[Dshield] Weird nachi-like traffic

Chris Brenton cbrenton at chrisbrenton.org
Tue Dec 23 16:01:31 GMT 2003


On Tue, 2003-12-23 at 09:07, tim0707 at comcast.net wrote:
> Ok, here is one for you...
> 
> We've been picking up this weird nachi like traffic lately. 

<snip>

> I called the site's network people and they can't find the machine with the IP address or the MAC. 

It looks like it's a Windows box (ohhhh, what a surprise!), so try:
nbtstat -A 164.214.216.53

If NetBIOS is open, that will give you the system name as well as the
name of the logged on user.

> 00:52:08.979401 0:0:a2:f8:5c:80 8:0:20:c7:2:b6 ip 106: x.x.216.53 > x.x.205.156: icmp: echo request (ttl 126, id 61165, len 92)
> 0x0000   4500 005c eeed 0000 7e01 5e31 a4d6 d835        E..\....~.^1...5
> 0x0010   a4d9 cd9c 0800 4a23 0200 5687 aaaa aaaa        ......J#..V.....
> 0x0020   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa        ................
> 0x0030   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa        ................
> 0x0040   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa        ................
> 0x0050   aaaa aaaa aaaa aaaa aaaa aaaa                  ............

Hummm. 92 bytes of a 0xaaaa payload; this certainly looks like Nachi to
me. Looks like you have an infected system.

> 02:13:56.971232 0:0:a2:f8:5c:80 8:0:20:c8:3b:83 ip 106: x.x.216.53 > 211.98.139.115: icmp: echo request (ttl 126, id 18822, len 92)
> 02:19:57.170062 0:0:a2:f8:5c:80 8:0:20:c8:33:d2 ip 106: x.x.216.53 > 210.103.97.67: icmp: echo request (ttl 126, id 10049, len 92)
> 02:25:55.119213 0:0:a2:f8:5c:80 8:0:20:c8:33:d2 ip 106: x.x.216.53 > 63.151.64.123: icmp: echo request (ttl 126, id 9449, len 92)

Now this is kind of weird. Every Windows box I've seen uses predictable
IP IDs. They either increment by +1 or +256. This box actually looks
like it's _decrementing_ the IP ID. I would love to know which OS this is
once you locate the box.

HTH,
C
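A small detector for the two observations in this thread (the 92-byte all-0xaa ICMP echo request and the IP ID sequence), added here as an example and not part of the original post. It reassembles the packet from the tcpdump hex dump quoted above and classifies the IP ID trend across the quoted summary lines; both are embedded below as constructed sample input.

```python
import re

# Constructed sample input: the tcpdump hex dump and the three summary lines quoted in the post.
HEXDUMP = r"""
0x0000   4500 005c eeed 0000 7e01 5e31 a4d6 d835        E..\....~.^1...5
0x0010   a4d9 cd9c 0800 4a23 0200 5687 aaaa aaaa        ......J#..V.....
0x0020   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa        ................
0x0030   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa        ................
0x0040   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa        ................
0x0050   aaaa aaaa aaaa aaaa aaaa aaaa                  ............
""".strip().splitlines()
SUMMARIES = [
    "02:13:56.971232 0:0:a2:f8:5c:80 8:0:20:c8:3b:83 ip 106: x.x.216.53 > 211.98.139.115: icmp: echo request (ttl 126, id 18822, len 92)",
    "02:19:57.170062 0:0:a2:f8:5c:80 8:0:20:c8:33:d2 ip 106: x.x.216.53 > 210.103.97.67: icmp: echo request (ttl 126, id 10049, len 92)",
    "02:25:55.119213 0:0:a2:f8:5c:80 8:0:20:c8:33:d2 ip 106: x.x.216.53 > 63.151.64.123: icmp: echo request (ttl 126, id 9449, len 92)",
]

def parse_hexdump(lines):
    """Reassemble raw packet bytes from 'tcpdump -x' style lines (offset, up to 8 hex words, ASCII)."""
    raw = bytearray()
    for line in lines:
        tokens = line.split()
        if tokens and tokens[0].startswith("0x"):
            for tok in tokens[1:9]:
                if not re.fullmatch(r"[0-9a-f]{4}", tok):
                    break  # reached the ASCII column
                raw += bytes.fromhex(tok)
    return bytes(raw)

def nachi_like(pkt):
    """True for an IPv4 ICMP echo request of total length 92 whose 64-byte payload is all 0xaa."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4:
        return False
    ihl, total_len = (pkt[0] & 0x0F) * 4, int.from_bytes(pkt[2:4], "big")
    if pkt[9] != 1 or total_len != 92 or len(pkt) < total_len:  # protocol 1 = ICMP
        return False
    icmp = pkt[ihl:total_len]
    # type 8 / code 0 is echo request; 8 header bytes followed by 64 bytes of padding
    return icmp[:2] == b"\x08\x00" and len(icmp) == 72 and set(icmp[8:]) == {0xAA}

ID_RE = re.compile(r"\bid (\d+),")
def ip_id_trend(lines):
    """Classify IP IDs across summary lines from one source: 'incrementing', 'decrementing' or 'mixed'."""
    ids = [int(m.group(1)) for m in map(ID_RE.search, lines) if m]
    deltas = [b - a for a, b in zip(ids, ids[1:])]  # note: a 16-bit wrap appears as one odd step
    if deltas and all(d > 0 for d in deltas):
        return "incrementing"
    if deltas and all(d < 0 for d in deltas):
        return "decrementing"
    return "mixed"
```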