[Dshield] Is this SoBig.F fallout?

Doug White doug at clickdoug.com
Sun Aug 24 13:21:56 GMT 2003


Same here - interestingly, most of the other scans have stopped almost dead,
except for the port 135 and the tremendous number of pings.

======================================
Stop spam on your domain, use our gateway!
For hosting solutions http://www.clickdoug.com
ISP rated: http://www.forta.com/cf/isp/isp.cfm?isp_id=772
Suggested corporate Anti-virus policy: http://www.dshield.org/antivirus.pdf
======================================
If you are not satisfied with my service, my job isn't done!

----- Original Message ----- 
From: "Ronnie & Stacy Clark" <rsclark at kingwoodcable.net>
To: "General DShield Discussion List" <list at dshield.org>
Sent: Sunday, August 24, 2003 12:16 AM
Subject: [Dshield] Is this SoBig.F fallout?


| Hello all,
|
| I am seeing a TON of these types of packets hitting my home network.
| Snort calls them "ICMP PING Cyberkit 2.2 Windows". Is this fallout from
| SoBig.F? MS Blaster?
|
| Thanks,
| Ron Clark
|
| 00:06:06.974552 24.209.25.214 > aaa.bbb.ccc.xxx: icmp: echo request
| 0x0000   4500 005c 719e 0000 6e01 0699 18d1 19d6        E..\q...n.......
| 0x0010   aabb ccxx 0800 3524 0200 6b86 aaaa aaaa        ......5$..k.....
| 0x0020   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa        ................
| 0x0030   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa        ................
| 0x0040   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa        ................
| 0x0050   aaaa aaaa aaaa aaaa aaaa aaaa                  ............
| 00:06:14.215425 24.206.136.95 > aaa.bbb.ccc.xxx: icmp: echo request
| 0x0000   4500 005c d0eb 0000 7f01 27c5 18ce 885f        E..\......'...._
| 0x0010   aabb ccxx 0800 6014 0200 4096 aaaa aaaa        ......`...@.....
| 0x0020   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa        ................
| 0x0030   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa        ................
| 0x0040   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa        ................
| 0x0050   aaaa aaaa aaaa aaaa aaaa aaaa                  ............
| 00:06:27.463144 24.205.143.188 > aaa.bbb.ccc.xxx: icmp: echo request
| 0x0000   4500 005c 862b 0000 7001 7a29 18cd 8fbc        E..\.+..p.z)....
| 0x0010   aabb ccxx 0800 c441 0200 dc68 aaaa aaaa        .......A...h....
| 0x0020   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa        ................
| 0x0030   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa        ................
| 0x0040   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa        ................
| 0x0050   aaaa aaaa aaaa aaaa aaaa aaaa                  ............
| 00:06:35.421941 24.203.77.45 > aaa.bbb.ccc.xxx: icmp: echo request
| 0x0000   4500 005c 8db7 0000 6e01 b72e 18cb 4d2d        E..\....n.....M-
| 0x0010   aabb ccxx 0800 3162 0300 6e48 aaaa aaaa        ......1b..nH....
| 0x0020   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa        ................
| 0x0030   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa        ................
| 0x0040   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa        ................
| 0x0050   aaaa aaaa aaaa aaaa aaaa aaaa                  ............
| 00:06:41.573507 24.209.37.17 > aaa.bbb.ccc.xxx: icmp: echo request
| 0x0000   4500 005c 5a5c 0000 6e01 12a0 18d1 2511        E..\Z\..n.....%.
| 0x0010   aabb ccxx 0800 c1d9 0200 ded0 aaaa aaaa        ................
| 0x0020   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa        ................
| 0x0030   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa        ................
| 0x0040   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa        ................
| 0x0050   aaaa aaaa aaaa aaaa aaaa aaaa                  ............
|
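An added example, not part of either message: a short Python decoder for the first packet in the quoted capture. It checks the pattern all five packets share (ICMP echo request carrying 64 bytes of 0xaa) and verifies the ICMP checksum. The function names are hypothetical, and treating the poster's masked "xx" byte as 0 is an assumption; the IP header checksum is not checked because the destination address is masked.

```python
import re

# First packet from the quoted tcpdump capture (destination masked by the poster).
SAMPLE = r"""
0x0000   4500 005c 719e 0000 6e01 0699 18d1 19d6        E..\q...n.......
0x0010   aabb ccxx 0800 3524 0200 6b86 aaaa aaaa        ......5$..k.....
0x0020   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa        ................
0x0030   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa        ................
0x0040   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa        ................
0x0050   aaaa aaaa aaaa aaaa aaaa aaaa                  ............
"""

def hexdump_to_bytes(text):
    """Rebuild packet bytes from hex-dump lines; masked 'xx' bytes become 0 (assumption)."""
    out = bytearray()
    for line in text.splitlines():
        # Offset, then hex groups separated by single spaces; the ASCII column is skipped.
        m = re.match(r"[|\s]*0x[0-9a-f]{4}\s+((?:[0-9a-fx]{2,4} ?)+)", line, re.I)
        if not m:
            continue
        digits = m.group(1).replace(" ", "")
        for i in range(0, len(digits) - 1, 2):
            pair = digits[i:i + 2].lower()
            out.append(0 if "x" in pair else int(pair, 16))
    return bytes(out)

def internet_checksum(data):
    """RFC 1071 one's-complement sum; returns 0 when the embedded checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def decode_icmp(pkt):
    """Pull out the IPv4 and ICMP fields visible in the capture."""
    ihl = (pkt[0] & 0x0F) * 4                       # IP header length in bytes
    icmp = pkt[ihl:int.from_bytes(pkt[2:4], "big")]  # bounded by IP total length
    return {"src": ".".join(str(b) for b in pkt[12:16]),
            "ttl": pkt[8], "proto": pkt[9],
            "type": icmp[0], "code": icmp[1],
            "payload": icmp[8:],
            "checksum_ok": internet_checksum(icmp) == 0}

def is_aa_filled_echo(f):
    """True for the pattern in the post: echo request with a 64-byte 0xaa payload."""
    return (f["proto"] == 1 and f["type"] == 8 and f["code"] == 0
            and f["payload"] == b"\xaa" * 64)
```

The parser also accepts lines that still carry the "| " quote prefix, so the capture can be pasted in as it appears in the quoted post.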