11-13-2003 09:59 AM - edited 03-09-2019 05:31 AM
This is the "Nachi Worm ICMP Echo Request". I have my outside IDS shunning this signature and I can see that the internet router has "Deny" access lists for each alarm. But what is puzzling me is I also have an IDS inside on my server vlan that is reporting an outside attacker to one of my servers. I have looked over these servers with someone else and we can not find any trace of Nachi. The alarm also has no Source or Destination ports listed. In the past when I have had an infected machine there has been a src port 8 and a dest port listed. The outside addresses are one connection and a few have been to Korea. These servers should not have any reason to connect to the addresses listed as attackers. I am at a loss as to why I am getting these alarms. I should also add that the servers are patched with the latest Critical Updates and have the latest Anti-Virus.
11-13-2003 04:04 PM
Does the ICMP pattern look similar to this?
inetnum: 220.116.0.0 - 220.127.255.255
netname: KORNET
descr: KOREA TELECOM
descr: Network Management Center
country: KR
1 0.00000 a.b.c.d -> 220.117.223.36 ICMP Echo request (ID: 768 Sequence number: 49151)
2 73.59386 a.b.c.d -> 220.117.47.209 ICMP Echo request (ID: 768 Sequence number: 60689)
3 83.95402 a.b.c.d -> 220.117.84.48 ICMP Echo request (ID: 768 Sequence number: 43558)
4 106.05646 a.b.c.d -> 220.117.29.189 ICMP Echo request (ID: 768 Sequence number: 57152)
5 10.85057 a.b.c.d -> 220.117.147.40 ICMP Echo request (ID: 768 Sequence number: 35139)
6 83.58813 a.b.c.d -> 220.117.186.47 ICMP Echo request (ID: 768 Sequence number: 12120)
7 53.25838 a.b.c.d -> 220.117.236.176 ICMP Echo request (ID: 768 Sequence number: 22373)
8 14.82192 a.b.c.d -> 220.117.189.110 ICMP Echo request (ID: 768 Sequence number: 105)
9 14.11701 a.b.c.d -> 220.117.157.189 ICMP Echo request (ID: 768 Sequence number: 31084)
10 59.87000 a.b.c.d -> 220.117.0.155 ICMP Echo request (ID: 768 Sequence number: 15995)
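As an added example (not code from the thread), one way to pick the host-sweep shape out of a capture in the layout quoted above: parse each echo-request line and flag any source that keeps one ICMP identifier while pinging many distinct destinations, which is what separates the lines above from an ordinary repeated ping to one host. The sample lines are constructed for this example (the first five reuse the quoted capture) and the threshold of five targets is an assumption to tune per network.

```python
import re
from collections import defaultdict

# Constructed sample in the same layout as the capture quoted in the thread:
# frame, delta time, source -> destination, ICMP type, ID, sequence number.
# The last two lines are a normal ping (same ID, same destination) for contrast.
SAMPLE_CAPTURE = """\
1 0.00000 a.b.c.d -> 220.117.223.36 ICMP Echo request (ID: 768 Sequence number: 49151)
2 73.59386 a.b.c.d -> 220.117.47.209 ICMP Echo request (ID: 768 Sequence number: 60689)
3 83.95402 a.b.c.d -> 220.117.84.48 ICMP Echo request (ID: 768 Sequence number: 43558)
4 106.05646 a.b.c.d -> 220.117.29.189 ICMP Echo request (ID: 768 Sequence number: 57152)
5 10.85057 a.b.c.d -> 220.117.147.40 ICMP Echo request (ID: 768 Sequence number: 35139)
6 0.50000 10.0.0.7 -> 10.0.0.1 ICMP Echo request (ID: 1234 Sequence number: 1)
7 1.00000 10.0.0.7 -> 10.0.0.1 ICMP Echo request (ID: 1234 Sequence number: 2)
"""

LINE_RE = re.compile(
    r"^\s*(?P<frame>\d+)\s+(?P<delta>[\d.]+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+"
    r"ICMP Echo request \(ID: (?P<id>\d+) Sequence number: (?P<seq>\d+)\)\s*$"
)


def parse_capture(text):
    """Return one dict per echo-request line; lines in another layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append({"src": m["src"], "dst": m["dst"],
                         "id": int(m["id"]), "seq": int(m["seq"])})
    return rows


def find_sweeping_sources(rows, min_targets=5):
    """Flag sources that use one constant ICMP ID against many distinct hosts.

    A normal ping keeps one ID but repeats the same destination; a host sweep
    keeps the ID and changes the destination on every packet. The threshold
    is an assumption for this example, not a vendor signature value.
    """
    by_src = defaultdict(lambda: {"ids": set(), "dsts": set(), "count": 0})
    for r in rows:
        s = by_src[r["src"]]
        s["ids"].add(r["id"])
        s["dsts"].add(r["dst"])
        s["count"] += 1
    hits = {}
    for src, s in by_src.items():
        if len(s["ids"]) == 1 and len(s["dsts"]) >= min_targets:
            hits[src] = {"icmp_id": next(iter(s["ids"])),
                         "targets": len(s["dsts"]), "packets": s["count"]}
    return hits


if __name__ == "__main__":
    for src, info in find_sweeping_sources(parse_capture(SAMPLE_CAPTURE)).items():
        print(f"{src}: {info['packets']} echo requests, ICMP ID {info['icmp_id']}, "
              f"{info['targets']} distinct targets")
```

Run against a real capture export in this layout, the output lists only sources whose echo requests fan out across many hosts, so an inside IDS alarm with no ports can be checked against what the server actually sent.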
11-17-2003 01:34 PM
Yes, this looks like what I am getting.
11-14-2003 09:47 AM
Could you possibly capture some of the ICMP traffic and send it to mcerha@cisco.com. We'll need some traffic to diagnose what's going on.
11-17-2003 01:41 PM
Can you tell me how best to capture this? I am thinking I use the IP logging on the IDS?