
"ICMP PING CyberKit 2.2 Windows"


Neil Alex Lee

Aug 22, 2003, 3:05:16 AM
Greetings. I have been getting loads of the above report in the IDS logs.
For several days now, 3 or 4 ICMP Echo Requests have been sent to my
dialled-up Smoothwall every minute from several different IPs.

Has anyone else experienced this?
Is this part of some virus scanning technique?
Does anyone know a command to drop ICMP Echo Request packets?

Thanks for any help.


Bob

Aug 22, 2003, 11:01:43 AM
At Fri, 22 Aug 2003 07:17:16 GMT, "Neil Alex Lee" <21...@xanadu.com> reached
down, grabbed what he thought was the keyboard and started stroking in
alt.os.linux.smoothwall:

I've been seeing this constantly since Monday (18 August) at 1500 GMT, with
at least 90 percent of them being from within my (broadband) provider's
network. I attributed this to the recent wave of viruses we've had and the
fact that most users got hit with it in some form or another because they
had not downloaded the necessary patches to protect their machines.


=================================================================
Bob Ashley - UNIX Geek
usenet (at) house (dash) bowlrz (dot) org


Are you auto-extracting e-mail addresses? Then u...@ftc.gov and
rep...@fraud.org should be of special interest.

FLAMES > /dev/null
=================================================================

Neil Alex Lee

Aug 23, 2003, 1:05:41 AM
Further research indicates it is due to the "Welchia" virus which sends ICMP
Echo Requests to determine available hosts before trying a tcp/135
connection.
The majority of this traffic is also coming from within my provider's
network.

"Bob" <flames2...@cox.net> wrote in message
news:Xns93DF7030897B8s6...@68.1.17.6...

Bob

Aug 23, 2003, 3:07:26 AM
At Sat, 23 Aug 2003 05:17:41 GMT, "Neil Alex Lee" <21...@xanadu.com> reached
down, grabbed what he thought was the keyboard and started stroking in
alt.os.linux.smoothwall:

> Further research indicates it is due to the "Welchia" virus which sends
> ICMP Echo Requests to determine available hosts before trying a tcp/135
> connection.
>
> The majority of this traffic is also coming from within my provider's
> network.
>

Gotta love those ordinary, dumb users ... no protection and will open every
attachment they receive. *SIGH*

Nep2n

Aug 24, 2003, 10:36:44 PM
The worm is targeted at 2000 & XP.
As long as you don't have port 135 fwd'd externally, you should be fine.


"Bob" <flames2...@cox.net> wrote in message

news:Xns93E01FC7B224As6...@68.1.17.6...

Paul Bottomley

Sep 1, 2003, 5:03:35 PM
I too have these pings, it's filling my log files at the rate of 100 meg a
day!!! Is this something that will kill my firewall? Is there a way to stop
ping replies in smoothie? 2.0 orient patch 2

"Nep2n" <pla...@solarsystem.net> wrote in message
news:vkitlmj...@corp.supernews.com...

Bob

Sep 1, 2003, 6:01:23 PM
At Mon, 01 Sep 2003 21:03:35 GMT, "Paul Bottomley"
<botto...@hotmail.com> reached down, grabbed what he thought was the
keyboard and started stroking in alt.os.linux.smoothwall:

> I too have these pings, it's filling my log files at the rate of 100 meg
> a day!!! Is this something that will kill my firewall? Is there a way
> to stop ping replies in smoothie? 2.0 orient patch 2
>

I was reading at the Smoothwall web site a way to filter out IGMP packets
using ipchains ... I'm sure the ICMP packets could be done the same way.

The web site ... http://www.quarkav.com/SmoothWallGPL


HTH

Jason

Sep 1, 2003, 6:39:46 PM
* Paul Bottomley <botto...@hotmail.com>:

> I too have these pings, it's filling my log files at the rate of 100 meg a
> day!!! Is this something that will kill my firewall? Is there a way to stop
> ping replies in smoothie? 2.0 orient patch 2
>

2.0 run iptables or ipchains?

For iptables I have this:

Create /etc/rc.d/rc.local firewall and put the
following lines in it:

#!/bin/sh
# Custom Input Rule
/sbin/iptables -F CUSTOMINPUT
# Relieve your logs of MS induced congestion!
/sbin/iptables -A CUSTOMINPUT -p tcp --dport 135 -j DROP
/sbin/iptables -A CUSTOMINPUT -p udp --dport 135 -j DROP
/sbin/iptables -A CUSTOMINPUT -p tcp --dport 137 -j DROP
/sbin/iptables -A CUSTOMINPUT -p udp --dport 137 -j DROP
/sbin/iptables -A CUSTOMINPUT -p tcp --dport 139 -j DROP
/sbin/iptables -A CUSTOMINPUT -p udp --dport 139 -j DROP
/sbin/iptables -A CUSTOMINPUT -p tcp --dport 445 -j DROP
/sbin/iptables -A CUSTOMINPUT -p udp --dport 445 -j DROP
/sbin/iptables -A CUSTOMINPUT -p tcp --dport 1434 -j DROP
/sbin/iptables -A CUSTOMINPUT -p udp --dport 1434 -j DROP

Once it's installed, it will run automatically every time you reboot. If
you just created it and don't want to reboot, just run it, like:

/etc/rc.d/rc.local <enter>

I'm not sure if that will help you or not but it sure cleared my log
file to a manageable size. I have an ipchains version here somewhere
also.

Jason

Dave

Sep 1, 2003, 8:53:17 PM
A good plan - to keep MS-Blaster out of your logs.
However, this will make zero difference to ICMP packets.

--
Dave Harry

"Jason" <Ja...@beer.it.does.the.body.good> wrote in message
news:SUP4b.3200$Ej.4...@ursa-nb00s0.nbnet.nb.ca...

Dave

Sep 1, 2003, 9:00:59 PM
Instead, try removing this rule from /etc/snort/icmp.rules:

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING CyberKit 2.2 Windows"; content:"|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|"; itype:8; depth:32; reference:arachnids,154; sid:483; classtype:misc-activity; rev:2;)

You'll have to restart snort.

--
Dave Harry
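As an added example (not code from anyone in this thread, and not part of Smoothwall or Snort), here is the logic of the two observations above in a small Python checker: Neil's description of Welchia pinging a host before trying tcp/135, and the CyberKit 2.2 rule Dave quotes (itype:8, sixteen 0xAA bytes, depth:32). It builds a few raw packets inline, applies the rule's match to each, and then flags sources whose echo request is followed by a TCP SYN to port 135. The addresses, timestamps and the 5-second correlation window are assumptions chosen for illustration; nothing here is captured traffic.

```python
import struct

# From the Snort rule quoted above: content:"|aa x16|"; itype:8; depth:32
CYBERKIT_PATTERN = b"\xaa" * 16
SNORT_DEPTH = 32
WELCHIA_PORT = 135        # the tcp/135 (RPC/DCOM) follow-up described in the thread
WINDOW_S = 5.0            # assumption: how soon after the ping the SYN must arrive


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header with a zero checksum (constructed test data)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                       0, 0, 64, proto, 0, src_b, dst_b)


def icmp_echo(src, dst, payload, itype=8):
    """ICMP echo request (type 8) or reply (type 0) carrying `payload`."""
    icmp = struct.pack("!BBHHH", itype, 0, 0, 1, 1) + payload
    return ipv4_header(src, dst, 1, len(icmp)) + icmp


def tcp_syn(src, dst, dport):
    """Bare TCP SYN to `dport`, no options."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return ipv4_header(src, dst, 6, len(tcp)) + tcp


def parse(pkt):
    """Pull out what the rule and the correlation need from a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    body = pkt[ihl:]
    if proto == 1:                      # ICMP: type byte, payload after the 8-byte header
        return {"src": src, "proto": "icmp", "itype": body[0], "payload": body[8:]}
    if proto == 6:                      # TCP: destination port and SYN-without-ACK
        dport = struct.unpack("!H", body[2:4])[0]
        flags = body[13]
        return {"src": src, "proto": "tcp", "dport": dport,
                "syn": bool(flags & 0x02) and not (flags & 0x10)}
    return {"src": src, "proto": "other"}


def matches_cyberkit(info):
    """Snort sid:483 logic: itype:8 and the 16 x 0xAA run found within the
    first 32 bytes of ICMP payload (that is what depth:32 constrains)."""
    if info["proto"] != "icmp" or info["itype"] != 8:
        return False
    return CYBERKIT_PATTERN in info["payload"][:SNORT_DEPTH]


def cyberkit_sources(events):
    """Sources whose echo requests trip the signature; events are (ts, packet)."""
    return sorted({parse(p)["src"] for _, p in events if matches_cyberkit(parse(p))})


def welchia_candidates(events):
    """Sources that ping and then SYN to tcp/135 within WINDOW_S seconds.
    A ping that merely carries the CyberKit payload is not enough on its own."""
    last_ping = {}
    hits = set()
    for ts, pkt in sorted(events, key=lambda e: e[0]):
        info = parse(pkt)
        if info["proto"] == "icmp" and info["itype"] == 8:
            last_ping[info["src"]] = ts
        elif info["proto"] == "tcp" and info["syn"] and info["dport"] == WELCHIA_PORT:
            t0 = last_ping.get(info["src"])
            if t0 is not None and ts - t0 <= WINDOW_S:
                hits.add(info["src"])
    return sorted(hits)


# Constructed traffic toward a firewall's external address (RFC 5737 test addresses)
FW = "192.0.2.10"
SAMPLE_EVENTS = [
    (0.0, icmp_echo("198.51.100.7", FW, b"\xaa" * 32)),              # CyberKit-style ping ...
    (0.4, tcp_syn("198.51.100.7", FW, WELCHIA_PORT)),                # ... then the RPC/DCOM probe
    (1.0, icmp_echo("198.51.100.9", FW, bytes(range(0x10, 0x30)))),  # ordinary ping payload
    (2.0, tcp_syn("198.51.100.9", FW, 80)),                          # unrelated web connection
    (3.0, icmp_echo("198.51.100.11", FW, b"\xaa" * 32)),             # signature hit, no follow-up
    (20.0, tcp_syn("198.51.100.11", FW, WELCHIA_PORT)),              # too late for the window
]

if __name__ == "__main__":
    print("sid:483 hits  :", cyberkit_sources(SAMPLE_EVENTS))
    print("ping+tcp/135  :", welchia_candidates(SAMPLE_EVENTS))
```

The point of the second function is the one Neil made: the CyberKit payload alone is just a ping client's fingerprint, and only the ping followed by a tcp/135 attempt from the same source looks like the worm. Dropping the Snort rule silences the log noise; it does not change what the firewall lets through.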


Paul Bottomley

Sep 2, 2003, 4:35:20 AM
Thanks for all the hints, for now I have stopped ping replies from my
smoothie, that's quietened things down a hell of a lot, but I like the idea of
filtering log entries in the icmp.rules. Not being a real Linux person and
hating VI with a passion, it takes time to do these things. BUT I still think
smoothie is what every person needs.

"Dave" <Da...@please.keep.replies.in.the.newsgroup> wrote in message
news:fZR4b.77496$bo1....@news-server.bigpond.net.au...

Dave

Sep 3, 2003, 4:08:11 AM

"Paul Bottomley" <botto...@hotmail.com> wrote in message
news:bj1ko8$maj$1...@hercules.btinternet.com...

> Thanks for all the hints, for now I have stopped ping replies from my
> smoothie, that's quietened things down a hell of a lot, but I like the idea
> of filtering log entries in the icmp.rules. Not being a real Linux person and
> hating VI with a passion, it takes time to do these things. BUT I still think
> smoothie is what every person needs.

Glad to help.
Since I'm somewhat a hack at Linux stuff too, and just can't cope with vi
either, (joe is a bit easier for me) I actually use WinSCP2 and Textpad to
copy files to a Windows box and edit them there. This gives me a backup of
everything I've done too.

--
Dave Harry

