[Dshield] icmp w/payload EEEEEEE

Blake McNeill mcneillb at linklogger.com
Thu Jan 15 12:49:49 GMT 2004


Captured another scan.

Jan 15, 2004 12:09:01.062 UTC  -  (ICMP) <8:0> 207.6.10.162  >>> 192.168.1.34

207.6.10.162 is d207-6-10-162.bchsia.telus.net which is rather interesting
given scans are being seen from all over the place.  What is really
interesting is Link Logger recorded an earlier ICMP Ping from this IP
Address on January 3rd (but I didn't have the sniffer on so I can't confirm
the packet contents), which tends to make me think that the source isn't
spoofed (I was also able to ping and get a reply from this IP tonight).

Packet Capture:

0000:  00 04 5A 62 CB 89 00 A0 C5 2F AC 2A 08 00 45 00  ..Zb...../.*..E.
0010:  00 3C 47 C7 00 00 37 01 A0 87 CF 06 0A A2 C0 A8  .<G...7.........
0020:  01 22 08 00 6F 5E 02 00 32 4D 45 45 45 45 45 45  ."..o^..2MEEEEEE
0030:  45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE
0040:  45 45 45 45 45 45 45 45 45 45                    EEEEEEEEEE

The TTL = 55, which is rather short and is consistent with what I saw in the
earlier capture (I made an 'up all night mistake' on this in my previous
posting).

Blake
http://www.SonicLogger.com - Logging Software for SonicWall
http://www.LinkLogger.com - Logging Software for Linksys, Netgear and Zyxel
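Decoding the capture above, as an added example that is not part of the original post: it parses the hex dump into bytes, walks the Ethernet, IPv4 and ICMP headers, and verifies both the IP and ICMP checksums, so the TTL, echo id/sequence and the 32-byte 'E' payload are confirmed from the raw bytes rather than read off the ASCII column. Function and field names are my own.

```python
import struct

# The hex dump from the post above, embedded here as the sample input.
HEX_DUMP = """\
0000:  00 04 5A 62 CB 89 00 A0 C5 2F AC 2A 08 00 45 00  ..Zb...../.*..E.
0010:  00 3C 47 C7 00 00 37 01 A0 87 CF 06 0A A2 C0 A8  .<G...7.........
0020:  01 22 08 00 6F 5E 02 00 32 4D 45 45 45 45 45 45  ."..o^..2MEEEEEE
0030:  45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE
0040:  45 45 45 45 45 45 45 45 45 45                    EEEEEEEEEE
"""

def hexdump_to_bytes(dump: str) -> bytes:
    """Parse 'OFFSET:  hex bytes  ascii' lines; the hex field ends at the first double space."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        hex_field = line.split(":", 1)[1].strip().split("  ")[0]
        out += bytes.fromhex(hex_field.replace(" ", ""))
    return bytes(out)

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; returns 0 when run over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def decode_icmp_frame(frame: bytes) -> dict:
    """Decode Ethernet -> IPv4 -> ICMP and report the fields a defender would check."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                 # header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    ttl, proto = ip[8], ip[9]
    if proto != 1:
        raise ValueError("not ICMP")
    icmp = ip[ihl:total_len]                 # trims any Ethernet padding
    itype, code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
        "ttl": ttl, "ip_checksum_ok": inet_checksum(ip[:ihl]) == 0,
        "icmp_type": itype, "icmp_code": code, "id": ident, "seq": seq,
        "icmp_checksum_ok": inet_checksum(icmp) == 0, "payload": icmp[8:],
    }

if __name__ == "__main__":
    for key, value in decode_icmp_frame(hexdump_to_bytes(HEX_DUMP)).items():
        print(f"{key}: {value}")
```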



