[Dshield] Cyberkit 2.2 pings.... anyone else getting them?

Porter, Richard USA rwporter at nps.navy.mil
Fri Oct 10 14:40:14 GMT 2003

I saw a significant amount of Cyberping hits when we had a couple of welcheia machines on our Public Wireless.  You might want to look for an infected welcheia box. Etherpeak picks up welcheia at 110 bytes in length. If you increase the snap length on TCPDump you should see your Cyberping hits at 110 bytes, then you know you have a welchiea box out there somewhere. Hope that helps.


-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf Of John Sage
Sent: Friday, October 10, 2003 4:34 AM
To: General DShield Discussion List
Subject: Re: [Dshield] Cyberkit 2.2 pings.... anyone else getting them?

Very Old News...

On Thu, Oct 09, 2003 at 09:48:34PM -0700, John D. wrote:
> Hi,
> I'm getting shitloads of Cyberkit 2.2 pings hitting our Crunchbox. In 
> some cases, about 1 per minute, and they are hitting every box on our 
> subnet.
> has anyone else been getting them, and what is the significance of 
> these probes. is it some virus probing our network for vulns,  or is 
> it something else.

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP CyberKit 2.2  ping"; itype: 8; content:"|aa aa aa aa aa aa aa aa|";)

is equivalent to:

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Nachia  ping"; itype: 8; content:"|aa aa aa aa aa aa aa aa|";)

Current count (< 24 hours):

Date: Fri, 10 Oct 2003 04:15:13 -0700
To: root at greatwall.finchhaven.net
Subject: Nachia ping report
Cc: jsage at sparky.finchhaven.net


One early reference:


- John
"You are in a twisty maze of weblogs, all alike."
John Sage: InfoSec Groupie
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
ATTENTION: this entire message is privileged communication, intended for the sole use of its recipients only. If you read it even though you know you aren't supposed to, you're a poopy-head.

list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list

More information about the list mailing list