HP3000-L Archives

December 2003, Week 4

HP3000-L@RAVEN.UTC.EDU
Options: Use Monospaced Font
Show Text Part by Default
Show All Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Subject:
Re: 92 Byte Packets
From:
Jeff Kell <[log in to unmask]>
Reply To:
Jeff Kell <[log in to unmask]>
Date:
Fri, 26 Dec 2003 13:27:15 -0500
Content-Type:
text/plain
Parts/Attachments:
text/plain (19 lines) 
Johnson, Tracy wrote:
> Anyone ever got called from your ISP on the idea that your HP3000 is
> sending out 92 byte packets and this is indicative of virus-like
> behavior?
>
> I think only that a worm is pinging some of our systems. and the 92
> bytes is only a "can't-do" response to a Nachi virus attack.

I haven't packet-sniffed ICMP from the 3000 to determine a signature,
but as far as the 3000 having a Nachi attack, nope.

The Nachi ping is 106 bytes on the wire, 92 bytes of IP payload, and 64
bytes of ICMP data payload consisting of all 0xAA's.

Jeff

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *

ATOM RSS1 RSS2