a distributed scanner, rather than a worm.

The web server probe follows:

> GET / HTTP/1.1
> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
> User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
> Host: XXX.XXX.XXX.XXX
> Connection: Keep-Alive

Host IPs and source ports follow:

> 004.047.044.186.02291
> 012.006.145.017.41157
> 012.039.069.066.05592
> 012.064.180.096.02293
> 012.111.050.007.39689
> 012.159.194.073.04471
> 012.164.215.153.01399
> 012.165.137.003.63699
> 012.240.217.126.08584
> 015.252.000.075.04318
> 024.024.058.026.04167
> 024.050.151.038.02009
> 024.052.166.020.03232
> 024.138.026.199.02527
> 024.175.122.009.04229
> 024.194.007.194.04586
> 024.219.087.092.04008
> 024.247.094.140.62965
> 061.034.140.078.04600
> 061.051.208.041.03744
> 061.052.109.209.03596
> 061.053.148.213.03993
> 061.084.008.074.01894
> 061.116.175.148.04442
> 061.130.091.197.01391
> 061.144.187.061.01856
> 061.145.185.030.04949
> 061.151.232.016.02494
> 061.172.017.051.04472
> 061.172.050.034.65116
> 061.177.076.233.04369
> 061.179.013.253.03018
> 061.183.236.110.02681
> 061.186.252.079.61777
> 061.191.252.026.03427
> 061.191.255.151.04538
> 061.248.009.083.04816
> 062.003.039.176.02357
> 062.003.065.192.04382
> 062.053.062.162.41603
> 063.072.211.083.03516
> 063.117.208.211.01256
> 063.137.144.002.28093
> 063.142.112.102.04864
> 063.146.163.069.51878
> 063.227.011.247.03907
> 063.227.147.186.03576
> 063.228.085.117.01025
> 063.237.138.002.15715
> 063.237.138.002.56416
> 064.002.236.140.01090
> 064.021.233.218.37918
> 064.081.203.251.03417
> 064.102.254.033.11583
> 064.170.056.095.46734
> 064.175.106.142.04435
> 065.025.255.033.03261
> 065.083.192.124.04087
> 065.101.212.162.04788
> 065.195.083.005.13011
> 065.196.044.242.01810
> 065.198.157.053.40860
> 065.199.054.254.30939
> 065.205.154.133.48837
> 066.009.152.045.04077
> 066.112.047.124.04164
> 066.146.064.147.01357
> 066.161.236.254.61405
> 066.167.051.065.01343
> 066.167.207.096.04166
> 066.169.206.061.04283
> 066.236.151.083.57073
> 067.034.216.101.04485
> 067.096.150.010.45951
> 067.098.181.098.59182
> 067.114.253.026.04442
> 068.062.075.084.29572
> 068.064.031.236.01208
> 068.098.032.155.04399
> 068.154.013.124.04303
> 068.161.085.096.04715
> 068.161.116.139.04902
> 068.164.106.067.04527
> 068.170.131.127.01635
> 068.171.167.016.03567
> 080.004.075.162.03996
> 080.186.093.247.01178
> 081.152.118.148.02243
> 128.107.141.203.04341
> 129.059.111.040.01512
> 130.212.019.119.03121
> 134.114.007.121.03175
> 141.157.066.075.02678
> 141.158.032.239.01647
> 143.127.131.004.16186
> 144.228.193.162.19098
> 147.175.065.180.02841
> 151.196.047.065.01816
> 157.157.208.237.01659
> 159.226.061.243.01025
> 161.142.100.081.51706
> 162.083.173.143.04489
> 164.106.202.114.03806
> 165.021.154.017.57588
> 165.024.132.118.04501
> 195.155.250.202.02427
> 196.030.110.104.03675
> 198.188.096.002.13521
> 202.075.164.114.01545
> 202.108.168.210.45137
> 202.158.100.022.03036
> 202.224.076.165.62014
> 203.115.013.123.04580
> 203.162.102.169.03483
> 204.032.218.250.53952
> 204.085.194.115.03080
> 204.210.063.005.59815
> 207.065.081.002.63001
> 208.007.171.199.01175
> 208.038.096.131.01984
> 209.036.247.003.60881
> 209.121.019.016.01229
> 209.144.006.055.01258
> 209.150.052.030.02856
> 210.006.183.152.02338
> 210.073.076.221.53452
> 210.110.064.182.01137
> 210.115.121.148.02963
> 210.180.096.012.09388
> 210.182.007.100.02017
> 211.009.044.172.26332
> 211.098.131.144.32964
> 211.110.038.032.03049
> 211.139.095.118.02347
> 211.149.166.071.01765
> 211.161.051.016.02655
> 211.243.075.006.04929
> 213.062.115.003.04191
> 216.124.245.037.03115
> 216.189.136.087.04119
> 216.221.109.190.02377
> 216.250.075.075.03275
> 217.042.054.131.04167
> 217.132.071.061.06582
> 217.132.121.244.03821
> 218.000.027.236.02789
> 218.000.059.164.04603
> 218.000.226.092.04785
> 218.001.071.120.14382
> 218.001.183.006.02622
> 218.008.003.143.03013
> 218.014.030.092.03700
> 218.014.130.230.04423
> 218.015.100.054.04638
> 218.017.172.101.02583
> 218.018.043.216.04967
> 218.018.196.186.01383
> 218.024.028.119.03590
> 218.024.178.248.02864
> 218.026.229.042.46679
> 218.059.024.012.38371
> 218.060.134.162.02685
> 218.066.196.239.01603
> 218.072.026.164.01025
> 218.072.119.065.02960
> 218.074.028.061.01408
> 218.074.043.232.01699
> 218.075.226.096.03147
> 218.079.244.093.03274
> 218.079.247.017.03401
> 218.091.242.190.02872
> 218.093.048.020.03697
> 218.109.041.189.03454
> 218.109.064.138.01981
> 218.109.064.240.03512
> 218.109.112.136.04064
> 218.144.230.037.04651
> 218.145.025.014.19944
> 218.145.025.016.32783
> 218.145.025.046.28228
> 218.145.025.080.64611
> 218.146.207.022.04536
> 218.147.116.241.01175
> 218.150.211.254.03320
> 218.224.133.076.02894
> 218.241.088.027.04203
> 219.062.068.088.01934
> 219.095.163.131.51013
> 219.130.131.130.03443
> 219.159.028.112.04239
> 219.159.039.043.04267
> 219.166.060.104.01630
> 220.073.165.218.27812
> 220.105.249.125.02510
> 220.109.031.223.04520
> 220.114.069.095.03729
> 220.145.086.236.04045
> 220.184.070.045.01616
> 220.188.020.064.02650
> 221.113.199.088.04893

Cheers,

--On Monday, August 18, 2003 10:05 AM -0400 George Theall 
<theall at tifaware.com> wrote:

> On Mon, Aug 18, 2003 at 10:47:04PM +1000, Luke Matchett wrote:
>
>> About 24 hours ago my snort logs began recording the following message
>> "ICMP PING CyberKit 2.2 Windows" .

> Following these, I am seeing connections to web servers with requests for
> the default homepages.  Eg,

> I wonder if there's a new worm targeting web servers.

---------------------------------------------------
Bill McCarty
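The question the thread is circling (distributed scanner or worm?) turns on how many distinct sources are involved and whether each one hits only once. The following is an added example, not code from the post or the DShield project: it parses records in the zero-padded "octet.octet.octet.octet.port" form used above, normalizes them to a plain IPv4 address and port, summarizes distinct sources per first octet, and checks whether a captured HTTP request matches the default-homepage probe quoted in the post. The sample records and request text are constructed (RFC 5737 documentation addresses), and the 1025-5000 "Windows ephemeral port" range is a heuristic assumption, not something the post states.

```python
"""Summarize probe records in the zero-padded "IP.port" form and match the quoted probe."""
import ipaddress
import re
from collections import Counter

# Record format as seen in the post: four three-digit octets and a five-digit port.
RECORD_RE = re.compile(r"^(\d{3})\.(\d{3})\.(\d{3})\.(\d{3})\.(\d{5})$")

# Request line and User-Agent of the default-homepage probe quoted in the post.
PROBE_REQUEST_LINE = "GET / HTTP/1.1"
PROBE_USER_AGENT = "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"

# Assumed heuristic: default ephemeral port range of Windows releases of that era.
WINDOWS_EPHEMERAL = range(1025, 5001)

# Constructed sample records (documentation addresses), in the post's format.
SAMPLE_RECORDS = [
    "> 192.000.002.010.01025",
    "> 198.051.100.007.04167",
    "> 203.000.113.009.03232",
    "> 192.000.002.010.04099",
    "> 198.051.100.200.41157",
]

# Constructed request text in the shape of the probe quoted in the post.
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)\r\n"
    "Host: 192.0.2.1\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)


def parse_record(line):
    """Return (ip, port) from a record such as '004.047.044.186.02291'.

    A leading '>' quote marker is tolerated. Leading zeros are stripped so the
    result is a normal dotted quad and an integer port; malformed or
    out-of-range records raise ValueError instead of being silently counted.
    """
    text = line.strip()
    if text.startswith(">"):
        text = text[1:].strip()
    m = RECORD_RE.match(text)
    if not m:
        raise ValueError("malformed record: %r" % line)
    octets = [int(x) for x in m.groups()[:4]]
    port = int(m.group(5))
    if any(o > 255 for o in octets) or not 1 <= port <= 65535:
        raise ValueError("out-of-range value in record: %r" % line)
    ip = str(ipaddress.IPv4Address(".".join(str(o) for o in octets)))
    return ip, port


def summarize(records):
    """Aggregate records: many distinct sources hitting once points to a scan from
    many hosts; a few sources hitting repeatedly looks different."""
    parsed = [parse_record(r) for r in records]
    sources = Counter(ip for ip, _ in parsed)
    by_first_octet = Counter(ip.split(".")[0] for ip, _ in parsed)
    ephemeral = sum(1 for _, port in parsed if port in WINDOWS_EPHEMERAL)
    return {
        "total": len(parsed),
        "distinct_sources": len(sources),
        "max_hits_per_source": max(sources.values()) if sources else 0,
        "by_first_octet": dict(by_first_octet),
        "windows_ephemeral_ports": ephemeral,
    }


def is_default_homepage_probe(request_text):
    """True when the request line and User-Agent match the probe quoted in the post."""
    lines = request_text.replace("\r\n", "\n").split("\n")
    if not lines or lines[0].strip() != PROBE_REQUEST_LINE:
        return False
    headers = {}
    for raw in lines[1:]:
        if not raw.strip():
            break  # end of the header block
        name, sep, value = raw.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers.get("user-agent") == PROBE_USER_AGENT


if __name__ == "__main__":
    print(summarize(SAMPLE_RECORDS))
    print(is_default_homepage_probe(SAMPLE_REQUEST))
```

Feeding the list from the post into `summarize` (after stripping the quote markers, which `parse_record` also does) gives the distinct-source count and the spread across first octets; a high distinct-source count with one hit each is what the "distributed scanner" reading above rests on, whereas repeated hits from the same sources would argue the other way.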



