[Dshield] Cyberkit 2.2 pings.... anyone else getting them?

Johannes Ullrich jullrich at euclidian.com
Fri Oct 10 11:16:53 GMT 2003


Which rock have you been hiding under the last month ;-) ?
The 'CyberKit' snort signature is triggered by the pings Nachia sends
out. The sequential subnet scanning is another characteristic of Nachia.

The signature:

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING CyberKit 2.2 Windows"; \
    content:"|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|"; itype:8; depth:32; \
    reference:arachnids,154; sid:483; classtype:misc-activity; rev:2;)


essentially a ping with all 'A' for payload. That's just the kind of ping
Nachia sends out.



On Fri, 2003-10-10 at 00:48, John D. wrote:
> Hi,
> 
> I'm getting shitloads of Cyberkit 2.2 pings hitting our Crunchbox. In some cases, about 1 per minute, and they are hitting every box on our subnet.
> 
> Has anyone else been getting them, and what is the significance of these probes? Is it some virus probing our network for vulns, or is it something else?
> 
> John
> 
-- 
--------------------------------------------------------------
Johannes Ullrich                     jullrich at euclidian.com
pgp key: http://johannes.homepc.org/PGPKEYS
--------------------------------------------------------------
   "We regret to inform you that we do not enable any of the 
    security functions within the routers that we install."
         support at covad.net
--------------------------------------------------------------
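
Added example (not part of the original post, and not Snort's own code): a Python sketch of the two checks the reply describes, the sid 483 match (itype 8, content within depth 32) and the sequential sweep across a subnet. In a Snort content option the bytes between the pipes are hex, so the pattern is sixteen 0xAA bytes; the function names, the min_run threshold and the sample traffic are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict
from ipaddress import ip_address

PATTERN = b"\xaa" * 16  # bytes between |...| in a Snort content are hex: 16 x 0xAA
DEPTH = 32              # depth:32 -> only the first 32 payload bytes are searched

def echo_packet(itype: int, payload: bytes) -> bytes:
    """Build a constructed ICMP message (checksum left at 0; the rule ignores it)."""
    return struct.pack("!BBHHH", itype, 0, 0, 1, 1) + payload

def matches_sid483(icmp: bytes) -> bool:
    """itype:8 plus the content match in the first DEPTH bytes after the 8-byte header."""
    return len(icmp) >= 8 and icmp[0] == 8 and PATTERN in icmp[8:8 + DEPTH]

def longest_run(addrs) -> int:
    """Length of the longest run of consecutive IPv4 addresses in addrs."""
    best = run = 0
    prev = None
    for a in sorted({int(ip_address(x)) for x in addrs}):
        run = run + 1 if prev is not None and a == prev + 1 else 1
        best = max(best, run)
        prev = a
    return best

def sweeping_sources(events, min_run=4):
    """events: (src, dst, icmp_bytes). Sources whose matching pings
    cover at least min_run consecutive destination addresses."""
    hits = defaultdict(set)
    for src, dst, icmp in events:
        if matches_sid483(icmp):
            hits[src].add(dst)
    return sorted(s for s, d in hits.items() if longest_run(d) >= min_run)

# Constructed sample traffic (documentation address ranges, not real observations).
AA_PING = echo_packet(8, b"\xaa" * 32)
OTHER_PING = echo_packet(8, b"abcdefghijklmnopqrstuvwabcdefghi")
EVENTS = [("198.51.100.7", f"192.0.2.{i}", AA_PING) for i in range(10, 16)]
EVENTS += [("198.51.100.9", "192.0.2.10", AA_PING),          # one hit, no sweep
           ("203.0.113.5", "192.0.2.11", OTHER_PING),         # different payload
           ("203.0.113.5", "192.0.2.12", echo_packet(0, b"\xaa" * 32))]  # echo reply

if __name__ == "__main__":
    print(sweeping_sources(EVENTS))
```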