Strange pings from 127.0.0.1

["Andrew Aris" <andrew () dev bigfishinternet co uk>]

I'm coming into this thread partway through so sorry if this is a dumb reply
but if the mAC address is always the same then surely this could be used to
trace the culprit host? 

> -----Original Message-----
> From: Timothy Schwimer [mailto:tschwimer () hotmail com]
> Sent: 18 June 2004 03:26
> To: talukdar_m () subway com; security-basics () securityfocus com
> Subject: Re: Strange pings from 127.0.0.1
>
> Not yet. Doesn't sound like you're having the same issue though. Mine 
> is all ICMP traffic, all sourced from the loopback, but destined to 
> several different host IP's.  In addition, the source and dest MAC are 
> always the same regardless of the IP's.
> I'm fairly certain that I've got a compromised host, but with the 
> source IP being a loopback, I've got no way of deducing which host.
>
>
> > From: Murad Talukdar <talukdar_m () subway com>
> > To: Tim Schwimer <tschwimer () hotmail com>, 
> > security-basics () securityfocus com
> > Subject: Re: Strange pings from 127.0.0.1
> > Date: Fri, 18 Jun 2004 09:43:07 +1000
> >
> > I've been getting this on my router logs saying that the tcp
> got dropped.
> >  Source:127.0.0.1, 80, WAN - Destination:210.80.144.150,
> 1912, LAN -
> > 'Suspicious TCP Data'
> >
> > Did you work out what it was with the pings? Not sure if
> it's similar
> > or not.
> >
> > Murad Talukdar
> >
> >
> > ----- Original Message -----
> > From: "Tim Schwimer" <tschwimer () hotmail com>
> > To: <security-basics () securityfocus com>
> > Sent: Sunday, June 13, 2004 5:24 PM
> > Subject: Re: Strange pings from 127.0.0.1
> >
> >
> > > In-Reply-To: 
> <GAEPLEDFDDGJLBGAABCNKENBCMAA.gg () stober mailsnare net>
> > > I started seeing the same thing on my DMZ segments this Friday 
> > > afternoon
> > at about 4:00pm (figures, huh??). Anyway, I was wondering what you 
> > found out about this. Any insight would be appreciated.
> > > Thanks,
> > > T
> > > > Received: (qmail 20239 invoked from network); 14 May
> 2004 15:58:54
> > -0000
> > > > Received: from outgoing.securityfocus.com (HELO
> > outgoing2.securityfocus.com) (205.206.231.26)
> > > >  by mail.securityfocus.com with SMTP; 14 May 2004 15:58:54 -0000
> > > > Received: from lists.securityfocus.com (lists.securityfocus.com
> > [205.206.231.19])
> > > > by outgoing2.securityfocus.com (Postfix) with QMQP  id 
> > > > 4018A1437B0; Fri, 14 May 2004 17:53:53 -0600 (MDT)
> > > > Mailing-List: contact
> security-basics-help () securityfocus com; run
> > > > by
> > ezmlm
> > > > Precedence: bulk
> > > > List-Id: <security-basics.list-id.securityfocus.com>
> > > > List-Post: <mailto:security-basics () securityfocus com>
> > > > List-Help: <mailto:security-basics-help () securityfocus com>
> > > > List-Unsubscribe: 
> > <mailto:security-basics-unsubscribe () securityfocus com>
> > > > List-Subscribe: 
> > > > <mailto:security-basics-subscribe () securityfocus com>
> > > > Delivered-To: mailing list security-basics () securityfocus com
> > > > Delivered-To: moderator for security-basics () securityfocus com
> > > > Received: (qmail 13781 invoked from network); 13 May
> 2004 21:45:06
> > -0000
> > > > From: "Marc" <gg () stober mailsnare net>
> > > > To: <security-basics () securityfocus com>
> > > > Subject: Strange pings from 127.0.0.1
> > > > Date: Thu, 13 May 2004 23:55:35 -0400
> > > > Message-ID: 
> <GAEPLEDFDDGJLBGAABCNKENBCMAA.gg () stober mailsnare net>
> > > > MIME-Version: 1.0
> > > > Content-Type: text/plain;
> > > > charset="iso-8859-1"
> > > > Content-Transfer-Encoding: 7bit
> > > > X-Priority: 3 (Normal)
> > > > X-MSMail-Priority: Normal
> > > > X-Mailer: Microsoft Outlook IMO, Build 9.0.6604 (9.0.2911.0)
> > > > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
> > > > Importance: Normal
> > > >
> > > >
> > > > The networked applications I am responsbile for have been 
> > > > performing
> > slowly.
> > > > When I tried to run Ethereal on my computer, I found
> some odd ICMP
> > > > echo request (ping) packets with a source IP of 127.0.01, to 
> > > > addresses both within our 192.168.1.* network as well as
> to random Internet addresses.
> > The
> > > > source and destination Mac addresses aren't anything I can 
> > > > associate
> > with
> > a
> > > > computer on our network (and they're not the real Mac
> address of my
> > > > computer), so I think maybe these packets are spoofed? 
> Could this
> > > > be
> > some
> > > > sort of virus or DOS attack somewhere within our network? I've 
> > > > haven't
> > seen
> > > > anything quite like this mentioned online anywhere.
> > > >
> > > > Thanks, Marc
> >
> > ---------------------------------------------------------------------
> > > ------
> > > > Ethical Hacking at the InfoSec Institute. Mention this
> ad and get
> > > > $545
> > off
> > > > any course! All of our class sizes are guaranteed to be
> 10 students
> > > > or
> > less
> > > > to facilitate one-on-one interaction with one of our expert
> > instructors.
> > > > Attend a course taught by an expert instructor with years of
> > in-the-field
> > > > pen testing experience in our state of the art hacking
> lab. Master
> > > > the
> > skills
> > > > of an Ethical Hacker to better assess the security of your
> > organization.
> > > > Visit us at:
> > http://www.infosecinstitute.com/courses/ethical_hacking_training.ht
> > > > ml
> >
> > ---------------------------------------------------------------------
> > > ------
> > -
> > > >
> > -------------------------------------------------------------
> ----------
> > ---
> > -
> > > Ethical Hacking at the InfoSec Institute. Mention this ad and get
> > > $545
> > off
> > > any course! All of our class sizes are guaranteed to be
> 10 students
> > > or
> > less
> > > to facilitate one-on-one interaction with one of our
> expert instructors.
> > > Attend a course taught by an expert instructor with years of
> > in-the-field
> > > pen testing experience in our state of the art hacking
> lab. Master
> > > the
> > skills
> > > of an Ethical Hacker to better assess the security of
> your organization.
> > > Visit us at:
> http://www.infosecinstitute.com/courses/ethical_hacking_training.htm
> > > l
> > -------------------------------------------------------------
> ----------
> > ---
> > --
> > >
>
> _________________________________________________________________
> Watch the online reality show Mixed Messages with a friend and enter 
> to win a trip to NY 
> http://www.msnmessenger-download.click-url.com/go/onm00200497a
> ve/direct/01/
>
>
> --------------------------------------------------------------
> -------------
> Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 
> off any course! All of our class sizes are guaranteed to be 10 
> students or less to facilitate one-on-one interaction with one of our 
> expert instructors.
> Attend a course taught by an expert instructor with years of 
> in-the-field pen testing experience in our state of the art hacking 
> lab. Master the skills of an Ethical Hacker to better assess the 
> security of your organization.
> Visit us at: 
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> --------------------------------------------------------------
> --------------




---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------