Re: Tracking source of ICMP packet

From: Bill Verzal (BVerzal_at_KOMATSUNA.COM)
Date: 10/11/03

  • Next message: G V Raju: "network time protocol daemon for AIX"
    Date: Sat, 11 Oct 2003 08:51:25 -0500
    To: aix-l@Princeton.EDU


    Try lsof in combination with iptrace, ethereal or tcpdump. Between all of
    them, you should be able to figure it out.

    BV
    --------------------------------------------------------

    Bill Verzal
    AIX Administrator, Komatsu America
    (847) 970-3726 - direct
    (847) 970-4184 - fax

    From: "Pugliese, Edward" <s11018@SLK.COM>
    Sent by: IBM AIX Discussion List <aix-l@Princeton.EDU>
    Date: 09/23/2003 03:03 PM
    Please respond to IBM AIX Discussion List
    To: aix-l@Princeton.EDU
    cc:
    Subject: Re: Tracking source of ICMP packet

    But Nachia is a Windows related worm. The packets are being generated on
    my AIX host (maybe I wasn't specific enough in my description). I believe
    they are coming from an app as opposed to an SA tool. I am just having a
    difficult time correlating the packets to the original process. That is
    what I am trying to get assistance in locating.

    Thanks.

    -----Original Message-----
    From: Bill Verzal [mailto:BVerzal@KOMATSUNA.COM]
    Sent: Tuesday, September 23, 2003 3:56 PM
    To: aix-l@Princeton.EDU
    Subject: Re: Tracking source of ICMP packet

    If they are ICMP message "8" packets, you probably have the most recent
    worm Nachia or the Worm it was trying to clean.

    BV
    --------------------------------------------------------

    Bill Verzal
    AIX Administrator, Komatsu America
    (847) 970-3726 - direct
    (847) 970-4184 - fax

    From: "Pugliese, Edward" <s11018@SLK.COM>
    Sent by: IBM AIX Discussion List <aix-l@Princeton.EDU>
    Date: 09/23/2003 02:15 PM
    Please respond to IBM AIX Discussion List
    To: aix-l@Princeton.EDU
    cc:
    Subject: Tracking source of ICMP packet

    I have tracked down the source of some pesky ICMP packets to a certain
    host. I have confirmed it is the specific host by running "iptrace" and
    seeing the specific IP address for the source and destination that is in
    question for the "ECHO REQUEST". What I cannot figure out is how to
    backtrack to the process that is generating the ICMP packets. Any
    assistance in how I might do this would be appreciated.

    Thanks,
    Ed
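
A worked version of the lsof-plus-tcpdump suggestion above, added here as an example and not part of the original thread: it lists the destinations of the echo requests a capture shows and the local processes lsof reports holding a raw ICMP socket, then joins the two. The tcpdump and lsof line layouts, the sample output and the command names in run_live are assumptions constructed for the example.

```shell
#!/bin/sh
# Correlate outbound ICMP echo requests (seen with tcpdump/iptrace) with the
# local process that holds a raw ICMP socket (seen with lsof). The helpers
# read text on stdin so the logic can be checked against constructed output;
# run_live at the end feeds them the real tools.

# Unique destinations of "ICMP echo request" lines in tcpdump -n text output.
# Line shape assumed: "TIME IP SRC > DST: ICMP echo request, id ..., seq ..."
echo_request_targets() {
    awk '/ICMP echo request/ { sub(/:$/, "", $5); print $5 }' | sort -u
}

# "COMMAND PID USER" of every lsof -n -i line describing a raw socket (TYPE
# column "raw") or mentioning ICMP anywhere; the header line is skipped.
# Assumed column order: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME.
raw_icmp_owners() {
    awk '$1 != "COMMAND" && ($5 == "raw" || tolower($0) ~ /icmp/) {
            print $1, $2, $3 }' | sort -u
}

# Join the two views: one line per target, listing candidate owners.
# No owner usually means a short-lived sender (a cron job or script forking
# ping) that had already exited when lsof ran, so repeat with a longer capture.
correlate() {
    owners=$(raw_icmp_owners < "$2" | tr '\n' ';')
    echo_request_targets < "$1" | while read -r dst; do
        printf '%s <- %s\n' "$dst" "${owners:-no raw ICMP socket open}"
    done
}

# Constructed sample output (not from a real host) for offline checking.
SAMPLE_TCPDUMP='12:00:01.0 IP 10.1.2.3 > 10.9.9.9: ICMP echo request, id 1, seq 1, length 64
12:00:01.1 IP 10.9.9.9 > 10.1.2.3: ICMP echo reply, id 1, seq 1, length 64
12:00:02.0 IP 10.1.2.3 > 10.9.9.9: ICMP echo request, id 1, seq 2, length 64'
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 812 root 3u IPv4 0x1 0t0 TCP *:22 (LISTEN)
monitor 4711 appuser 5u IPv4 0x2 0t0 ICMP *:*'

# Live run (needs root): capture 20 ICMP packets involving host $1, then
# snapshot the socket table while the sender is still active.
run_live() {
    tcpdump -n -c 20 icmp and host "$1" > /tmp/icmp.txt
    lsof -n -i > /tmp/lsof.txt
    correlate /tmp/icmp.txt /tmp/lsof.txt
}
```

On AIX the capture can equally come from iptrace/ipreport; only the echo_request_targets pattern needs adjusting to that report's line shape.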

