Re: Tracking source of ICMP packet

From: Pugliese, Edward (s11018_at_SLK.COM)
Date: 09/23/03

    Date:         Tue, 23 Sep 2003 16:03:39 -0400
    To: aix-l@Princeton.EDU
    
    

    But Nachia is a Windows related worm. The packets are being generated on
    my AIX host (maybe I wasn't specific enough in my description). I believe
    they are coming from an app as opposed to an SA tool. I am just having a
    difficult time correlating the packets to the original process. That is
    what I am trying to get assistance in locating.

    Thanks.

    -----Original Message-----
    From: Bill Verzal [mailto:BVerzal@KOMATSUNA.COM]
    Sent: Tuesday, September 23, 2003 3:56 PM
    To: aix-l@Princeton.EDU
    Subject: Re: Tracking source of ICMP packet

    If they are ICMP message "8" packets, you probably have the most recent
    worm Nachia or the Worm it was trying to clean.

    BV
    --------------------------------------------------------

    Bill Verzal
    AIX Administrator, Komatsu America
    (847) 970-3726 - direct
    (847) 970-4184 - fax

    From: "Pugliese, Edward" <s11018@SLK.COM>
    Sent by: IBM AIX Discussion List <aix-l@Princeton.EDU>
    Date: 09/23/2003 02:15 PM
    Please respond to: IBM AIX Discussion List
    To: aix-l@Princeton.EDU
    cc:
    Subject: Tracking source of ICMP packet

    I have tracked down the source of some pesky ICMP packets to a certain
    host. I have confirmed it is the specific host by running "iptrace" and
    seeing the specific IP address for the source and destination that is in
    question for the "ECHO REQUEST". What I cannot figure out is how to
    backtrack to the process that is generating the ICMP packets. Any
    assistance in how I might do this would be appreciated.

    Thanks,
    Ed
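
One defender-side lead on the question Ed asks, added here as an example rather than anything from the thread: decode a captured IPv4/ICMP echo request and pull out the ICMP identifier field, which BSD-derived ping implementations set to the sending process's PID, so it gives a candidate PID to check with ps on the sending host (an application using its own raw socket can put anything there). The packet builder, addresses and payload are constructed sample input, not captured traffic.

```python
import struct

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (data padded to an even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo_request(src: str, dst: str, ident: int, seq: int,
                       payload: bytes = b"AIX") -> bytes:
    """Constructed sample packet: IPv4 header + ICMP echo request (type 8)."""
    chk = icmp_checksum(struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload)
    icmp = struct.pack("!BBHHH", 8, 0, chk, ident, seq) + payload
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    fields = [0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0, src_b, dst_b]  # proto 1 = ICMP
    fields[7] = icmp_checksum(struct.pack("!BBHHHBBH4s4s", *fields))   # IP header checksum
    return struct.pack("!BBHHHBBH4s4s", *fields) + icmp

def parse_echo_request(pkt: bytes):
    """Return the fields of an ICMP echo request, or None for any other packet."""
    ihl = (pkt[0] & 0x0F) * 4           # IPv4 header length in bytes
    if pkt[9] != 1:                     # IP protocol field: 1 = ICMP
        return None
    icmp = pkt[ihl:]
    if len(icmp) < 8:
        return None
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type != 8:                  # only ECHO REQUEST is of interest here
        return None
    return {
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
        "code": code,
        "id": ident,
        "seq": seq,
        # A checksum over header+payload including the checksum field sums to 0 when intact.
        "checksum_ok": icmp_checksum(icmp) == 0,
        # Heuristic only: BSD-derived ping uses getpid() & 0xFFFF as the identifier,
        # so this is the first PID to look at with ps on the sending host.
        "candidate_pid": ident,
    }
```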
