[Dshield] ICMP Time-To-Live Exceeded in Transit

Bruyere, Michel mbruyere at ezemcanada.com
Tue Dec 23 19:56:09 GMT 2003


You could check what's loading up in the Run key from the registry (search
for a key called RunOnce; when found, just click the Run key above it to see
what's in there, and use the F3 key to find all instances). After that you may want
to export the key to a backup.reg file (the easiest way to get everything back
in there in case of problems) and finally delete the unwanted programs that start
automagically.

Another thing you should do is scan your machine with an anti-trojan scanner (try TDS-3
from DiamondCS; it's a trial but works great) and spyware detectors (like
Spybot Search & Destroy AND Ad-aware). I suggest you run both Spybot and
Ad-aware because one catches some things the other doesn't, and vice versa.


M. Bruyere


> -----Original Message-----
> From: Erwin Van de Velde [mailto:erwin.vandevelde at ua.ac.be]
> Sent: Tuesday 23 December 2003 09:53
> To: list at dshield.org
> Subject: [Dshield] ICMP Time-To-Live Exceeded in Transit
> 
> Hi,
> 
> I'm using snort 2.1.0 on a Mandrake 9.2 box. I have two network interfaces:
> one to the cable modem (DHCP configured), and one ethernet interface (IP
> 192.168.0.1). Both interfaces are watched by snort. I have one other
> computer on the local network (192.168.0.2) running Win98 SE, and the first
> computer uses NAT (configured with shorewall(iptables)) to get the second
> online.
> 
> Recently I'm seeing some weird traffic that is detected by snort (sensor on
> the eth1:192.168.0.1 interface): I get inbound ICMP packets telling me that
> the TTL has been exceeded.
> The original source would be 192.168.0.2, with source port 2048. There are
> different destinations, and the destination port is >40000 as far as I can
> see.
> Other weird things: these alerts come in groups, always when booting the
> second computer and every two hours after boot. The destination IPs differ,
> as I said above, but are repeated. The number of alerts in one 'group'
> differs also, possibly depending on foreign network conditions (which
> computers are running etc.)
> These alerts take 42% of all my snort alerts. Second are the alerts caused
> by Welchia, Blaster... travelling by on the internet with 33%.
> Does anyone know what they are? Are they normal traffic caused by 'good'
> programs? There is no frequently repeated traceroute or something like
> that running there :-)
> I have Norton AV running on the second computer, and the virus scanner is
> up to date and always running (full system scan detected nothing).
> 
> thanks in advance,
> Erwin Van de Velde
> Student of Antwerp University
> Belgium
> 
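An ICMP "Time Exceeded in Transit" message (type 11) carries the IP header of the datagram that died plus the first 8 bytes of its payload (RFC 792), which is where an IDS gets the "original source" and "ports" it prints. The decoder below, added here as an example and not code from either message in this thread, walks that structure and shows why the port fields deserve a second look: if the quoted datagram is itself ICMP, the two bytes a UDP/TCP-style decoder would label "source port" are the ICMP type and code, so an echo request (type 8, code 0) reads as 0x0800 = 2048, while a UDP probe to port 2048 produces the same word. Whether that applies to the alerts above is an inference for the reader to check against the raw packets; the post does not confirm it. All addresses and packets are constructed in the block.

```python
"""Decode an IPv4 ICMP Time Exceeded packet down to the datagram it quotes.

Added example for the thread above; the sample packets are constructed here,
with 10.0.0.1 standing in for the reporting router and 198.51.100.7 (a
documentation address) for the far-end destination.
"""
import socket
import struct
from dataclasses import dataclass
from typing import Optional

ICMP_TIME_EXCEEDED = 11
ICMP_ECHO_REQUEST = 8
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int) -> bytes:
    """Minimal 20-byte IPv4 header with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


@dataclass
class QuotedDatagram:
    router: str      # sender of the Time Exceeded message
    orig_src: str    # source of the datagram that expired
    orig_dst: str    # where it was headed
    orig_proto: int  # protocol of the expired datagram
    raw_word: int    # first 16 bits after the inner IP header, read as a "port"
    detail: str      # protocol-aware reading of the same 8 bytes


def parse_time_exceeded(pkt: bytes) -> Optional[QuotedDatagram]:
    """Return the datagram quoted inside an IPv4/ICMP Time Exceeded packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != PROTO_ICMP or len(pkt) < ihl + 8:
        return None
    icmp = pkt[ihl:]
    if icmp[0] != ICMP_TIME_EXCEEDED:
        return None
    inner = icmp[8:]                       # quoted IP header + first 8 payload bytes
    if len(inner) < 20:
        return None
    inner_ihl = (inner[0] & 0x0F) * 4
    if len(inner) < inner_ihl + 8:
        return None
    proto = inner[9]
    data = inner[inner_ihl:inner_ihl + 8]
    raw_word = struct.unpack("!H", data[:2])[0]
    if proto in (PROTO_TCP, PROTO_UDP):
        sport, dport = struct.unpack("!HH", data[:4])
        detail = "%s sport=%d dport=%d" % ("UDP" if proto == PROTO_UDP else "TCP", sport, dport)
    elif proto == PROTO_ICMP:
        itype, icode, ident, seq = struct.unpack("!BBxxHH", data)  # skip the checksum
        detail = "ICMP type=%d code=%d id=%d seq=%d" % (itype, icode, ident, seq)
    else:
        detail = "proto=%d data=%s" % (proto, data.hex())
    return QuotedDatagram(socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(inner[12:16]),
                          socket.inet_ntoa(inner[16:20]), proto, raw_word, detail)


def build_sample(transport: str = "icmp") -> bytes:
    """Constructed Time Exceeded from 10.0.0.1 about a datagram 192.168.0.2 -> 198.51.100.7.

    transport="icmp": the expired datagram was an echo request (type 8, code 0).
    transport="udp":  the expired datagram was UDP from port 2048 to port 33434.
    Both put 0x0800 == 2048 in the first two bytes after the inner IP header.
    """
    if transport == "udp":
        payload = struct.pack("!HHHH", 2048, 33434, 8, 0)       # sport, dport, length, csum
        inner_proto = PROTO_UDP
    else:
        payload = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 0x0300, 0xA7C1)  # id, seq
        payload = payload[:2] + struct.pack("!H", inet_checksum(payload)) + payload[4:]
        inner_proto = PROTO_ICMP
    expired = ipv4_header("192.168.0.2", "198.51.100.7", inner_proto, len(payload), ttl=1) + payload
    te = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + expired
    te = te[:2] + struct.pack("!H", inet_checksum(te)) + te[4:]
    return ipv4_header("10.0.0.1", "192.168.0.2", PROTO_ICMP, len(te), ttl=255) + te


if __name__ == "__main__":
    for kind in ("icmp", "udp"):
        q = parse_time_exceeded(build_sample(kind))
        print(kind, q.router, q.orig_src, "->", q.orig_dst, "raw_word=%d" % q.raw_word, q.detail)
```

To apply it to a live capture, feed the bytes of each alerting packet (for example from a pcap) to parse_time_exceeded and compare `detail` with what the IDS printed; `raw_word` is the number a port-style decoder reports regardless of the inner protocol.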