[Dshield] Weird nachi-like traffic

tim0707@comcast.net tim0707 at comcast.net
Tue Dec 23 14:07:16 GMT 2003


Ok, here is one for you...

We've been picking up this weird Nachi-like traffic lately. We were infected and still see some legitimate Nachi traffic, but this is weird. The only traffic I am seeing from this host is a couple of ICMP echo requests every few hours with the aa aa aa aa in the payload. Check out the logs. What do you think it is? Our network is large and spread out, so I can't physically get to the machine. I called the site's network people and they can't find the machine with the IP address or the MAC. I can't ping it or anything like that. So, all I have are these logs...

Thanks in advance,

Tim Kroeger

-----------------------

00:52:08.979401 0:0:a2:f8:5c:80 8:0:20:c7:2:b6 ip 106: x.x.216.53 > x.x.205.156: icmp: echo request (ttl 126, id 61165, len 92)
0x0000   4500 005c eeed 0000 7e01 5e31 a4d6 d835        E..\....~.^1...5
0x0010   a4d9 cd9c 0800 4a23 0200 5687 aaaa aaaa        ......J#..V.....
0x0020   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa        ................
0x0030   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa        ................
0x0040   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa        ................
0x0050   aaaa aaaa aaaa aaaa aaaa aaaa                  ............
02:13:56.971232 0:0:a2:f8:5c:80 8:0:20:c8:3b:83 ip 106: x.x.216.53 > 211.98.139.115: icmp: echo request (ttl 126, id 18822, len 92)
0x0000   4500 005c 4986 0000 7e01 1739 a4d6 d835        E..\I...~..9...5
0x0010   d362 8b73 0800 3166 0200 6f44 aaaa aaaa        .b.s..1f..oD....
0x0020   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa        ................
0x0030   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa        ................
0x0040   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa        ................
0x0050   aaaa aaaa aaaa aaaa aaaa aaaa                  ............
02:19:57.170062 0:0:a2:f8:5c:80 8:0:20:c8:33:d2 ip 106: x.x.216.53 > 210.103.97.67: icmp: echo request (ttl 126, id 10049, len 92)
0x0000   4500 005c 2741 0000 7e01 64a9 a4d6 d835        E..\'A..~.d....5
0x0010   d267 6143 0800 f0f1 0200 afb8 aaaa aaaa        .gaC............
0x0020   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa        ................
0x0030   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa        ................
0x0040   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa        ................
0x0050   aaaa aaaa aaaa aaaa aaaa aaaa                  ............
02:25:55.119213 0:0:a2:f8:5c:80 8:0:20:c8:33:d2 ip 106: x.x.216.53 > 63.151.64.123: icmp: echo request (ttl 126, id 9449, len 92)
0x0000   4500 005c 24e9 0000 7e01 1a9a a4d6 d835        E..\$...~......5
0x0010   3f97 407b 0800 4f66 0200 5144 aaaa aaaa        ?.@{..Of..QD....
0x0020   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa        ................
0x0030   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa        ................
0x0040   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa        ................
0x0050   aaaa aaaa aaaa aaaa aaaa aaaa                  ............
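A defender-side check for dumps like the ones above, added here as an example (it is not part of the original post or of any DShield tooling): it rebuilds the IP datagrams from the tcpdump summary line and hex rows, flags ICMP echo requests whose payload is exactly 64 bytes of 0xaa (the 92-byte datagrams seen here), and verifies the IP and ICMP checksums so a garbled capture is not mistaken for the real thing. The sample input embeds the first packet from the post plus a constructed ordinary ping; the regexes assume tcpdump's single-space hex words and a wider gap before the ASCII column.

```python
import re
# Summary line as in the post: "<time> <mac> <mac> ip <len>: <src> > <dst>: icmp: ..."
SUMMARY_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+ .* ip \d+: (\S+) > (\S+): icmp:")
# Hex row: offset, then 4-hex-digit words one space apart; the ASCII column is set off by 2+ spaces.
HEX_ROW_RE = re.compile(r"^0x[0-9a-f]{4}:?\s+((?:[0-9a-f]{4}(?: |$))+)")

def parse_dump(text):
    """Rebuild [src, dst, raw IP datagram] triples from summary lines plus their hex rows."""
    pkts = []
    for line in text.splitlines():
        s, h = SUMMARY_RE.match(line), HEX_ROW_RE.match(line)
        if s:
            pkts.append([s.group(1), s.group(2), b""])
        elif h and pkts:
            pkts[-1][2] += bytes.fromhex(h.group(1).replace(" ", ""))
    return pkts

def inet_checksum(data):
    """RFC 1071 one's-complement sum; 0 when run over data whose embedded checksum is intact."""
    total = sum(int.from_bytes(data[i:i + 2].ljust(2, b"\0"), "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def classify(pkt):
    """Finding for an IPv4 ICMP echo request carrying exactly 64 bytes of 0xaa, else None."""
    src, dst, raw = pkt
    if len(raw) < 28 or raw[0] >> 4 != 4 or raw[9] != 1:  # need IPv4 with protocol 1 (ICMP)
        return None
    ihl, total_len = (raw[0] & 0x0F) * 4, int.from_bytes(raw[2:4], "big")
    icmp = raw[ihl:total_len]
    if len(icmp) < 8 or icmp[0] != 8 or icmp[8:] != b"\xaa" * 64:  # type 8 = echo request
        return None
    return {"src": src, "dst": dst, "ttl": raw[8], "ip_id": int.from_bytes(raw[4:6], "big"),
            "ip_csum_ok": inet_checksum(raw[:ihl]) == 0, "icmp_csum_ok": inet_checksum(icmp) == 0}

# Constructed sample: the first packet quoted in the post, then a made-up ordinary 8-byte ping
SAMPLE = """\
00:52:08.979401 0:0:a2:f8:5c:80 8:0:20:c7:2:b6 ip 106: x.x.216.53 > x.x.205.156: icmp: echo request (ttl 126, id 61165, len 92)
0x0000   4500 005c eeed 0000 7e01 5e31 a4d6 d835        E..\\....~.^1...5
0x0010   a4d9 cd9c 0800 4a23 0200 5687 aaaa aaaa        ......J#..V.....
0x0020   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa        ................
0x0030   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa        ................
0x0040   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa        ................
0x0050   aaaa aaaa aaaa aaaa aaaa aaaa                  ............
00:53:00.000000 0:0:a2:f8:5c:80 8:0:20:c7:2:b6 ip 50: 192.168.1.1 > 192.168.1.2: icmp: echo request (ttl 128, id 1, len 36)
0x0000   4500 0024 0001 0000 8001 b784 c0a8 0101        E..$............
0x0010   c0a8 0102 0800 6668 0001 0001 6162 6364        ......fh....abcd
0x0020   6566 6768                                      efgh
"""
```

Running `[classify(p) for p in parse_dump(SAMPLE)]` reports only the first packet, with both checksums intact; the plain ping is left alone.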