[Dshield] icmp w/payload EEEEEEE

Blake McNeill mcneillb at linklogger.com
Thu Jan 15 09:12:55 GMT 2004


I caught one of these tonight but the TTL wasn't that low (TTL = E7 = 231,
Nachi pings for example were 124)

45 00 00 3C 7B 94 00 00 31 01 6D 9E 51 D9 8C EB
C0 A8 01 22 08 00 E7 65 02 00 BA 45 45 45 45 45
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45
45 45 45 45 45 45 45 45 45 45 45 45

Jan 15, 2004 07:20:52.031 UTC  -  (ICMP) <8:0> 81.217.140.235  >>>
192.168.1.34

81.217.140.235 has a hostname of h081217140235.dyn.cm.kabsi.at

I did catch this IP scanning on a second IP address so I suspect it was
sweeping the netblock.  One thing that might be interesting (or could be my
mind on glue) is that the selection of packet contents is the same number of 'e's
as when a Cisco is erasing a device (why else use 32 E's?).

I have the sniffer up and running so hopefully I can catch a couple more.

Blake
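
An added example, not part of the original post: a small Python decoder for the hex dump quoted above. It reads the IPv4 and ICMP header fields, verifies both checksums, and reports whether the payload is a single repeated byte. The function names and dictionary keys are illustrative choices; the packet bytes are copied from the post.

```python
import ipaddress
import struct

# Packet bytes as given in the post's hex dump (starts at the IPv4 header).
DUMP = """
45 00 00 3C 7B 94 00 00 31 01 6D 9E 51 D9 8C EB
C0 A8 01 22 08 00 E7 65 02 00 BA 45 45 45 45 45
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45
45 45 45 45 45 45 45 45 45 45 45 45
"""

def checksum_ok(data: bytes) -> bool:
    """RFC 1071: summing a block that includes its own valid checksum gives 0xFFFF."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def decode_icmp(dump: str) -> dict:
    """Decode an IPv4/ICMP packet from a whitespace-separated hex dump."""
    pkt = bytes.fromhex("".join(dump.split()))
    if len(pkt) < 20:
        raise ValueError("shorter than an IPv4 header")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 1:
        raise ValueError("not IPv4 ICMP")
    if ihl < 20 or not ihl + 8 <= total_len <= len(pkt):
        raise ValueError("truncated or inconsistent lengths")
    icmp = pkt[ihl:total_len]
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    payload = icmp[8:]
    # A payload made of one repeated byte is a simple, matchable signature.
    fill = chr(payload[0]) if payload and len(set(payload)) == 1 else None
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "ttl": ttl, "type": icmp_type, "code": code,
        "id": ident, "seq": seq,
        "payload_len": len(payload), "fill": fill,
        "ip_checksum_ok": checksum_ok(pkt[:ihl]),
        "icmp_checksum_ok": checksum_ok(icmp),
    }

if __name__ == "__main__":
    for key, value in decode_icmp(DUMP).items():
        print(f"{key:17} {value}")
```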



