Security Basics mailing list archives

Re: Strange pings from 127.0.0.1

From: Kelly John Rose <mllists () ptbcanadian net>
Date: Tue, 22 Jun 2004 16:07:55 -0400

Nope, that's completely useless. You can for one spoof mac addresses, sohaving any mac address is more or less meaningless. But, also, there isno reliable way to use the mac address to find the machine, unless it'san internal machine, you having the mac addresses of all internalmachines written down, and the person is not spoofing.

Eitherway, having the mac address doesn't help you at all tracking downthe culprit really.

.....Kelly John Rose.....

Andrew Aris wrote:

I'm coming into this thread partway through so sorry if this is a dumb reply
but if the mAC address is always the same then surely this could be used to
trace the culprit host?
-----Original Message-----
From: Timothy Schwimer [mailto:tschwimer () hotmail com]
Sent: 18 June 2004 03:26
To: talukdar_m () subway com; security-basics () securityfocus com
Subject: Re: Strange pings from 127.0.0.1
Not yet. Doesn't sound like you're having the same issue though. Mineis all ICMP traffic, all sourced from the loopback, but destined toseveral different host IP's. In addition, the source and dest MAC arealways the same regardless of the IP's.I'm fairly certain that I've got a compromised host, but with thesource IP being a loopback, I've got no way of deducing which host.
From: Murad Talukdar <talukdar_m () subway com>
To: Tim Schwimer <tschwimer () hotmail com>,security-basics () securityfocus com
Subject: Re: Strange pings from 127.0.0.1
Date: Fri, 18 Jun 2004 09:43:07 +1000

I've been getting this on my router logs saying that the tcp
got dropped.
Source:127.0.0.1, 80, WAN - Destination:210.80.144.150,
1912, LAN -
'Suspicious TCP Data'

Did you work out what it was with the pings? Not sure if
it's similar
or not.

Murad Talukdar


----- Original Message -----
From: "Tim Schwimer" <tschwimer () hotmail com>
To: <security-basics () securityfocus com>
Sent: Sunday, June 13, 2004 5:24 PM
Subject: Re: Strange pings from 127.0.0.1
In-Reply-To:
<GAEPLEDFDDGJLBGAABCNKENBCMAA.gg () stober mailsnare net>
I started seeing the same thing on my DMZ segments this Fridayafternoon
at about 4:00pm (figures, huh??). Anyway, I was wondering what youfound out about this. Any insight would be appreciated.
Thanks,
T
Received: (qmail 20239 invoked from network); 14 May
2004 15:58:54
-0000
Received: from outgoing.securityfocus.com (HELO
outgoing2.securityfocus.com) (205.206.231.26)
by mail.securityfocus.com with SMTP; 14 May 2004 15:58:54 -0000
Received: from lists.securityfocus.com (lists.securityfocus.com
[205.206.231.19])
by outgoing2.securityfocus.com (Postfix) with QMQP id4018A1437B0; Fri, 14 May 2004 17:53:53 -0600 (MDT)
Mailing-List: contact
security-basics-help () securityfocus com; run
by
ezmlm
Precedence: bulk
List-Id: <security-basics.list-id.securityfocus.com>
List-Post: <mailto:security-basics () securityfocus com>
List-Help: <mailto:security-basics-help () securityfocus com>
List-Unsubscribe:
<mailto:security-basics-unsubscribe () securityfocus com>
List-Subscribe:<mailto:security-basics-subscribe () securityfocus com>
Delivered-To: mailing list security-basics () securityfocus com
Delivered-To: moderator for security-basics () securityfocus com
Received: (qmail 13781 invoked from network); 13 May
2004 21:45:06
-0000
From: "Marc" <gg () stober mailsnare net>
To: <security-basics () securityfocus com>
Subject: Strange pings from 127.0.0.1
Date: Thu, 13 May 2004 23:55:35 -0400
Message-ID:
<GAEPLEDFDDGJLBGAABCNKENBCMAA.gg () stober mailsnare net>
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.6604 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
Importance: Normal
The networked applications I am responsbile for have beenperforming
slowly.
When I tried to run Ethereal on my computer, I found
some odd ICMP
echo request (ping) packets with a source IP of 127.0.01, toaddresses both within our 192.168.1.* network as well as
to random Internet addresses.
The
source and destination Mac addresses aren't anything I canassociate
with
a
computer on our network (and they're not the real Mac
address of my
computer), so I think maybe these packets are spoofed?
Could this
be
some
sort of virus or DOS attack somewhere within our network? I'vehaven't
seen
anything quite like this mentioned online anywhere.

