[Dshield] icmp w/payload EEEEEEE

tim0707@comcast.net tim0707 at comcast.net
Thu Jan 15 14:00:41 GMT 2004


> I also see that this pattern is associated with "Grim's Ping".

I checked out Grim's Ping and I'm not so sure that this is Grim's Ping. I didn't see the same icmp payload when I ran the tool in our lab. 

We are running anonymous FTP servers and when the scanning gets to our FTP servers, I don't see any attempts to connect to those servers from the scanning IP, like Grim's Ping is set up to do.

Tim
> On Wed, 2004-01-14 at 09:43, tim0707 at comcast.net wrote:
> > Here are some packets.  At first this looked very similar to Nachi, but after
> > looking at it for a while, I noticed that when we see Nachi here, we only see a
> > few packets from the same ip address.  Not the complete scan, unless it's
> > internal. : )
> >
> > With this icmp traffic, we're seeing the complete scan from the same ip
> > address.
> >
> > Since the 3rd, we've had 12 different IPs hit us.  I don't know what to make
> > of it.  We block icmp, so that's not a concern.  It's just driving me crazy
> > trying to figure out what it is.
> > 
> > 09:23:12.318467 207.218.183.144 > 123.456.251.57: icmp: echo request
> > 0x0000   4500 003c fcff 0000 3501 6146 cfda b790        E..<....5.aF....
> > 0x0010   7bff fb39 0800 dff4 0200 c1b6 4545 4545        ...9........EEEE
> > 0x0020   4545 4545 4545 4545 4545 4545 4545 4545        EEEEEEEEEEEEEEEE
> > 0x0030   4545 4545 4545 4545 4545 4545                  EEEEEEEEEEEE
> 
> 207.218.183.144 is a windows machine.
> 
> the 'EE' pattern has been seen before. For example:
> 
> http://cert.uni-stuttgart.de/archive/intrusions/2003/01/msg00342.html
> 
> I also see that this pattern is associated with "Grim's Ping".
> But I haven't tested it myself. "Grim's Ping" is an automated
> Windows port scanner.
> http://grimsping.cjb.net/
>  
> 
> 
> -- 
> CTO SANS Internet Storm Center               http://isc.sans.org
> phone: (617) 837 2807                          jullrich at sans.org 
> 
> contact details: http://johannes.homepc.org/contact.htm
> 
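To compare a dump like this across the different source IPs, here is an added example (my own code, not from the list or from any tool named in the thread) that rebuilds the packet bytes from tcpdump -x lines, verifies the IP and ICMP checksums, and describes the payload fill. The embedded dump is re-typed from the packet above as constructed input, and the Windows ping.exe default payload string is my assumption for the comparison.

```python
import re
import struct
import socket

# Tim's packet, re-typed from the tcpdump -x output above (constructed sample input). The
# destination was anonymised on the list, so the IP checksum need not verify; the ICMP one should.
DUMP = """\
0x0000   4500 003c fcff 0000 3501 6146 cfda b790        E..<....5.aF....
0x0010   7bff fb39 0800 dff4 0200 c1b6 4545 4545        ...9........EEEE
0x0020   4545 4545 4545 4545 4545 4545 4545 4545        EEEEEEEEEEEEEEEE
0x0030   4545 4545 4545 4545 4545 4545                  EEEEEEEEEEEE
"""
HEX_LINE = re.compile(r"^0x[0-9a-f]{4}((?:\s+[0-9a-f]{4}){1,8})(?:\s|$)", re.I)
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwxyzabcdef"  # ping.exe default 32-byte payload (assumed)

def dump_to_bytes(dump: str) -> bytes:
    """Rebuild raw packet bytes from tcpdump -x lines; the ASCII column on the right is ignored."""
    raw = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line.strip())
        if m:
            raw += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(raw)

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum; returns 0 when run over data whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_icmp_echo(raw: bytes) -> dict:
    """Decode IPv4 + ICMP echo and describe the payload so scans can be compared by their fill pattern."""
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _ck, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    raw = raw[:total_len]                      # drop anything the dump parser over-read from the ASCII column
    icmp = raw[ihl:]
    itype, code, _ick, echo_id, seq = struct.unpack("!BBHHH", icmp[:8])
    payload = icmp[8:]
    uniform = len(payload) > 0 and len(set(payload)) == 1   # single repeated byte, like the 'E' fill here
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl, "proto": proto,
        "ip_checksum_ok": inet_checksum(raw[:ihl]) == 0, "icmp_checksum_ok": inet_checksum(icmp) == 0,
        "type": itype, "code": code, "echo_id": echo_id, "seq": seq,
        "payload_len": len(payload), "uniform_fill": payload[0] if uniform else None,
        "windows_ping_default": payload == WINDOWS_PING_PAYLOAD,
    }
```

Running `parse_icmp_echo(dump_to_bytes(DUMP))` on the posted packet reports a type 8, code 0 echo request with id 0x0200, seq 0xc1b6 and a 32-byte payload of 0x45, and the ICMP checksum verifies.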