From: Vincent Cunniffe (vincent at domain diva.ie)
Date: Wed 18 Sep 2002 - 12:28:03 IST

Ronan Waide wrote:
> Hi folks,
>
> in the last two or three days my dialup box has received the following
> ping:
>
> 12:14:15.164115 IP: 194.186.135.40 > 213.116.40.21 type icmp
> 08 00 c3 1a 20 00 a6 1d 50 6c 65 61 73 65 20 68 .... ...Please h
> 65 6c 70 20 6d 65 2c 20 6d 61 74 72 69 78 20 63 elp me, matrix c
> 61 74 63 68 20 6d 65 20 00 atch me .
> 12:14:15.167737 IP: 213.116.40.21 > 194.186.135.40 type icmp
> 00 00 cb 1a 20 00 a6 1d 50 6c 65 61 73 65 20 68 .... ...Please h
> 65 6c 70 20 6d 65 2c 20 6d 61 74 72 69 78 20 63 elp me, matrix c
> 61 74 63 68 20 6d 65 20 00 atch me .
>
> This was followed by an attempt to browse my Samba server. Anyone else
> seen anything like this?

Nope, but it's probably an activation packet for a stealth virus
which doesn't advertise itself until it receives a custom ICMP payload
such as the above, at which point it starts accepting commands.
Probably Windows-based, given the port 139 service.

Regards,
Vin
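
Added example, not part of either poster's message: Python code that parses the two ICMP dumps quoted above, verifies the RFC 792 checksum and flags echo payloads made of readable text that no listed ping tool sends. The `KNOWN_PAYLOADS` allow-list and the `unusual_text` heuristic are assumptions of this example, not something the thread specifies.

```python
import struct

# Both packets are copied from the capture quoted in the thread above.
REQUEST_HEX = (
    "08 00 c3 1a 20 00 a6 1d 50 6c 65 61 73 65 20 68 "
    "65 6c 70 20 6d 65 2c 20 6d 61 74 72 69 78 20 63 "
    "61 74 63 68 20 6d 65 20 00")
# In the capture the reply differs only in the type and checksum bytes.
REPLY_HEX = "00 00 cb 1a" + REQUEST_HEX[11:]

# Assumption: payloads treated as routine; extend for the tools on your network.
KNOWN_PAYLOADS = {b"abcdefghijklmnopqrstuvwabcdefghi": "Windows ping default"}

def checksum_ok(msg: bytes) -> bool:
    """One's-complement sum over the whole message must fold to 0xffff."""
    if len(msg) % 2:
        msg += b"\x00"  # odd-length messages are padded with a zero byte
    total = sum(struct.unpack(f"!{len(msg) // 2}H", msg))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def parse_icmp_echo(hexdump: str) -> dict:
    """Decode an ICMP echo request/reply given as space-separated hex bytes."""
    msg = bytes.fromhex(hexdump)
    if len(msg) < 8:
        raise ValueError("shorter than the 8-byte ICMP echo header")
    icmp_type, code, _cksum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    if icmp_type not in (0, 8) or code != 0:
        raise ValueError("not an echo request or echo reply")
    payload = msg[8:]
    text = payload.rstrip(b"\x00")
    printable = bool(text) and all(0x20 <= b < 0x7F for b in text)
    return {
        "kind": "request" if icmp_type == 8 else "reply",
        "id": ident, "seq": seq, "checksum_ok": checksum_ok(msg),
        "payload": payload,
        # Heuristic (assumption): readable text outside the allow-list is flagged.
        "unusual_text": printable and payload not in KNOWN_PAYLOADS,
    }

if __name__ == "__main__":
    for name, dump in (("request", REQUEST_HEX), ("reply", REPLY_HEX)):
        print(name, parse_icmp_echo(dump))
```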
This archive was generated by hypermail 2.1.6 : Thu 06 Feb 2003 - 13:18:55 GMT