Security Basics mailing list archives
Re: Ping Cyberkit 2.2
From: "GSimmonds" <gsimmonds () primus ca>
Date: Fri, 12 Sep 2003 23:03:09 -0400
----- Original Message -----
From: "Dr Aldo Medina" <aldomedina () hotpop com>
To: <security-basics () securityfocus com>
Sent: Thursday, September 11, 2003 10:12 PM
Subject: Ping Cyberkit 2.2
For about a week, my snort logs have been full of messages like this:
Sep 6 12:27:56 linuxserver snort: [1:483:2] ICMP PING CyberKit 2.2
Windows [Classification: Misc activity] [Priority: 3]: {ICMP}
200.95.132.194 -> 200.95.123.16
Running Linux Debian Woody. Should I be worried?
Not unless you are running win XP or 2K. There has been a lot of Nachi/Welchia worm activity lately. An infected host uses echo request to look for other hosts to infect. Followed by a TCP connection attempt to port 135 if it receives an echo reply.

http://vil.nai.com/vil/content/v_100559.htm

Even if you are not using an MS os, dropping inbound ICMP Type 8 would at least prevent additional, useless inbound traffic. Unless you really need it. There is a good thread in the securityfocus firewalls archive.

http://www.securityfocus.com/archive/129/334807/2003-08-19/2003-08-25/1

Thanks for your time.

Gary
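The alert format quoted in this thread can be tallied per source address to see which hosts keep sending the CyberKit-signature pings; this is an added example, not part of the original posts. The function name, the extra sample lines (192.0.2.77 and SID 9999) and the assumption that each alert sits on a single syslog line are constructed for illustration.

```python
import re
from collections import defaultdict

# Layout taken from the alert quoted in the post:
# <time> <host> snort: [gid:sid:rev] <msg> [Classification: ..] [Priority: n]: {PROTO} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+\S+\s+snort:\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]:\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)
CYBERKIT_SID = 483  # SID in the post's alert: [1:483:2]

def summarize_pings(lines, sid=CYBERKIT_SID):
    """Group alerts for `sid` by source IP; return (per-source stats, unparsed line count)."""
    sources = defaultdict(lambda: {"count": 0, "first": None, "last": None, "targets": set()})
    skipped = 0
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if not m:
            skipped += 1          # not a snort alert in this layout
            continue
        if int(m["sid"]) != sid:
            continue              # a snort alert, but from a different rule
        s = sources[m["src"]]
        s["count"] += 1
        s["first"] = s["first"] or m["ts"]
        s["last"] = m["ts"]
        s["targets"].add(m["dst"])
    return dict(sources), skipped

# Constructed sample input: the first line is the post's alert rejoined onto one
# line; the remaining lines are made up to exercise the filter.
_TAIL = "[Classification: Misc activity] [Priority: 3]:"
_PING = "linuxserver snort: [1:483:2] ICMP PING CyberKit 2.2 Windows " + _TAIL + " {ICMP} "
SAMPLE = [
    "Sep 6 12:27:56 " + _PING + "200.95.132.194 -> 200.95.123.16",
    "Sep 6 12:31:02 " + _PING + "192.0.2.77 -> 200.95.123.16",
    "Sep 6 12:40:10 " + _PING + "200.95.132.194 -> 200.95.123.16",
    "Sep 6 12:41:00 linuxserver snort: [1:9999:1] CONSTRUCTED RULE " + _TAIL
    + " {TCP} 192.0.2.77:4312 -> 200.95.123.16:135",
    "Sep 6 12:42:00 linuxserver sshd[411]: constructed non-snort line",
]

if __name__ == "__main__":
    stats, skipped = summarize_pings(SAMPLE)
    for src, s in sorted(stats.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{src:15} {s['count']:3} alerts  {s['first']} .. {s['last']}")
    print(f"{skipped} line(s) not parsed")
```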