Thanks, Marc
---------------------------------------------------------------------
------
Ethical Hacking at the InfoSec Institute. Mention this
ad and get
$545
off
any course! All of our class sizes are guaranteed to be
10 students
or
less
to facilitate one-on-one interaction with one of our expert
instructors.
Attend a course taught by an expert instructor with years of
in-the-field
pen testing experience in our state of the art hacking
lab. Master
the
skills
of an Ethical Hacker to better assess the security of your
organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.ht
ml
---------------------------------------------------------------------
------
-
-------------------------------------------------------------
----------
---
-
Ethical Hacking at the InfoSec Institute. Mention this ad and get
$545
off
any course! All of our class sizes are guaranteed to be
10 students
or
less
to facilitate one-on-one interaction with one of our
expert instructors.
Attend a course taught by an expert instructor with years of
in-the-field
pen testing experience in our state of the art hacking
lab. Master
the
skills
of an Ethical Hacker to better assess the security of
your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.htm
l
-------------------------------------------------------------
----------
---
--
_________________________________________________________________
Watch the online reality show Mixed Messages with a friend and enterto win a trip to NYhttp://www.msnmessenger-download.click-url.com/go/onm00200497a
ve/direct/01/


--------------------------------------------------------------
-------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545off any course! All of our class sizes are guaranteed to be 10students or less to facilitate one-on-one interaction with one of ourexpert instructors.Attend a course taught by an expert instructor with years ofin-the-field pen testing experience in our state of the art hackinglab. Master the skills of an Ethical Hacker to better assess thesecurity of your organization.Visit us at:http://www.infosecinstitute.com/courses/ethical_hacking_training.html
--------------------------------------------------------------
--------------
---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 offany course! All of our class sizes are guaranteed to be 10 students or lessto facilitate one-on-one interaction with one of our expert instructors.Attend a course taught by an expert instructor with years of in-the-fieldpen testing experience in our state of the art hacking lab. Master the skillsof an Ethical Hacker to better assess the security of your organization.Visit us at:http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------



---------------------------------------------------------------------------

Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 offany course! All of our class sizes are guaranteed to be 10 students or lessto facilitate one-on-one interaction with one of our expert instructors.Attend a course taught by an expert instructor with years of in-the-fieldpen testing experience in our state of the art hacking lab. Master the skillsof an Ethical Hacker to better assess the security of your organization.Visit us at:http://www.infosecinstitute.com/courses/ethical_hacking_training.html

----------------------------------------------------------------------------

Current thread:

Re: Strange pings from 127.0.0.1 Tim Schwimer (Jun 14)
- Re: Strange pings from 127.0.0.1 Murad Talukdar (Jun 18)
- <Possible follow-ups>
- Re: Strange pings from 127.0.0.1 Timothy Schwimer (Jun 18)
  - Re: Strange pings from 127.0.0.1 Ranjeet Shetye (Jun 21)
    - Re: Strange pings from 127.0.0.1 Nelson Santos (Jun 23)
    - RE: Strange pings from 127.0.0.1 David Gillett (Jun 24)
- Strange pings from 127.0.0.1 Andrew Aris (Jun 22)
  - Re: Strange pings from 127.0.0.1 Alan Hicks (Jun 23)
  - Re: Strange pings from 127.0.0.1 Kelly John Rose (Jun 23)
    - RE: Strange pings from 127.0.0.1 David Gillett (Jun 24)
    - RE: Strange pings from 127.0.0.1 Andrew Aris (Jun 24)
    - Re: Strange pings from 127.0.0.1 Kelly John Rose (Jun 25)
    - Re: Strange pings from 127.0.0.1 SecurityFocus Lists (Jun 24)
    - Re: Strange pings from 127.0.0.1 Kelly John Rose (Jun 25)
- Re: Strange pings from 127.0.0.1 Tim Schwimer (Jun 24)
  - RE: Strange pings from 127.0.0.1 David Gillett (Jun 25)
- RE: Strange pings from 127.0.0.1 Steven Trewick (Jun 24)
  - Re: Strange pings from 127.0.0.1 Ranjeet Shetye (Jun 26)
- RE: Strange pings from 127.0.0.1 Timothy Schwimer (Jun 28)