Attack of the icmp pinging morons.........

Gerald Combs gerald at ethereal.com
Sun Aug 24 16:57:31 CDT 2003


This is apparently the Welchia worm.  It's someone's idea of a clever
response to the Blaster worm -- it scans for vulnerable hosts and tries
to patch and disinfect them:

  http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

There was a discussion about it on snort-users this past week:

  http://marc.theaimsgroup.com/?t=106154973500001&r=1&w=2

I'm seeing a ping request on my outside interface every five or ten
seconds.  I'm also seeing one or two dozen ARP requests per second,
which is a hint that my subnet is being scanned heavily.  If this keeps
up, the LEDs on my cable modem and NIC will burn out.

On Sun, 24 Aug 2003, Hanasaki JiJi wrote:

> Anyone else getting pinged DOS from
> 	"ICMP PING CyberKit 2.2 Windows"
> This is the report from Snort.  There were over 12,000 of them in the 
> last 24 hours.  This number has been increasing over the last week.  Most 
> of the offending IPs seem to be from RR accounts.  Examples below:
> 
> Events from same host to same destination using same method
>   # of  from             to               method
>     26  65.30.112.72     65.30.34.80      ICMP PING CyberKit 2.2 Windows
>     19  65.30.148.72     65.30.34.80      ICMP PING CyberKit 2.2 Windows
>     17  65.30.97.9       65.30.34.80      ICMP PING CyberKit 2.2 Windows
>     15  65.30.193.88     65.30.34.80      ICMP PING CyberKit 2.2 Windows
>     14  65.30.205.204    65.30.34.80      ICMP PING CyberKit 2.2 Windows
>     14  65.29.6.220      65.30.34.80      ICMP PING CyberKit 2.2 Windows
>     14  65.30.146.224    65.30.34.80      ICMP PING CyberKit 2.2 Windows
>     14  65.30.140.219    65.30.34.80      ICMP PING CyberKit 2.2 Windows
>     14  65.29.219.81     65.30.34.80      ICMP PING CyberKit 2.2 Windows
> ...
> 
> 
> -- 
> = Management is doing things right; leadership is doing the     =
> =       right things.    - Peter Drucker                        =
> =_______________________________________________________________=
> =     http://www.sun.com/service/sunps/jdc/javacenter.pdf       =
> =  www.sun.com | www.javasoft.com | http://www.sun.com/sunone   =
> 
> 
> 
> 
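
A triage sketch for a Snort summary in the layout quoted above, added here as an example and not part of either poster's message: it totals events and distinct sources per destination for one signature. The sample rows are constructed and use documentation-range addresses; the function names and the `min_sources` threshold are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the layout of the quoted Snort summary
# (count, source, destination, signature); documentation-range addresses.
SAMPLE_REPORT = """\
  # of  from             to               method
    26  198.51.100.72    192.0.2.80       ICMP PING CyberKit 2.2 Windows
    19  198.51.100.148   192.0.2.80       ICMP PING CyberKit 2.2 Windows
    17  198.51.100.9     192.0.2.80       ICMP PING CyberKit 2.2 Windows
    14  203.0.113.220    192.0.2.80       ICMP PING CyberKit 2.2 Windows
     3  203.0.113.5      192.0.2.80       ICMP PING NMAP
     2  198.51.100.72    192.0.2.81       ICMP PING CyberKit 2.2 Windows
"""

ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(.+?)\s*$")

def parse_rows(text):
    """Yield (count, src, dst, signature); skip headers and malformed lines."""
    for line in text.splitlines():
        m = ROW.match(line.lstrip("> "))  # tolerate mail-quoted rows
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m.group(2))
            dst = ipaddress.ip_address(m.group(3))
        except ValueError:
            continue
        yield int(m.group(1)), src, dst, m.group(4)

def summarize(text, signature, min_sources=3):
    """Per destination: total events and distinct sources for one signature.
    min_sources is an assumed threshold for 'many hosts, few pings each'."""
    events = defaultdict(int)
    sources = defaultdict(set)
    for count, src, dst, sig in parse_rows(text):
        if sig == signature:
            events[dst] += count
            sources[dst].add(src)
    return {
        str(dst): {"events": events[dst], "sources": len(sources[dst]),
                   "flag": len(sources[dst]) >= min_sources}
        for dst in events
    }

if __name__ == "__main__":
    for dst, info in summarize(SAMPLE_REPORT, "ICMP PING CyberKit 2.2 Windows").items():
        print(dst, info)
```
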




More information about the Kclug mailing list