[Dshield] icmp w/payload EEEEEEE

Mrcorp mrcorp at yahoo.com
Wed Jan 14 19:31:25 GMT 2004


Sorry if this has been commented on, but I noticed the MAC addresses are the same for both groups,
yet there are different IP addresses.  So obviously some spoofing, which would mean that the
response is not required from these pings???

Also a low TTL.

mrcorp

--- lew001 at globetrotter.net wrote:
> Johannes writes:
> 
> > Nothing here. Can you post some complete packets?
> > (e.g. using tcpdump -s 1500 -Xa icmp)
> 
> At first, I had thought that the EEEEEEs were hex. But maybe not. Here's what
> I found in this morning's traces (EEEEEE is ASCII). I don't have previous
> days to check unfortunately.
> 
> Three packets from each of two sources.
> 
>    02:11:43.5242 eth2 rcv:
>    ETH 000500E61FA8->00C0A8D00B73 typ=IP
>    IP  len=3C id=8D87 ttl=29 prot=ICMP ckSum=B67 200.55.67.196->66.130.170.85
>    ICMP typ=echoRq code=0 ckSum=B37
>    id=400 seq=9474
>    45 45 45 45 45 45 45 45  45 45 45 45 45 45 45 45   EEEEEEEEEEEEEEEE
>    45 45 45 45 45 45 45 45  45 45 45 45 45 45 45 45   EEEEEEEEEEEEEEEE
> 
>    02:11:44.8931 eth2 rcv:
>    ETH 000500E61FA8->00C0A8D00B73 typ=IP
>    IP  len=3C id=8D91 ttl=29 prot=ICMP ckSum=B5D 200.55.67.196->66.130.170.85
>    ICMP typ=echoRq code=0 ckSum=737
>    id=400 seq=9874
>    45 45 45 45 45 45 45 45  45 45 45 45 45 45 45 45   EEEEEEEEEEEEEEEE
>    45 45 45 45 45 45 45 45  45 45 45 45 45 45 45 45   EEEEEEEEEEEEEEEE
> 
>    02:11:47.4361 eth2 rcv:
>    ETH 000500E61FA8->00C0A8D00B73 typ=IP
>    IP  len=3C id=8DB2 ttl=29 prot=ICMP ckSum=B3C 200.55.67.196->66.130.170.85
>    ICMP typ=echoRq code=0 ckSum=F936
>    id=400 seq=A674
>    45 45 45 45 45 45 45 45  45 45 45 45 45 45 45 45   EEEEEEEEEEEEEEEE
>    45 45 45 45 45 45 45 45  45 45 45 45 45 45 45 45   EEEEEEEEEEEEEEEE
> 
>    05:27:10.6468 eth2 rcv:
>    ETH 000500E61FA8->00C0A8D00B73 typ=IP
>    IP  len=3C id=E927 ttl=2D prot=ICMP ckSum=B00B 194.19.69.163->66.130.170.85
>    ICMP typ=echoRq code=0 ckSum=27A5
>    id=200 seq=7A06
>    45 45 45 45 45 45 45 45  45 45 45 45 45 45 45 45   EEEEEEEEEEEEEEEE
>    45 45 45 45 45 45 45 45  45 45 45 45 45 45 45 45   EEEEEEEEEEEEEEEE
> 
>    05:27:11.9993 eth2 rcv:
>    ETH 000500E61FA8->00C0A8D00B73 typ=IP
>    IP  len=3C id=E938 ttl=2D prot=ICMP ckSum=AFFA 194.19.69.163->66.130.170.85
>    ICMP typ=echoRq code=0 ckSum=1EA5
>    id=200 seq=8306
>    45 45 45 45 45 45 45 45  45 45 45 45 45 45 45 45   EEEEEEEEEEEEEEEE
>    45 45 45 45 45 45 45 45  45 45 45 45 45 45 45 45   EEEEEEEEEEEEEEEE
> 
>    05:27:14.0062 eth2 rcv:
>    ETH 000500E61FA8->00C0A8D00B73 typ=IP
>    IP  len=3C id=E958 ttl=2D prot=ICMP ckSum=AFDA 194.19.69.163->66.130.170.85
>    ICMP typ=echoRq code=0 ckSum=12A5
>    id=200 seq=8F06
>    45 45 45 45 45 45 45 45  45 45 45 45 45 45 45 45   EEEEEEEEEEEEEEEE
>    45 45 45 45 45 45 45 45  45 45 45 45 45 45 45 45   EEEEEEEEEEEEEEEE
> 
> I don't really remember seeing this kind of stuff before, but maybe
> some OSs do use this pattern? Anyway, I'm not seeing many so far.
> 
> For comparison, a Nachi/Welchia/whatever packet (quite a few more, still).
> 
>    05:42:16.7732 eth2 rcv:
>    ETH 000500E61FA8->00C0A8D00B73 typ=IP
>    IP  len=5C id=C18A ttl=6E prot=ICMP ckSum=6146 66.133.250.115->66.130.170.85
>    ICMP typ=echoRq code=0 ckSum=F9B1
>    id=200 seq=A6F8
>    AA AA AA AA AA AA AA AA  AA AA AA AA AA AA AA AA   ................
>    AA AA AA AA AA AA AA AA  AA AA AA AA AA AA AA AA   ................
>    AA AA AA AA AA AA AA AA  AA AA AA AA AA AA AA AA   ................
>    AA AA AA AA AA AA AA AA  AA AA AA AA AA AA AA AA   ................
> 
> No clue (of course) what these EEEEEE pings mean.
> 
> On a different topic, does anyone understand these RST+ACK packets we have
> been receiving for some time? I see two variations. Either the packet appears
> to originate from 127.0.0.1 or it appears to originate from 67.61.16.236.
> From port 80. To random ports on my firewall.
> 
>    2003-12-10 04:09:08 | 67.61.16.236 | 80 | 66.131.183.166 | 1804 | prot=TCP  | code=RST+ACK
>    2003-12-15 05:32:58 | 127.0.0.1    | 80 | 66.131.183.166 | 1128 | prot=TCP  | code=RST+ACK
> 
> They have been mentioned here a couple of times, but I haven't
> seen any explanation yet. I still see these regularly.
> 
> A+,
> Pierre
> 

