
Re: Strange Large ICMP packets IDS246




Hi

Thanks very much. The probably hacked Windows 2000 servers have nothing to do with
Debian though. I first thought of a false Snort alarm on the Debian box I
am using as a NIDS.

Goosh... Windoze is evil though...

Marcel


enyc@eeek.org.uk wrote:
|>Today I had a whole bunch of large ICMP packages on the company's LAN (about 20).
|>Interestingly, they came mostly from the Windows 2000 servers. I
|>discovered the first of these packages 2 or 3 weeks ago.
|>These packets are long (2090 Bytes) and not filled with nulls, but with
|>more or less weird content. They have no "Don't fragment" flags set, so I
|>wonder where they come from and what they're good for.
|>Has anybody seen such packets yet? (See attachment)
|
| Looking at your packet --
|
|
|>0000  00 e0 7d 8a 07 11 00 a0 c9 af bb 7f 08 00 45 00   ..}...........E.
|>0010  08 1c ff d7 00 00 80 01 e8 aa c0 a8 64 1e c0 a8   ............d...
|>0020  64 ef 00 00 bd d5 02 00 04 00 ff d8 ff fe 00 08   d...............
|>0030  57 41 4e 47 32 02 ff e0 00 10 4a 46 49 46 00 01   WANG2.....JFIF..
|>0040  01 01 00 60 00 60 00 00 ff db 00 43 00 10 0b 0c   ...`.`.....C....
|>0050  0e 0c 0a 10 0e 0d 0e 12 11 10 13 18 28 1a 18 16   ............(...
|>0060  16 18 31 23 25 1d 28 3a 33 3d 3c 39 33 38 37 40   ..1#%.(:3=<9387@
|>0070  48 5c 4e 40 44 57 45 37 38 50 6d 51 57 5f 62 67   H\N@DWE78PmQW_bg
|
| [...cut...]
|
|>07f0  a7 fe 8c 6a cd f1 35 9d ee 91 af 47 e2 4d 36 06   ...j..5....G.M6.
|>0800  99 16 32 2f 23 0c 46 54 60 64 f3 9e 98 e8 30 36   ..2/#.FT`d....06
|>0810  64 d0 04 77 7e 35 3a bd ac 96 3e 1f b1 bc 92 f6   d..w~5:...>.....
|>0820  61 b0 33 28 5f 2d 4f 05 b2 ac                     a.3(_-O...
|
|
| This looks like a JPG picture!
| -- I cut out the data from this packet-dump into a file --
| STARTING from location 0034 -- starting from the "2" after "WANG" --
| so the file starts with [32 02 ff e0 00 10 4a 46 49 46] ("2.....JFIF") --
| up to the end of the packet....
| all looks very like a JPG file -- except it starts with [32 02] --
| I replaced the first 2 bytes in the file with [FF D8] (correct start of
| JPG file) -- this JPG displays -- appears to be an incomplete JPG of the
| 3vil word "Microsoft" -- except some of the jpg is cut off/not shown (may
| not display in some jpg-viewers therefore).
|
| Hang on.. surely this message is off-topic -- what does this have to do
| with debian-linux??
|
| Heh.. This is the first time I've posted to a mailing list actually.. thinking
| about it =).
|
|
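Scripting the check the quoted post did by hand (an added example, not code from anyone in this thread): it parses the dump lines quoted above, walks the Ethernet, IP and ICMP headers to confirm the 2090-byte length and the clear DF flag, then lists the JPEG marker segments it can reach in the ICMP payload, stopping where the dump is cut. The embedded dump lines are a subset of the ones quoted; the function names and the marker walk are my own.

```python
import re
# Constructed input: a subset of the dump lines quoted above, mail quoting prefixes
# removed; the frame's other bytes are absent here just as they are on the list.
DUMP = r"""
0000  00 e0 7d 8a 07 11 00 a0 c9 af bb 7f 08 00 45 00   ..}...........E.
0010  08 1c ff d7 00 00 80 01 e8 aa c0 a8 64 1e c0 a8   ............d...
0020  64 ef 00 00 bd d5 02 00 04 00 ff d8 ff fe 00 08   d...............
0030  57 41 4e 47 32 02 ff e0 00 10 4a 46 49 46 00 01   WANG2.....JFIF..
0040  01 01 00 60 00 60 00 00 ff db 00 43 00 10 0b 0c   ...`.`.....C....
0820  61 b0 33 28 5f 2d 4f 05 b2 ac                     a.3(_-O...
"""
LINE = re.compile(r"^([0-9a-f]{4})\s{2}((?:[0-9a-f]{2} ?){1,16})")

def parse_dump(text):
    """Absolute offset -> byte for every byte shown; cut-out regions simply stay absent."""
    frame = {}
    for m in filter(None, map(LINE.match, text.splitlines())):
        base = int(m.group(1), 16)
        frame.update((base + i, b) for i, b in enumerate(bytes.fromhex(m.group(2))))
    return frame

def rd(frame, off, n):
    """n bytes at off, or None if any of them lie in a region the dump does not show."""
    chunk = [frame.get(off + i) for i in range(n)]
    return None if None in chunk else bytes(chunk)

def parse_headers(frame):
    """Ethernet -> IPv4 -> ICMP; the fields the thread argues about."""
    assert rd(frame, 12, 2) == b"\x08\x00", "not an IPv4 frame"
    ihl, total_len = (frame[14] & 0x0F) * 4, int.from_bytes(rd(frame, 16, 2), "big")
    icmp = 14 + ihl
    return {"frame_len": 14 + total_len,           # wire size implied by the IP header
            "dump_len": max(frame) + 1,            # wire size implied by the last dump line
            "df_set": bool(frame[20] & 0x40),      # DF is bit 6 of the IP flags byte
            "proto": frame[23], "icmp_type": frame[icmp],   # 1 = ICMP; 0 = echo reply
            "payload_off": icmp + 8, "payload_len": total_len - ihl - 8}

def jpeg_segments(frame, off):
    """(offset, marker, length) for each JPEG marker segment reachable in the captured bytes."""
    segs, standalone = [], {0x01, 0xD8, 0xD9, *range(0xD0, 0xD8)}  # markers with no length field
    while (hdr := rd(frame, off, 2)) and hdr[0] == 0xFF:
        marker, ln = hdr[1], rd(frame, off + 2, 2)
        if marker not in standalone and ln is None:
            break                                  # length field lies in the cut-out region
        length = 0 if marker in standalone else int.from_bytes(ln, "big")
        segs.append((off, marker, length))
        if marker in (0xD9, 0xDA):                 # EOI, or SOS: entropy-coded data follows
            break
        off += 2 + length
    return segs
```

On a complete capture the same walk runs on to the SOS marker, after which the entropy-coded image data begins and the segment structure ends.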





