[Dshield] Re: Abnormal ICMP Traffic -- Please advise

Eric Hines eric.hines at appliedwatch.com
Mon Mar 1 20:39:24 GMT 2004


Look at the second fragment in the first fragment train. The fragment offset is 
0x00B9, which is dec: 185. This is an overlapping fragment with the first 
fragment! Does anyone know if this payload is generated by Teardrop?

Re: Eric Hines, GCIA


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/01-13:26:12.066134 0:30:F2:E9:5F:FC -> 0:9:6B:61:70:5D type:0x800 len:0x5EA
10.40.24.220 -> 10.46.137.230 ICMP TTL:125 TOS:0x0 ID:38970 IpLen:20 DgmLen:1500 MF
Frag Offset: 0x0000   Frag Size: 0x05C8
0x0000: 00 09 6B 61 70 5D 00 30 F2 E9 5F FC 08 00 45 00  ..kap].0.._...E.
0x0010: 05 DC 98 3A 20 00 7D 01 C8 CE 0A 28 18 DC 0A 2E  ...: .}....(....
0x0020: 89 E6 00 00 EB D0 03 00 D5 04 FF D8 FF FE 00 08  ................
0x0030: 57 41 4E 47 32 02 FF E0 00 10 4A 46 49 46 00 01  WANG2.....JFIF..
0x0040: 01 01 00 60 00 60 00 00 FF DB 00 43 00 10 0B 0C  ...`.`.....C....
0x0050: 0E 0C 0A 10 0E 0D 0E 12 11 10 13 18 28 1A 18 16  ............(...
0x0060: 16 18 31 23 25 1D 28 3A 33 3D 3C 39 33 38 37 40  ..1#%.(:3=<9387@
0x0070: 48 5C 4E 40 44 57 45 37 38 50 6D 51 57 5F 62 67  H\N@DWE78PmQW_bg
0x0080: 68 67 3E 4D 71 79 70 64 78 5C 65 67 63 FF DB 00  hg>Mqypdx\egc...
0x0090: 43 01 11 12 12 18 15 18 2F 1A 1A 2F 63 42 38 42  C......./../cB8B
0x00A0: 63 63 63 63 63 63 63 63 63 63 63 63 63 63 63 63  cccccccccccccccc
0x00B0: 63 63 63 63 63 63 63 63 63 63 63 63 63 63 63 63  cccccccccccccccc
0x00C0: 63 63 63 63 63 63 63 63 63 63 63 63 63 63 63 63  cccccccccccccccc
0x00D0: 63 63 FF C0 00 11 08 00 26 00 9E 03 01 21 00 02  cc......&....!..
0x00E0: 11 01 03 11 01 FF C4 00 1F 00 00 01 05 01 01 01  ................
0x00F0: 01 01 01 00 00 00 00 00 00 00 00 01 02 03 04 05  ................
0x0100: 06 07 08 09 0A 0B FF C4 00 B5 10 00 02 01 03 03  ................
0x0110: 02 04 03 05 05 04 04 00 00 01 7D 01 02 03 00 04  ..........}.....
0x0120: 11 05 12 21 31 41 06 13 51 61 07 22 71 14 32 81  ...!1A..Qa."q.2.
0x0130: 91 A1 08 23 42 B1 C1 15 52 D1 F0 24 33 62 72 82  ...#B...R..$3br.
0x0140: 09 0A 16 17 18 19 1A 25 26 27 28 29 2A 34 35 36  .......%&'()*456
0x0150: 37 38 39 3A 43 44 45 46 47 48 49 4A 53 54 55 56  789:CDEFGHIJSTUV
0x0160: 57 58 59 5A 63 64 65 66 67 68 69 6A 73 74 75 76  WXYZcdefghijstuv
0x0170: 77 78 79 7A 83 84 85 86 87 88 89 8A 92 93 94 95  wxyz............
0x0180: 96 97 98 99 9A A2 A3 A4 A5 A6 A7 A8 A9 AA B2 B3  ................
0x0190: B4 B5 B6 B7 B8 B9 BA C2 C3 C4 C5 C6 C7 C8 C9 CA  ................
0x01A0: D2 D3 D4 D5 D6 D7 D8 D9 DA E1 E2 E3 E4 E5 E6 E7  ................
0x01B0: E8 E9 EA F1 F2 F3 F4 F5 F6 F7 F8 F9 FA FF C4 00  ................
0x01C0: 1F 01 00 03 01 01 01 01 01 01 01 01 01 00 00 00  ................
0x01D0: 00 00 00 01 02 03 04 05 06 07 08 09 0A 0B FF C4  ................
0x01E0: 00 B5 11 00 02 01 02 04 04 03 04 07 05 04 04 00  ................
0x01F0: 01 02 77 00 01 02 03 11 04 05 21 31 06 12 41 51  ..w.......!1..AQ
0x0200: 07 61 71 13 22 32 81 08 14 42 91 A1 B1 C1 09 23  .aq."2...B.....#
0x0210: 33 52 F0 15 62 72 D1 0A 16 24 34 E1 25 F1 17 18  3R..br...$4.%...
0x0220: 19 1A 26 27 28 29 2A 35 36 37 38 39 3A 43 44 45  ..&'()*56789:CDE
0x0230: 46 47 48 49 4A 53 54 55 56 57 58 59 5A 63 64 65  FGHIJSTUVWXYZcde
0x0240: 66 67 68 69 6A 73 74 75 76 77 78 79 7A 82 83 84  fghijstuvwxyz...
0x0250: 85 86 87 88 89 8A 92 93 94 95 96 97 98 99 9A A2  ................
0x0260: A3 A4 A5 A6 A7 A8 A9 AA B2 B3 B4 B5 B6 B7 B8 B9  ................
0x0270: BA C2 C3 C4 C5 C6 C7 C8 C9 CA D2 D3 D4 D5 D6 D7  ................
0x0280: D8 D9 DA E2 E3 E4 E5 E6 E7 E8 E9 EA F2 F3 F4 F5  ................
0x0290: F6 F7 F8 F9 FA FF DA 00 0C 03 01 00 02 11 03 11  ................
0x02A0: 00 3F 00 ED 35 6D 4A 1D 23 4D 96 FA E1 64 68 A2  .?..5mJ.#M...dh.
0x02B0: C6 E1 18 05 B9 20 71 92 3D 6A AE 81 E2 2B 2F 10  ..... q.=j...+/.
0x02C0: 47 33 59 89 50 C2 40 74 95 40 23 3D 0F 04 8E C7  G3Y.P.@t.@#=....
0x02D0: BF 6A 00 D6 AE 75 FC 67 A6 2E B6 34 A5 8E E5 E6  .j...u.g...4....
0x02E0: F3 C4 1B D5 06 CD E4 E3 B9 CF 07 8E 9D BB D0 06  ................
0x02F0: 86 A7 AD DB 69 77 B6 16 B3 A4 AC F7 D2 79 71 94  ....iw.......yq.
0x0300: 00 80 72 A3 9C 91 FD E1 EB 5A 54 00 51 40 05 14  ..r......ZT.Q@..
0x0310: 00 51 40 05 14 00 51 40 0D 92 44 8A 36 92 47 54  .Q@...Q@..D.6.GT
0x0320: 44 05 99 98 E0 28 1D 49 35 CC DB F8 F3 49 B9 D4  D....(.I5....I..
0x0330: 62 B3 86 2B B6 69 65 11 24 9B 14 29 24 E0 1E 5B  b..+.ie.$..)$..[
0x0340: 38 FC 33 ED 40 1B D6 BA 8D A5 E5 D5 CD B5 B4 EB  8.3.@...........
0x0350: 24 B6 A4 2C CA A0 FC 84 E7 8C F4 3D 0F 4E 98 AB  $..,.......=.N..
0x0360: 54 01 CF F8 EF FE 45 0B EF FB 67 FF 00 A3 16 B9  T.....E...g.....
0x0370: 9F 0C 11 A1 F8 A2 C6 1D CA 96 FA A5 84 4E 07 98  .............N..
0x0380: 40 0E 50 1C 90 7A 92 CA C0 0F F6 F8 F4 A0 0E F3  @.P..z..........
0x0390: 53 BD 4D 37 4D B9 BD 93 69 10 46 5F 6B 36 DD C4  S.M7M...i.F_k6..
0x03A0: 0E 17 3E E7 03 F1 AF 2D D3 AC DA 39 FC 3B A8 4C  ..>....-...9.;.L
0x03B0: DB E7 BE D4 19 DA 42 C4 B3 05 78 C7 39 EF BB 79  ......B...x.9..y
0x03C0: FC 68 03 D1 35 AD 77 FB 27 51 D2 ED 3E CD E6 FD  .h..5.w.'Q..>...
0x03D0: BE 5F 2F 76 FD BB 39 51 9C 60 E7 EF 7B 74 AB 5A  ._/v..9Q.`..{t.Z
0x03E0: BE AF 69 A2 D9 7D AA F5 D9 50 9D AA 15 49 2C D8  ..i..}...P...I,.
0x03F0: 24 01 F5 C1 EB 81 40 1C EF FC 27 13 47 FE 91 71  $.....@...'.G..q
0x0400: A0 5F 47 A7 9E 45 CE 0F 2A 7E E9 C1 00 73 91 FC  ._G..E..*~...s..
0x0410: 5D FB D7 45 2E A9 07 F6 24 BA A5 AB 2D C4 29 03  ]..E....$...-.).
0x0420: 4C BB 4E 37 6D 04 E3 DB A6 3D A8 03 9D B6 F1 C4  L.N7m....=......
0x0430: D7 E9 00 D3 74 49 EE E7 6F F5 C8 8E 76 C2 4B 10  ....tI..o...v.K.
0x0440: A0 B6 DC 72 06 72 70 07 AF 5C 6D 78 83 C4 16 9A  ...r.rp..\mx....
0x0450: 05 A8 92 E7 73 CB 20 6F 26 25 07 F7 84 63 BF 41  ....s. o&%...c.A
0x0460: D4 75 FD 7A 50 06 2A F8 DE E2 DE 68 8E AB A0 DD  .u.zP.*....h....
0x0470: D8 5A BB EC 69 DF 71 0A 4F B1 51 9F E7 8C F5 AE  .Z..i.q.O.Q.....
0x0480: 99 F5 1B 48 F4 D1 A8 C9 3A A5 A1 8C 4B E6 30 23  ...H....:...K.0#
0x0490: E5 23 23 8E BC E4 71 D6 80 39 9F F8 4D 6F 2E 3F  .##...q..9..Mo.?
0x04A0: 7B A7 F8 6E FA E6 D5 BE E4 BC 8D DE BD 14 8E B9  {..n............
0x04B0: 1D 7B 56 C7 87 3C 45 6B E2 1B 79 1E DD 24 8A 58  .{V..<Ek..y..$.X
0x04C0: 76 89 63 71 F7 49 1D 8F 71 C1 F4 3C 74 14 01 1F  v.cq.I..q..<t...
0x04D0: 88 7C 4D 6F A2 32 5B AC 32 5D 5F 4B B7 CB B6 40  .|Mo.2[.2]_K...@
0x04E0: 41 60 49 19 CE 0F A1 18 19 39 C7 1D EB 36 0F 1C  A`I......9...6..
0x04F0: 18 6E 92 3D 6B 49 B9 D2 E2 90 1D B2 C8 19 B2 47  .n.=kI.........G
0x0500: B6 D0 7F 2C F5 1F 5A 00 B9 E3 4D 4A E6 CB 4A 92  ...,..Z...MJ..J.
0x0510: 08 34 E9 6E 92 E6 09 52 49 53 38 80 6D C6 E3 80  .4.n...RIS8.m...
0x0520: 7D 49 ED D2 B9 BF 0C 78 82 FF 00 4D D0 E1 B7 B4  }I.....x...M....
0x0530: F0 DD CD D2 65 98 DC 44 18 09 09 63 CF 08 73 8E  ....e..D...c..s.
0x0540: 07 5E D4 01 5F C3 FA F5 FD 96 AB AC 4F 06 87 73  .^.._.......O..s
0x0550: 74 F7 33 EF 92 24 DD 98 0E E7 3B 4E 14 FA 91 DB  t.3..$....;N....
0x0560: A5 7A 75 00 73 FE 3B FF 00 91 42 FB FE D9 FF 00  .zu.s.;...B.....
0x0570: E8 C5 AC 1F 11 DB 4A BE 0E D0 75 5B 62 C2 6B 08  ......J...u[b.k.
0x0580: E1 60 DC 61 41 55 E7 07 AF CC 13 F3 34 01 6B C6  .`.aAU......4.k.
0x0590: FA 93 5F 68 7A 65 A5 92 C9 BF 56 74 64 56 0A 32  .._hze....VtdV.2
0x05A0: BC 10 A4 93 C1 DC C9 F9 1E 7D 5B E2 8B 64 B3 D5  .........}[..d..
0x05B0: 7C 23 6B 19 62 90 4E 23 52 DD 48 0D 10 19 FC A8  |#k.b.N#R.H.....
0x05C0: 02 6F 1A 7F C8 C3 E1 8F FA FB FF 00 D9 E3 A8 FC  .o..............
0x05D0: 45 0A EA 3E 3F D1 B4 FB 93 BA D5 62 33 79 78 18  E..>?......b3yx.
0x05E0: 27 E6 27 39 1C 83 B1 41 1E 94                    '.'9...A..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/01-13:26:12.066570 0:30:F2:E9:5F:FC -> 0:9:6B:61:70:5D type:0x800 len:0x262
10.40.24.220 -> 10.46.137.230 ICMP TTL:125 TOS:0x0 ID:38970 IpLen:20 DgmLen:596
Frag Offset: 0x00B9   Frag Size: 0x0240
0x0000: 00 09 6B 61 70 5D 00 30 F2 E9 5F FC 08 00 45 00  ..kap].0.._...E.
0x0010: 02 54 98 3A 00 B9 7D 01 EB 9D 0A 28 18 DC 0A 2E  .T.:..}....(....
0x0020: 89 E6 01 D8 5C 41 1D CD BC B6 F3 2E E8 A5 42 8E  ....\A........B.
0x0030: B9 C6 41 18 23 8A C3 97 48 87 44 F0 7E A7 67 6F  ..A.#...H.D.~.go
0x0040: 34 F2 C5 F6 79 99 7C E6 0C 57 28 78 18 03 03 BF  4...y.|..W(x....
0x0050: D4 9A 00 6F 80 63 44 F0 95 9B 22 2A 97 32 33 10  ...o.cD..."*.23.
0x0060: 31 B8 EF 61 93 EB C0 03 F0 AC D4 85 75 1F 8A 17  1..a........u...
0x0070: 02 E8 EF 5B 1B 75 78 54 81 80 70 B8 CF 1C E0 BB  ...[.uxT..p.....
0x0080: 1F 5C E3 D2 80 3A CB FB 28 75 1B 19 EC EE 17 31  .\...:..(u.....1
0x0090: 4C 85 5B 81 91 EE 33 DC 75 1E E2 B8 9F 0C 59 CF  L.[...3.u.....Y.
0x00A0: AE FC 3E BC D3 44 CA 84 4E 52 22 CB C2 E0 AB E0  ..>..D..NR".....
0x00B0: E3 D4 93 CF 3D 7D B1 40 10 DB F8 9B 5F F0 CD BC  ....=}.@...._...
0x00C0: 56 9A B6 93 BE DE 04 11 24 9C A6 4E 32 A3 78 CA  V.......$..N2.x.
0x00D0: 9C 0E 30 06 78 F6 35 B9 E1 AD 43 C3 DA A6 AF 73  ..0.x.5...C....s
0x00E0: 77 A6 DB C9 06 A1 22 13 28 75 20 B2 E5 72 D8 04  w.....".(u ..r..
0x00F0: AF 27 1E F9 CD 00 53 F0 BC 2B 7B E3 3D 7A FE E4  .'....S..+{.=z..
0x0100: EF 9E DA 5F 26 32 40 C2 8C B2 FA 75 0A 80 67 D0  ..._&2@....u..g.
0x0110: 9E B9 AD CF 16 D9 43 7B E1 AB E5 99 73 E5 44 D3  ......C{....s.D.
0x0120: 21 00 65 59 41 23 19 E9 D3 1F 42 68 03 2F 4B 9E  !.eYA#....Bh./K.
0x0130: 4B 8F 86 4E F2 B6 E6 16 53 A0 38 C7 0A 19 40 FC  K..N....S.8...@.
0x0140: 80 AB 9E 04 FF 00 91 42 C7 FE DA 7F E8 C6 A0 0C  .......B........
0x0150: FF 00 05 FF 00 C8 C3 E2 7F FA FB FF 00 D9 E4 AE  ................
0x0160: C2 80 39 FF 00 1D FF 00 C8 A1 7D FF 00 6C FF 00  ..9.......}..l..
0x0170: F4 62 D4 D6 56 49 A9 78 2E D6 CA 4D A0 4F 61 1A  .b..VI.x...M.Oa.
0x0180: 6E 65 DD B4 94 18 6C 7B 1C 1F C2 80 38 DF 05 C1  ne....l{....8...
0x0190: 36 A1 AD D9 43 71 14 89 16 8F 13 EE 49 14 95 F3  6...Cq......I...
0x01A0: 0B B1 E4 1F BA DF 37 D7 F7 7F 96 E7 8D 3F E4 61  ......7......?.a
0x01B0: F0 C7 FD 7D FF 00 EC F1 D0 01 E3 4F F9 18 7C 31  ...}.......O..|1
0x01C0: FF 00 5F 7F FB 3C 75 37 8C 2C 2F 62 BA B2 D7 74  .._..<u7.,/b...t
0x01D0: 88 5A 5B DB 43 B1 91 50 BE F4 39 ED 9E D9 23 81  .Z[.C..P..9...#.
0x01E0: 9F 9B 39 18 A0 0A BF F0 B0 61 BA B7 F2 B4 FD 36  ..9......a.....6
0x01F0: EE 5D 41 D3 E4 8B 68 65 DD 8E 7A 1C 90 39 3D 06  .]A...he..z..9=.
0x0200: 71 DB B5 E8 6C 6F 6C 3C 0B 7F 1E A5 71 2C F7 6F  q...lol<....q,.o
0x0210: 6D 33 C8 64 94 C9 B3 28 70 A0 FB 00 3D 79 CD 00  m3.d...(p...=y..
0x0220: 4D E0 4F F9 14 2C 7F ED A7 FE 8C 6A CD F1 35 9D  M.O..,.....j..5.
0x0230: EE 91 AF 47 E2 4D 36 06 99 16 32 2F 23 0C 46 54  ...G.M6...2/#.FT
0x0240: 60 64 F3 9E 98 E8 30 36 64 D0 04 77 7E 35 3A BD  `d....06d..w~5:.
0x0250: AC 96 3E 1F B1 BC 92 F6 61 B0 33 28 5F 2D 4F 05  ..>.....a.3(_-O.
0x0260: B2 AC                                            ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


3. These packets seem to be mapping our network? Anyone seen this payload 
before? The destination IP Address is actually in the payload of the packet.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/01-13:28:27.133331 0:D:60:5:79:31 -> 0:9:6B:61:70:5D type:0x800 len:0x62
10.46.137.71 -> 10.46.137.230 ICMP TTL:128 TOS:0x0 ID:2640 IpLen:20 DgmLen:84
Type:8  Code:0  ID:33794   Seq:0  ECHO
0x0000: 00 09 6B 61 70 5D 00 0D 60 05 79 31 08 00 45 00  ..kap]..`.y1..E.
0x0010: 00 54 0A 50 00 00 80 01 08 D0 0A 2E 89 47 0A 2E  .T.P.........G..
0x0020: 89 E6 08 00 6E 21 84 02 00 00 31 30 2E 34 36 2E  ....n!....10.46.
0x0030: 31 33 37 2E 32 33 30 00 0E 0F 10 11 12 13 14 15  137.230.........
0x0040: 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25  .......... !"#$%
0x0050: 26 27 28 29 2A 2B 00 00 00 00 00 00 00 00 00 00  &'()*+..........
0x0060: 00 00                                            ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/01-13:28:27.133353 0:9:6B:61:70:5D -> 0:D:60:5:79:31 type:0x800 len:0x62
10.46.137.230 -> 10.46.137.71 ICMP TTL:128 TOS:0x0 ID:41013 IpLen:20 DgmLen:84
Type:0  Code:0  ID:33794  Seq:0  ECHO REPLY
0x0000: 00 0D 60 05 79 31 00 09 6B 61 70 5D 08 00 45 00  ..`.y1..kap]..E.
0x0010: 00 54 A0 35 00 00 80 01 72 EA 0A 2E 89 E6 0A 2E  .T.5....r.......
0x0020: 89 47 00 00 76 21 84 02 00 00 31 30 2E 34 36 2E  .G..v!....10.46.
0x0030: 31 33 37 2E 32 33 30 00 0E 0F 10 11 12 13 14 15  137.230.........
0x0040: 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25  .......... !"#$%
0x0050: 26 27 28 29 2A 2B 00 00 00 00 00 00 00 00 00 00  &'()*+..........
0x0060: 00 00                                            ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/01-13:29:51.291558 0:D:60:5:79:31 -> 0:9:6B:3:2E:0 type:0x800 len:0x62
10.46.137.71 -> 10.46.137.3 ICMP TTL:128 TOS:0x0 ID:6052 IpLen:20 DgmLen:84
Type:8  Code:0  ID:40194   Seq:0  ECHO
0x0000: 00 09 6B 03 2E 00 00 0D 60 05 79 31 08 00 45 00  ..k.....`.y1..E.
0x0010: 00 54 17 A4 00 00 80 01 FC 5E 0A 2E 89 47 0A 2E  .T.......^...G..
0x0020: 89 03 08 00 78 47 9D 02 00 00 31 30 2E 34 36 2E  ....xG....10.46.
0x0030: 31 33 37 2E 33 00 0C 0D 0E 0F 10 11 12 13 14 15  137.3...........
0x0040: 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25  .......... !"#$%
0x0050: 26 27 28 29 2A 2B 00 00 00 00 00 00 00 00 00 00  &'()*+..........
0x0060: 00 00                                            ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/01-13:29:51.291939 0:D:60:5:79:31 -> 0:9:6B:38:5:85 type:0x800 len:0x62
10.46.137.71 -> 10.46.137.23 ICMP TTL:128 TOS:0x0 ID:6053 IpLen:20 DgmLen:84
Type:8  Code:0  ID:40450   Seq:0  ECHO
0x0000: 00 09 6B 38 05 85 00 0D 60 05 79 31 08 00 45 00  ..k8....`.y1..E.
0x0010: 00 54 17 A5 00 00 80 01 FC 49 0A 2E 89 47 0A 2E  .T.......I...G..
0x0020: 89 17 08 00 45 E7 9E 02 00 00 31 30 2E 34 36 2E  ....E.....10.46.
0x0030: 31 33 37 2E 32 33 00 0D 0E 0F 10 11 12 13 14 15  137.23..........
0x0040: 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25  .......... !"#$%
0x0050: 26 27 28 29 2A 2B 34 FE 0F 35 36 DF FD 74 C8 30  &'()*+4..56..t.0
0x0060: FD 74                                            .t

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+



-----Original Message-----
From: kyle.r.maxwell at verizon.com [mailto:kyle.r.maxwell at verizon.com]
Sent: Monday, March 01, 2004 2:24 PM
To: Eric Hines
Cc: focus-incidents at securityfocus.com; intrusions at incidents.org;
list at dshield.org
Subject: Re: Abnormal ICMP Traffic -- Please advise


I haven't processed it to be sure, but the "JFIF" in the payload makes me 
think it may be a JPEG. Google for "wang2 jfif" and you'll see some 
related posts.

--
Kyle Maxwell
InfoSec Engineer
Verizon Global Security Operations Center
kyle.r.maxwell at verizon.com




-------------------------------------------
Eric Hines, GCIA
CEO, Chairman
Applied Watch Technologies, Inc.
web: http://www.appliedwatch.com
email: eric.hines at appliedwatch.com
-------------------------------------------
Direct: (877) 262-7593 - Toll Free x327
Fax: (815) 425-2173
General: (877) 262-7593 (9am-5pm CST)
-------------------------------------------






----- End forwarded message -----
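
Added example (not part of the original posts): an overlap check over the IPv4 fragmentation fields of the two fragment headers dumped above. The offset field counts 8-byte units, so 0x00B9 is byte 1480; on the captured pair the fragments come out contiguous (bytes 0-1479 and 1480-2055). The third header is constructed here to show what an overlapping train looks like to the check; the function and constant names are this example's own.

```python
import struct
from collections import defaultdict

# IPv4 headers copied from the two Snort dumps above (frame bytes 0x0E-0x21).
FRAG1 = bytes.fromhex("450005dc983a20007d01c8ce0a2818dc0a2e89e6")
FRAG2 = bytes.fromhex("45000254983a00b97d01eb9d0a2818dc0a2e89e6")
# Constructed for contrast: FRAG2 with the offset field lowered to 0x00B8
# (header checksum not recomputed; this code does not verify it).
FRAG2_CONSTRUCTED = bytes.fromhex("45000254983a00b87d01eb9d0a2818dc0a2e89e6")


def parse_fragment(ip_header: bytes) -> dict:
    """Decode the fragmentation fields of one IPv4 header."""
    if len(ip_header) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ip_id, flags_off,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip_header[:20])
    start = (flags_off & 0x1FFF) * 8          # offset field counts 8-byte units
    size = total_len - (ver_ihl & 0x0F) * 4   # Snort's "Frag Size"
    return {"key": (src, dst, proto, ip_id),  # same key = same datagram
            "start": start, "end": start + size,  # end is exclusive
            "more": bool(flags_off & 0x2000)}     # MF flag


def find_overlaps(headers):
    """Return (start, end, already_covered_to) for each fragment that
    begins inside data an earlier fragment of the same datagram covers."""
    trains = defaultdict(list)
    for header in headers:
        frag = parse_fragment(header)
        trains[frag["key"]].append(frag)
    hits = []
    for frags in trains.values():
        covered = 0
        for frag in sorted(frags, key=lambda f: f["start"]):
            if frag["start"] < covered:
                hits.append((frag["start"], frag["end"], covered))
            covered = max(covered, frag["end"])
    return hits


if __name__ == "__main__":
    print("captured:   ", find_overlaps([FRAG1, FRAG2]))
    print("constructed:", find_overlaps([FRAG1, FRAG2_CONSTRUCTED]))
```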



