[Dshield] ICMP Time-To-Live Exceeded in Transit

Chris Brenton cbrenton at chrisbrenton.org
Tue Dec 23 16:28:33 GMT 2003


On Tue, 2003-12-23 at 09:53, Erwin Van de Velde wrote:
> Recently I'm seeing some weird traffic that is detected by snort (sensor on 
> eth1: interface): I get inbound ICMP packets, telling me that the 
> TTL has been exceeded.
> The original source would be, with source port 2048. There are 
> different destinations, and the destination port is >40000 as far as I can 
> see.

You obviously have some form of call home software on the box. A couple
of things you can try:

On the Mandrake box run:
tcpdump -nn -X -s 1500 -w call-home.cap host &

and then boot the Win98 system. Let it run without using it for a while,
and then kill the above process. You can then read the cap file by doing

tcpdump -X -s 1500 -vvv -r call-home.cap | more

See if you can pull any clues out of the traces to let you know what's
going on.

The other option is to do what MS support told me to do to locate a renegade
service. Basically, keep killing things till the problem goes away and
whatever you shut off last must be the problem. ;-)

Grab yourself a copy of msconfig (it's included with MS Office) and run
it on the Win98 system. The last tab to the right will show you
everything that gets loaded at boot time. You can try "unchecking"
services and rebooting till the problem goes away. If you disable
something you did not mean to, reboot in safe mode, rerun msconfig, and
"recheck" the items you want to start. You may want to Google anything
you find before shutting it down.

> I have Norton AV running on the second computer, and the virus scanner is up 
> to date and always running (full system scan detected nothing).

AV _does not_ catch everything. Looks like you need to do some digging.

Pleasant journey,
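For anyone reading the capture Chris describes above: the "source port" and "destination port" Snort reports on an ICMP Time Exceeded packet are not the ICMP packet's own ports (ICMP has none) but come from the original IP header and first 8 bytes of the datagram that the router quotes back (RFC 792). The following is an added example, not part of the original post, that decodes such a message and pulls out the reporting router, the quoted source/destination addresses, the quoted ports and a consistency check. The packet bytes, addresses and function names are all constructed for the example.

```python
"""Parse an ICMP "Time Exceeded in Transit" message (type 11, code 0).

Added example (not from the original mailing-list post).  A Time Exceeded
message quotes the IP header and the first 8 bytes of the datagram whose
TTL ran out (RFC 792).  That quoted header is where an IDS such as Snort
gets the "source port" and "destination port" it reports on an ICMP
packet.  The packet below is constructed from documentation-range
addresses; nothing in it comes from the thread.
"""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

ICMP_TIME_EXCEEDED = 11
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


@dataclass
class TimeExceededInfo:
    reporter: str              # router that discarded the original datagram
    code: int                  # 0 = TTL exceeded in transit, 1 = reassembly timeout
    orig_src: str              # from the quoted (inner) IP header
    orig_dst: str
    orig_proto: int
    orig_ttl: int              # TTL in the quoted header, as the router saw it
    orig_sport: Optional[int]  # TCP/UDP ports from the quoted 8 bytes
    orig_dport: Optional[int]
    consistent: bool           # outer destination == quoted source (i.e. we sent it)


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum; returns 0 when run over data that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ipv4_header(src: str, dst: str, proto: int, ttl: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with a correct header checksum (constructed sample data)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                      ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]


def build_time_exceeded(reporter: str, orig_src: str, orig_dst: str,
                        sport: int, dport: int, code: int = 0) -> bytes:
    """Construct a Time Exceeded message for a UDP datagram (sample input only)."""
    udp_hdr = struct.pack("!HHHH", sport, dport, 8 + 32, 0)  # the quoted 8 bytes
    quoted = _ipv4_header(orig_src, orig_dst, PROTO_UDP, 1, 8 + 32) + udp_hdr
    icmp = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, code, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", ones_complement_sum(icmp)) + icmp[4:]
    return _ipv4_header(reporter, orig_src, PROTO_ICMP, 64, len(icmp)) + icmp


def parse_time_exceeded(pkt: bytes) -> TimeExceededInfo:
    """Decode outer IP + ICMP + quoted IP/L4 headers; raise ValueError on anything malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != PROTO_ICMP:
        raise ValueError("outer protocol is not ICMP")
    reporter = str(IPv4Address(pkt[12:16]))
    outer_dst = str(IPv4Address(pkt[16:20]))
    icmp = pkt[ihl:]
    if len(icmp) < 8 + 20:
        raise ValueError("ICMP message too short to carry a quoted IP header")
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type != ICMP_TIME_EXCEEDED:
        raise ValueError("ICMP type %d is not Time Exceeded" % icmp_type)
    if ones_complement_sum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or len(inner) < inner_ihl:
        raise ValueError("quoted header is not a complete IPv4 header")
    orig_src = str(IPv4Address(inner[12:16]))
    orig_dst = str(IPv4Address(inner[16:20]))
    proto, ttl = inner[9], inner[8]
    l4 = inner[inner_ihl:inner_ihl + 8]
    sport = dport = None
    if proto in (PROTO_TCP, PROTO_UDP) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])  # ports lead both TCP and UDP headers
    return TimeExceededInfo(reporter, code, orig_src, orig_dst, proto, ttl,
                            sport, dport, consistent=(outer_dst == orig_src))


# Constructed sample: router 203.0.113.1 reports that a UDP datagram from
# 192.0.2.10:2048 to 198.51.100.77:40001 ran out of TTL on the way.
SAMPLE = build_time_exceeded("203.0.113.1", "192.0.2.10", "198.51.100.77", 2048, 40001)

if __name__ == "__main__":
    print(parse_time_exceeded(SAMPLE))
```

The `consistent` flag is the check worth keeping an eye on when reading a capture like `call-home.cap`: a genuine Time Exceeded is addressed to the host named as source in the quoted header, so a mismatch means the message was not triggered by anything this box sent. `tcpdump -v` prints the same quoted header fields, which is how the sensor's port numbers can be matched against the process list from msconfig.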

