[Dshield] Cyberkit 2.2 pings.... anyone else getting them?

John Sage jsage at finchhaven.com
Fri Oct 10 11:34:03 GMT 2003


Very Old News...

On Thu, Oct 09, 2003 at 09:48:34PM -0700, John D. wrote:
> Hi,
> 
> I'm getting shitloads of Cyberkit 2.2 pings hitting our Crunchbox.
> In some cases, about 1 per minute, and they are hitting every box on
> our subnet.
> 
> Has anyone else been getting them, and what is the significance of
> these probes? Is it some virus probing our network for vulns, or is
> it something else?

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP CyberKit 2.2 ping"; itype: 8; content:"|aa aa aa aa aa aa aa aa|";)

is equivalent to:

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Nachia ping"; itype: 8; content:"|aa aa aa aa aa aa aa aa|";)


Current count (< 24 hours):

Date: Fri, 10 Oct 2003 04:15:13 -0700
To: root at greatwall.finchhaven.net
Subject: Nachia ping report
Cc: jsage at sparky.finchhaven.net

2757


One early reference:

http://www.dshield.org/pipermail/list/2003-August/010722.php




- John
-- 
"You are in a twisty maze of weblogs, all alike."
-
John Sage: InfoSec Groupie
-
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
-
ATTENTION: this entire message is privileged communication, intended
for the sole use of its recipients only. If you read it even though
you know you aren't supposed to, you're a poopy-head.
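
Added example (not part of the original message): the two rules quoted above differ only in their msg text and match on the same thing, an ICMP echo request (itype 8) whose payload contains eight 0xaa bytes. The sketch below applies that match to raw IPv4 packets and tallies hits per source, in the spirit of the ping report count. The function names, the sample packets, their addresses and their 64-byte payload length are constructed for illustration.

```python
import struct
from collections import Counter

PATTERN = b"\xaa" * 8        # content:"|aa aa aa aa aa aa aa aa|"
ICMP_ECHO_REQUEST = 8        # itype: 8


def matches_rule(ip_packet: bytes) -> bool:
    """True if a raw IPv4 packet is an ICMP echo request containing PATTERN."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        return False
    ihl = (ip_packet[0] & 0x0F) * 4           # IPv4 header length in bytes
    if ihl < 20 or ip_packet[9] != 1:         # protocol 1 = ICMP
        return False
    icmp = ip_packet[ihl:]
    if len(icmp) < 8 or icmp[0] != ICMP_ECHO_REQUEST:
        return False
    # Assumption: the content match is applied to the data that follows
    # the 8-byte ICMP echo header (type, code, checksum, id, sequence).
    return PATTERN in icmp[8:]


def source_ip(ip_packet: bytes) -> str:
    return ".".join(str(b) for b in ip_packet[12:16])


def count_hits(packets):
    """Tally matching packets per source address."""
    return Counter(source_ip(p) for p in packets if matches_rule(p))


def build_packet(src, dst, icmp_type, payload):
    """Constructed test input: minimal IPv4 + ICMP packet, checksums left zero."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 128, 1, 0,
                     bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    return ip + icmp


# Constructed samples using documentation address ranges.
SAMPLES = [
    build_packet("192.0.2.10", "198.51.100.1", 8, b"\xaa" * 64),  # matches
    build_packet("192.0.2.10", "198.51.100.2", 8, b"\xaa" * 64),  # matches
    build_packet("192.0.2.77", "198.51.100.1", 8, b"abcdefghijklmnop"),  # other ping
    build_packet("192.0.2.10", "198.51.100.1", 0, b"\xaa" * 64),  # echo reply, itype 0
]

if __name__ == "__main__":
    for src, hits in count_hits(SAMPLES).items():
        print(src, hits)
```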



