Re: Weird ICMP activity


From: David Scott (davidscott_at_mtgroup.com)
Date: 02/11/04


Date: Tue, 10 Feb 2004 20:59:32 -0600

Thanks, Mark. You're probably right, based on the fragmentation information
sent back from the remote host to the DC. One thing, though - I don't see
anything in the article about the tunneling of the Microsoft image through
ICMP. Do you know if this is just undocumented? The reason I want to nail
this down is to rule out any possible Trojan activity.

Thanks,

David

"Marc Reynolds [MSFT]" <marcrey@online.microsoft.com> wrote in message
news:%23MSrAgA8DHA.2752@TK2MSFTNGP09.phx.gbl...
> Sounds like the ICMP's used by Slow Link detection. See 816045 A Fast Link
> May Be Detected as a Slow Link Because of Network ICMP
> http://support.microsoft.com/?id=816045
>
> --
>
> Thanks,
> Marc Reynolds
> Microsoft Technical Support
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
> "David Scott" <davidscott@mtgroup.com> wrote in message
> news:OyS9vKA8DHA.2168@TK2MSFTNGP12.phx.gbl...
> > I have two networks geographically (and logically) separated between two
> > cities, joined via a PPTP VPN using ISA server. A network dump has shown
> > me some weird ICMP activity I'm trying to chase down.
> >
> > I have hosts on one network chattering to a Windows 2000 domain
> > controller in the other location with some huge ICMP packets. Tunnelled
> > in the packet is a Microsoft logo image (notice the JFIF header). A
> > sample of the ICMP data is below (this is from the intrusions.org list -
> > you can get a full dump here
> > http://www.incidents.org/archives/intrusions/msg14866.html)
> >
> > > 14:20:29.334511 192.168.19.47 > xxx.xxx.xxx.xxx: icmp: echo request
> > > (frag 7715:1480@x+) (ttl 128, len 1500)
> > > 0x0000 4500 05dc 1e23 2000 8001 e487 c0a8 132f E....#........./
> > > 0x0010 xxxx xxxx 0800 08d5 0200 b100 ffd8 fffe .m22............
> > > 0x0020 0008 5741 4e47 3202 ffe0 0010 4a46 4946 ..WANG2.....JFIF
> > > 0x0030 0001 0101 0060 0060 0000 ffdb 0043 0010 .....`.`.....C..
> > > 0x0040 0b0c 0e0c 0a10 0e0d 0e12 1110 1318 281a ..............(.
> > > 0x0050 1816 1618 3123 251d 283a 333d 3c39 3338 ....1#%.(:3=<938
> > > 0x0060 3740 485c 4e40 4457 4537 3850 6d51 575f 7@x\N@xxxxxxxxxx
> > > 0x0070 6267 6867 3e4d 7179 7064 785c 6567 63ff bghg>Mqypdx\egc.
> > > 0x0080 db00 4301 1112 1218 1518 2f1a 1a2f 6342 ..C......./../cB
> > > 0x0090 3842 6363 6363 6363 6363 6363 6363 6363 8Bcccccccccccccc
> > > 0x00a0 6363 6363 6363 6363 6363 6363 6363 6363 cccccccccccccccc
> > > 0x00b0 6363 6363 6363 6363 6363 6363 6363 6363 cccccccccccccccc
> > > 0x00c0 6363 6363 ffc0 0011 0800 2600 9e03 0121 cccc......&....!
> >
> > I've googled and googled, but can't find a definitive answer for this
> > transfer and if it's covert or if it's something that MS is doing to
> > monitor connections via slow links, or WHAT? Can anyone point me to an
> > answer?
> >
> > Thanks,
> >
> > David Scott
> >
> >
>
>
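
The posted dump can be dissected mechanically to check what the fragment actually is, rather than eyeballing the ASCII column. The Python below is an added example, not code from the thread or from Microsoft: it reuses the hex columns of the dump quoted above, substitutes the constructed documentation address 198.51.100.1 for the masked destination so the bytes parse, and assumes nothing about the remaining fragments of the datagram. Strict JFIF expects the APP0 segment immediately after SOI; this payload has a COM segment first, so the check accepts APP0 anywhere among the header segments.

```python
"""Dissect the first fragment of a large ICMP echo request from a tcpdump hex
dump and report whether its payload begins with a JPEG/JFIF image."""
import ipaddress
import re
import struct

# Hex columns copied from the dump in the post; the masked destination ("xxxx
# xxxx") is replaced with the constructed documentation address 198.51.100.1.
SAMPLE_DUMP = """\
0x0000 4500 05dc 1e23 2000 8001 e487 c0a8 132f
0x0010 c633 6401 0800 08d5 0200 b100 ffd8 fffe
0x0020 0008 5741 4e47 3202 ffe0 0010 4a46 4946
0x0030 0001 0101 0060 0060 0000 ffdb 0043 0010
0x0040 0b0c 0e0c 0a10 0e0d 0e12 1110 1318 281a
0x0050 1816 1618 3123 251d 283a 333d 3c39 3338
0x0060 3740 485c 4e40 4457 4537 3850 6d51 575f
0x0070 6267 6867 3e4d 7179 7064 785c 6567 63ff
0x0080 db00 4301 1112 1218 1518 2f1a 1a2f 6342
0x0090 3842 6363 6363 6363 6363 6363 6363 6363
0x00a0 6363 6363 6363 6363 6363 6363 6363 6363
0x00b0 6363 6363 6363 6363 6363 6363 6363 6363
0x00c0 6363 6363 ffc0 0011 0800 2600 9e03 0121
"""
HEX_WORD = re.compile(r"^[0-9a-fA-F]{4}$")

def parse_hexdump(text):
    """Rebuild bytes from 'offset word ... word' lines, ignoring any ASCII column."""
    out = bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if tokens and tokens[0].startswith("0x"):
            out += bytes.fromhex("".join(t for t in tokens[1:9] if HEX_WORD.match(t)))
    return bytes(out)

def parse_ipv4(pkt):
    """IPv4 header fields, including what tcpdump prints as 'frag id:len@off+'."""
    ver_ihl, _tos, total_len, ident, ff, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"total_len": total_len, "id": ident, "ttl": ttl, "proto": proto,
            "mf": bool(ff & 0x2000),            # more fragments follow
            "frag_offset": (ff & 0x1FFF) * 8,   # in bytes
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "payload": pkt[(ver_ihl & 0x0F) * 4:]}

def parse_icmp(data):
    """ICMP header; the checksum spans the whole message, so one fragment cannot verify it."""
    typ, code, csum, ident, seq = struct.unpack("!BBHHH", data[:8])
    return {"type": typ, "code": code, "checksum": csum,
            "id": ident, "seq": seq, "data": data[8:]}

def walk_jpeg_segments(data):
    """Marker segments after SOI (FF D8) up to SOS or end of data; returns (segments, truncated)."""
    if not data.startswith(b"\xff\xd8"):
        return [], False
    segments, i = [], 2
    while i + 4 <= len(data) and data[i] == 0xFF:
        marker = data[i + 1]
        length = struct.unpack("!H", data[i + 2:i + 4])[0]
        segments.append((marker, data[i + 4:i + 2 + length]))
        if i + 2 + length > len(data):      # fragment ends inside this segment
            return segments, True
        if marker == 0xDA:                  # SOS: entropy-coded scan follows
            break
        i += 2 + length
    return segments, False

def describe_jpeg(data):
    """Describe the JPEG at the start of data, or return None if there is none."""
    segments, truncated = walk_jpeg_segments(data)
    if not segments:
        return None
    info = {"jfif": False, "comment": None, "width": None, "height": None,
            "components": None, "truncated": truncated}
    for marker, payload in segments:
        if marker == 0xE0 and payload.startswith(b"JFIF\x00"):       # APP0 JFIF
            info["jfif"] = True
        elif marker == 0xFE:                                           # COM
            info["comment"] = payload
        elif marker in (0xC0, 0xC1, 0xC2) and len(payload) >= 6:      # SOFn, even if cut short
            _prec, h, w, n = struct.unpack("!BHHB", payload[:6])
            info.update(height=h, width=w, components=n)
    return info

def classify(pkt):
    """Name the fragment: the thread's signature is a fragmented echo request whose first fragment carries JFIF."""
    ip = parse_ipv4(pkt)
    result = {"verdict": "not a first ICMP fragment", "ip": ip, "icmp": None, "image": None}
    if ip["proto"] != 1 or ip["frag_offset"] != 0:   # only offset 0 carries the ICMP header
        return result
    icmp = parse_icmp(ip["payload"])
    image = describe_jpeg(icmp["data"])
    result.update(icmp=icmp, image=image, verdict="other ICMP")
    if icmp["type"] == 8 and ip["mf"]:
        result["verdict"] = "large fragmented echo request"
        if image and image["jfif"]:
            result["verdict"] += " carrying a JFIF image"
    return result
```

Run against the sample, this reports a 1500-byte first fragment (IP id 7715, MF set, offset 0, which is what tcpdump printed as frag 7715:1480@0+) of an ICMP echo request whose data starts with a JPEG: a COM segment reading WANG2, an APP0 JFIF segment, two quantisation tables, and a 158x38-pixel, 3-component SOF0 header that the fragment cuts short. Telling this apart from a covert channel still needs the rest of the datagram: a payload that is byte-for-byte the same image from every host on every ping is a different thing from one whose bytes change, and the parsed fields above give you something concrete to compare.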


