Attack of the icmp pinging morons.........

Hanasaki JiJi hanasaki at hanaden.com
Sun Aug 24 17:34:26 CDT 2003


Ah... the cure becomes its own disease! :(

Gerald Combs wrote:
> This is apparently the Welchia worm.  It's someone's idea of a clever
> response to the Blaster worm -- it scans for vulnerable hosts and tries
> to patch and disinfect them:
> 
>   http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html
> 
> There was a discussion about it on snort-users this past week:
> 
>   http://marc.theaimsgroup.com/?t=106154973500001&r=1&w=2
> 
> I'm seeing a ping request on my outside interface every five or ten
> seconds.  I'm also seeing one or two dozen ARP requests per second,
> which is a hint that my subnet is being scanned heavily.  If this keeps
> up, the LEDs on my cable modem and NIC will burn out.
> 
> 
> On Sun, 24 Aug 2003, Hanasaki JiJi wrote:
> 
> 
>>Anyone else getting pinged DOS from
>>	"ICMP PING CyberKit 2.2 Windows"
>>This is the report from Snort.  There were over 12,000 of them in the 
>>last 24 hours.  This number has been increasing over the last week.  Most 
>>of the offending IPs seem to be from RR accounts.  Examples below:
>>
>>Events from same host to same destination using same method
>>  # of  from             to               method
>>    26  65.30.112.72     65.30.34.80      ICMP PING CyberKit 2.2 Windows
>>    19  65.30.148.72     65.30.34.80      ICMP PING CyberKit 2.2 Windows
>>    17  65.30.97.9       65.30.34.80      ICMP PING CyberKit 2.2 Windows
>>    15  65.30.193.88     65.30.34.80      ICMP PING CyberKit 2.2 Windows
>>    14  65.30.205.204    65.30.34.80      ICMP PING CyberKit 2.2 Windows
>>    14  65.29.6.220      65.30.34.80      ICMP PING CyberKit 2.2 Windows
>>    14  65.30.146.224    65.30.34.80      ICMP PING CyberKit 2.2 Windows
>>    14  65.30.140.219    65.30.34.80      ICMP PING CyberKit 2.2 Windows
>>    14  65.29.219.81     65.30.34.80      ICMP PING CyberKit 2.2 Windows
>>...
>>
>>
>>-- 
>>= Management is doing things right; leadership is doing the     =
>>=       right things.    - Peter Drucker                        =
>>=_______________________________________________________________=
>>=     http://www.sun.com/service/sunps/jdc/javacenter.pdf       =
>>=  www.sun.com | www.javasoft.com | http://www.sun.com/sunone   =

More information about the Kclug mailing list
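
An added example, not part of the original thread: a small Python parser for the Snort summary format quoted above that groups rows by destination and alert name and flags the many-senders-to-one-host pattern the posters describe. The function names and the threshold of five distinct sources are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Rows copied from the Snort summary quoted in the post above.
REPORT = """\
>>  # of  from             to               method
>>    26  65.30.112.72     65.30.34.80      ICMP PING CyberKit 2.2 Windows
>>    19  65.30.148.72     65.30.34.80      ICMP PING CyberKit 2.2 Windows
>>    17  65.30.97.9       65.30.34.80      ICMP PING CyberKit 2.2 Windows
>>    15  65.30.193.88     65.30.34.80      ICMP PING CyberKit 2.2 Windows
>>    14  65.30.205.204    65.30.34.80      ICMP PING CyberKit 2.2 Windows
>>    14  65.29.6.220      65.30.34.80      ICMP PING CyberKit 2.2 Windows
>>    14  65.30.146.224    65.30.34.80      ICMP PING CyberKit 2.2 Windows
>>    14  65.30.140.219    65.30.34.80      ICMP PING CyberKit 2.2 Windows
>>    14  65.29.219.81     65.30.34.80      ICMP PING CyberKit 2.2 Windows
>>...
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
ROW = re.compile(rf"^(\d+)\s+({IP})\s+({IP})\s+(\S.*?)\s*$")

def parse_report(text):
    """Return (count, src, dst, method) per data row; headers and '...' are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.lstrip("> \t"))  # tolerate mail quoting and indent
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows

def fan_in(rows, min_sources=5):  # threshold is an assumed tuning value
    """Flag (dst, method) pairs hit by at least min_sources distinct senders."""
    groups = defaultdict(lambda: {"events": 0, "sources": set()})
    for count, src, dst, method in rows:
        groups[(dst, method)]["events"] += count
        groups[(dst, method)]["sources"].add(src)
    findings = []
    for (dst, method), g in groups.items():
        if len(g["sources"]) >= min_sources:
            # Summarise senders by /16 to show whether they share address space.
            nets = Counter(".".join(s.split(".")[:2]) + ".0.0/16" for s in g["sources"])
            findings.append({"dst": dst, "method": method, "events": g["events"],
                             "sources": len(g["sources"]), "nets": dict(nets)})
    return findings

if __name__ == "__main__":
    for f in fan_in(parse_report(REPORT)):
        print(f)
```
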