Weird ICMP activity

 
 
David Scott
      10th Feb 2004
I have two networks geographically (and logically) separated between two
cities, joined via a PPTP VPN using ISA server. A network dump has shown me
some weird ICMP activity I'm trying to chase down.

I have hosts on one network chattering to a Windows 2000 domain controller
in the other location with some huge ICMP packets. Tunnelled in the packet
is a Microsoft logo image (notice the JFIF header). A sample of the ICMP
data is below (this is from the intrusions.org list - you can get a full
dump here http://www.incidents.org/archives/in.../msg14866.html)

> 14:20:29.334511 192.168.19.47 > xxx.xxx.xxx.xxx: icmp: echo request
> (frag 7715:1480@x+) (ttl 128, len 1500)
> 0x0000 4500 05dc 1e23 2000 8001 e487 c0a8 132f E....#........./
> 0x0010 xxxx xxxx 0800 08d5 0200 b100 ffd8 fffe .m22............
> 0x0020 0008 5741 4e47 3202 ffe0 0010 4a46 4946 ..WANG2.....JFIF
> 0x0030 0001 0101 0060 0060 0000 ffdb 0043 0010 .....`.`.....C..
> 0x0040 0b0c 0e0c 0a10 0e0d 0e12 1110 1318 281a ..............(.
> 0x0050 1816 1618 3123 251d 283a 333d 3c39 3338 ....1#%.(:3=<938
> 0x0060 3740 485c 4e40 4457 4537 3850 6d51 575f 7@x\N@xxxxxxxxxx
> 0x0070 6267 6867 3e4d 7179 7064 785c 6567 63ff bghg>Mqypdx\egc.
> 0x0080 db00 4301 1112 1218 1518 2f1a 1a2f 6342 ..C......./../cB
> 0x0090 3842 6363 6363 6363 6363 6363 6363 6363 8Bcccccccccccccc
> 0x00a0 6363 6363 6363 6363 6363 6363 6363 6363 cccccccccccccccc
> 0x00b0 6363 6363 6363 6363 6363 6363 6363 6363 cccccccccccccccc
> 0x00c0 6363 6363 ffc0 0011 0800 2600 9e03 0121 cccc......&....!


I've googled and googled, but can't find a definitive answer for this
transfer and if it's covert or if it's something that MS is doing to monitor
connections via slow links, or WHAT? Can anyone point me to an answer?

Thanks,

David Scott


Marc Reynolds [MSFT]
 
      10th Feb 2004
Sounds like the ICMPs used by Slow Link detection. See 816045, "A Fast Link
May Be Detected as a Slow Link Because of Network ICMP":
http://support.microsoft.com/?id=816045

--

Thanks,
Marc Reynolds
Microsoft Technical Support

This posting is provided "AS IS" with no warranties, and confers no rights.
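A small decoder, added here as a worked example (it is not from the thread, and the classification rule is my own heuristic, not Microsoft's), that parses the first 64 bytes of the fragment David posted and flags the pattern Marc describes: a large, fragmented ICMP echo request whose data starts with a JPEG SOI marker and a JFIF APP0 segment. The decoded IP identification (7715) is the "frag 7715" in the tcpdump summary line.

```python
import re
import struct
# The first 64 bytes of the echo-request fragment quoted in the thread (tcpdump -x
# style; the poster masked the destination address as "xxxx", decoded here as zeros).
SAMPLE_HEXDUMP = r"""
0x0000 4500 05dc 1e23 2000 8001 e487 c0a8 132f E....#........./
0x0010 xxxx xxxx 0800 08d5 0200 b100 ffd8 fffe .m22............
0x0020 0008 5741 4e47 3202 ffe0 0010 4a46 4946 ..WANG2.....JFIF
0x0030 0001 0101 0060 0060 0000 ffdb 0043 0010 .....`.`.....C..
"""

def hexdump_to_bytes(dump):
    """Decode 'offset g1 g2 ... g8 ascii' lines; returns (bytes, masked_byte_count)."""
    out, masked = bytearray(), 0
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].startswith("0x"):
            continue
        for group in tokens[1:9]:  # the trailing ASCII column never matches the regex
            if group == "xxxx":
                out += b"\x00\x00"
                masked += 2
            elif re.fullmatch(r"[0-9a-f]{4}", group):
                out += bytes.fromhex(group)
    return bytes(out), masked

def analyse_icmp_fragment(packet):
    """Decode the IPv4 and ICMP headers and classify the fragment."""
    ver_ihl, _, total_len, ip_id, flags_frag, ttl, proto, _, src, _ = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    info = {"total_length": total_len, "ip_id": ip_id, "ttl": ttl, "protocol": proto,
            "more_fragments": bool(flags_frag & 0x2000),
            "frag_offset": (flags_frag & 0x1FFF) * 8, "src": ".".join(map(str, src))}
    if proto != 1 or info["frag_offset"] != 0:  # only the first fragment carries the ICMP header
        info["verdict"] = "not a first ICMP fragment"
        return info
    icmp_type, icmp_code, _, icmp_id, icmp_seq = struct.unpack("!BBHHH", packet[ihl:ihl + 8])
    payload = packet[ihl + 8:]  # echo data: JPEG SOI (ffd8), a COM segment, then APP0 "JFIF"
    info.update(icmp_type=icmp_type, icmp_code=icmp_code, icmp_id=icmp_id, icmp_seq=icmp_seq,
                payload_is_jpeg=payload.startswith(b"\xff\xd8"), payload_has_jfif=b"JFIF" in payload)
    large_echo = icmp_type == 8 and (info["more_fragments"] or total_len > 1024)
    if large_echo and info["payload_is_jpeg"] and info["payload_has_jfif"]:
        info["verdict"] = "large fragmented echo carrying a JFIF image: consistent with slow-link detection"
    elif large_echo:
        info["verdict"] = "large echo with non-image payload: inspect manually"
    else:
        info["verdict"] = "ordinary ICMP"
    return info
```

A match is only as reassuring as its context: the destination should be a domain controller and the image the Microsoft logo the thread mentions, while a large echo with any other payload is the case to examine for tunnelling.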

David Scott
 
      11th Feb 2004
Thanks, Marc. You're probably right, based on the fragmentation information
sent back from the remote host to the DC. One thing, though - I don't see
anything in the article about the tunneling of the Microsoft image through
ICMP. Do you know if this is just undocumented? The reason I want to nail
this down is to rule out any possible Trojan activity.

Thanks,

David

Marc Reynolds [MSFT]
 
      11th Feb 2004
To my knowledge it is not documented, but I've seen this quite a few times
in the past.


--

Thanks,
Marc Reynolds
Microsoft Technical Support

