Attack of the icmp pinging morons.........

Rick Meeker rmeeker at kc.rr.com
Sun Aug 24 17:51:51 CDT 2003


Ever since Code Red, the data LED on my cable modem hasn't quit.  My router
is dropping incoming packets like crazy.

-----Original Message-----
From: owner-kclug at marauder.illiana.net
[mailto:owner-kclug at marauder.illiana.net]On Behalf Of Gerald Combs
Sent: Sunday, August 24, 2003 11:57 AM
To: Hanasaki JiJi
Cc: List - KCLUG
Subject: Re: Attack of the icmp pinging morons.........

This is apparently the Welchia worm.  It's someone's idea of a clever
response to the Blaster worm -- it scans for vulnerable hosts and tries
to patch and disinfect them:

http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

There was a discussion about it on snort-users this past week:

  http://marc.theaimsgroup.com/?t=106154973500001&r=1&w=2

I'm seeing a ping request on my outside interface every five or ten
seconds.  I'm also seeing one or two dozen ARP requests per second,
which is a hint that my subnet is being scanned heavily.  If this keeps
up, the LEDs on my cable modem and NIC will burn out.

On Sun, 24 Aug 2003, Hanasaki JiJi wrote:

> Anyone else getting pinged DOS from
> 	"ICMP PING CyberKit 2.2 Windows"
> This is the report from Snort.  There were over 12,000 of them in the
> last 24 hours.  This number has been increasing over the last week.  Most
> of the offending IPs seem to be from RR accounts.  Examples below:
>
> Events from same host to same destination using same method
>   # of  from             to               method
>     26  65.30.112.72     65.30.34.80      ICMP PING CyberKit 2.2 Windows
>     19  65.30.148.72     65.30.34.80      ICMP PING CyberKit 2.2 Windows
>     17  65.30.97.9       65.30.34.80      ICMP PING CyberKit 2.2 Windows
>     15  65.30.193.88     65.30.34.80      ICMP PING CyberKit 2.2 Windows
>     14  65.30.205.204    65.30.34.80      ICMP PING CyberKit 2.2 Windows
>     14  65.29.6.220      65.30.34.80      ICMP PING CyberKit 2.2 Windows
>     14  65.30.146.224    65.30.34.80      ICMP PING CyberKit 2.2 Windows
>     14  65.30.140.219    65.30.34.80      ICMP PING CyberKit 2.2 Windows
>     14  65.29.219.81     65.30.34.80      ICMP PING CyberKit 2.2 Windows
> ...
>
>
> --
> = Management is doing things right; leadership is doing the     =
> =       right things.    - Peter Drucker                        =
> =_______________________________________________________________=
> =     http://www.sun.com/service/sunps/jdc/javacenter.pdf       =
> =  www.sun.com | www.javasoft.com | http://www.sun.com/sunone   =
>
>
>
>
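
Added example, not part of the original thread: one way to rebuild the "same host to same destination using same method" report quoted above from raw alerts, and to check whether the sources cluster in neighbouring networks. The alert layout (Snort's "fast" format), the sample lines, the documentation-range addresses and the `1:0:0` rule id are all constructed assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Constructed sample lines in Snort's "fast" alert layout (assumed here).
# Addresses are documentation ranges; the 1:0:0 rule id is a placeholder.
MSG = "ICMP PING CyberKit 2.2 Windows"
SAMPLE = "\n".join(
    f"08/24-11:40:{i:02d}.000000  [**] [1:0:0] {MSG} [**] [Priority: 3] {{ICMP}} {src} -> 192.0.2.80"
    for i, src in enumerate(
        ["198.51.100.7"] * 3 + ["198.51.100.9"] * 2 + ["203.0.113.5"]
    )
) + "\nthis line is not an alert and is skipped\n"

# msg sits between the two [**] markers; ports are optional (ICMP has none).
ALERT = re.compile(
    r"\[\*\*\]\s+\[\d+:\d+:\d+\]\s+(?P<msg>.+?)\s+\[\*\*\].*?"
    r"\{\w+\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

def parse(text):
    """Yield (src, dst, msg) for every line that matches the alert layout."""
    for line in text.splitlines():
        m = ALERT.search(line)
        if m:
            yield m["src"], m["dst"], m["msg"]

def same_host_report(text):
    """Count events per (source, destination, method), busiest first."""
    return Counter(parse(text)).most_common()

def sources_by_net(text, prefix=16):
    """Count distinct alerting sources per enclosing network."""
    nets = Counter()
    for src in {s for s, _, _ in parse(text)}:
        nets[str(ip_network(f"{src}/{prefix}", strict=False))] += 1
    return nets

if __name__ == "__main__":
    print("  # of  from             to               method")
    for (src, dst, msg), n in same_host_report(SAMPLE):
        print(f"{n:6}  {src:<16} {dst:<16} {msg}")
    for net, hosts in sources_by_net(SAMPLE).most_common():
        print(f"{hosts} distinct source(s) in {net}")
```

Many distinct sources in the same provider ranges as the destination, all raising the same alert, matches what the posts describe: infected neighbours sweeping their local address space.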



