[Dshield] Cyberkit 2.2 pings.... anyone else getting them?

Johannes Ullrich jullrich at euclidian.com
Fri Oct 10 11:16:53 GMT 2003

Which rock have you been hiding under the last month ;-) ?
The 'CyberKit' Snort signature is triggered by the pings Nachia sends
out. The sequential subnet scanning is another characteristic of Nachia.

The signature:

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING CyberKit 2.2 Windows"; reference:arachnids,154; sid:483; classtype:misc-activity; rev:2;)

essentially a ping with all 'A' for payload. That's just the kind of ping
Nachia sends out.

On Fri, 2003-10-10 at 00:48, John D. wrote:
> Hi,
> I'm getting shitloads of Cyberkit 2.2 pings hitting our Crunchbox. In some cases, about 1 per minute, and they are hitting every box on our subnet.
> Has anyone else been getting them, and what is the significance of these probes? Is it some virus probing our network for vulns, or is it something else?
> John
Johannes Ullrich                     jullrich at euclidian.com
pgp key: http://johannes.homepc.org/PGPKEYS
   "We regret to inform you that we do not enable any of the 
    security functions within the routers that we install."
         support at covad.net
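
Added example, not part of the original message: one way to check whether sid 483 alerts show the sequential subnet scanning described above, by measuring each source's longest run of consecutive destination addresses. The alert tuples, addresses and the min_run threshold are constructed assumptions, not data from the list.

```python
import ipaddress
from collections import defaultdict

# Constructed sample alerts (not real traffic): (epoch seconds, source, destination).
# In practice these fields would be extracted from the sensor's sid 483 alerts.
SAMPLE_ALERTS = [
    (1000, "192.0.2.10", "198.51.100.1"),
    (1001, "192.0.2.77", "198.51.100.40"),
    (1002, "192.0.2.10", "198.51.100.2"),
    (1003, "192.0.2.10", "198.51.100.3"),
    (1004, "192.0.2.77", "198.51.100.3"),
    (1005, "192.0.2.10", "198.51.100.4"),
    (1006, "192.0.2.10", "198.51.100.4"),   # repeated ping to the same host
    (1007, "192.0.2.10", "198.51.100.5"),
    (1008, "192.0.2.77", "198.51.100.200"),
]


def longest_sequential_run(dests):
    """Longest run of destinations that each follow the previous one by +1.

    dests is a list of ipaddress objects in arrival order. A repeated
    destination neither extends nor breaks the run.
    """
    if not dests:
        return 0
    best = run = 1
    for prev, cur in zip(dests, dests[1:]):
        step = int(cur) - int(prev)
        if step == 0:
            continue
        run = run + 1 if step == 1 else 1
        best = max(best, run)
    return best


def find_sweepers(alerts, min_run=4):
    """Map each source whose longest sequential run is >= min_run to that run."""
    by_src = defaultdict(list)
    for _ts, src, dst in sorted(alerts):          # order by timestamp
        by_src[src].append(ipaddress.ip_address(dst))
    runs = {src: longest_sequential_run(d) for src, d in by_src.items()}
    return {src: run for src, run in runs.items() if run >= min_run}


if __name__ == "__main__":
    for src, run in find_sweepers(SAMPLE_ALERTS).items():
        print(f"{src}: {run} consecutive addresses pinged in order")
```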
