ICMP Attack?

Discussion in 'ESET Smart Security v4 Beta Forum' started by YaddaMinski, Dec 7, 2008.

Thread Status:
Not open for further replies.
  1. YaddaMinski

    YaddaMinski Registered Member

    Joined:
    Dec 6, 2008
    Posts:
    28
    See:
    12/6/2008 2:09:03 PM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.0.20 ICMP
    12/6/2008 2:08:58 PM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.0.20 ICMP
    12/6/2008 2:08:52 PM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.0.20 ICMP
    12/6/2008 2:08:47 PM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.8.25 ICMP
    12/6/2008 2:08:41 PM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.8.25 ICMP
    12/6/2008 2:08:36 PM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.8.25 ICMP
    12/6/2008 1:51:12 PM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.12.3 ICMP
    12/6/2008 1:51:07 PM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.12.3 ICMP
    12/6/2008 1:51:01 PM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.12.3 ICMP
    12/6/2008 1:50:56 PM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.4.1 ICMP
    12/6/2008 1:50:50 PM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.4.1 ICMP
    12/6/2008 1:50:45 PM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.4.1 ICMP
    12/6/2008 12:38:30 PM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.4.1 ICMP
    12/6/2008 12:38:25 PM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.4.1 ICMP
    12/6/2008 12:38:19 PM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.4.1 ICMP
    12/6/2008 12:38:10 PM Detected DNS cache poisoning attack 192.168.0.20:53 192.168.3.28:4976 UDP
    12/6/2008 12:37:56 PM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.12.3 ICMP
    12/6/2008 12:37:49 PM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.12.3 ICMP
    12/6/2008 11:54:39 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.12.3 ICMP
    12/6/2008 11:54:33 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.12.3 ICMP
    12/6/2008 11:54:28 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.12.3 ICMP
    12/6/2008 11:54:22 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.16.3 ICMP
    12/6/2008 11:54:17 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.16.3 ICMP
    12/6/2008 11:54:11 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.16.3 ICMP
    12/6/2008 10:52:37 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.12.3 ICMP
    12/6/2008 10:52:31 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.12.3 ICMP
    12/6/2008 10:52:26 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.12.3 ICMP
    12/6/2008 10:52:20 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.16.3 ICMP
    12/6/2008 10:52:15 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.16.3 ICMP
    12/6/2008 10:52:10 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.16.3 ICMP
    12/6/2008 10:11:06 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.16.3 ICMP
    12/6/2008 10:11:01 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.16.3 ICMP
    12/6/2008 10:10:55 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.16.3 ICMP
    12/6/2008 10:10:50 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.4.1 ICMP
    12/6/2008 10:10:44 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.4.1 ICMP
    12/6/2008 10:10:39 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.4.1 ICMP
    12/6/2008 9:01:04 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.8.25 ICMP
    12/6/2008 9:00:59 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.8.25 ICMP
    12/6/2008 9:00:53 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.8.25 ICMP
    12/6/2008 9:00:48 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.16.3 ICMP
    12/6/2008 9:00:42 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.16.3 ICMP
    12/6/2008 9:00:37 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.16.3 ICMP
    12/6/2008 8:11:33 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.16.3 ICMP
    12/6/2008 8:11:27 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.16.3 ICMP
    12/6/2008 8:11:22 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.16.3 ICMP
    12/6/2008 8:11:16 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.12.3 ICMP
    12/6/2008 8:11:11 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.12.3 ICMP
    12/6/2008 8:11:05 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.12.3 ICMP
    12/6/2008 7:04:31 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.12.3 ICMP
    12/6/2008 7:04:25 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.12.3 ICMP
    12/6/2008 7:04:20 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.12.3 ICMP
    12/6/2008 7:04:14 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.0.20 ICMP
    12/6/2008 7:04:09 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.0.20 ICMP
    12/6/2008 7:04:03 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.0.20 ICMP
    12/6/2008 6:24:59 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.0.20 ICMP
    12/6/2008 6:24:54 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.0.20 ICMP
    12/6/2008 6:24:48 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.0.20 ICMP
    12/6/2008 6:24:43 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.4.1 ICMP
    12/6/2008 6:24:37 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.4.1 ICMP
    12/6/2008 6:24:32 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.4.1 ICMP
    12/6/2008 5:09:58 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.8.25 ICMP
    12/6/2008 5:09:53 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.8.25 ICMP
    12/6/2008 5:09:47 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.8.25 ICMP
    12/6/2008 5:09:42 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.16.3 ICMP
    12/6/2008 5:09:36 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.16.3 ICMP
    12/6/2008 5:09:31 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.16.3 ICMP
    12/6/2008 4:52:26 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.16.3 ICMP
    12/6/2008 4:52:21 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.16.3 ICMP
    12/6/2008 4:52:16 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.16.3 ICMP
    12/6/2008 4:52:10 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.0.20 ICMP
    12/6/2008 4:52:04 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.0.20 ICMP
    12/6/2008 4:51:59 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.0.20 ICMP
    12/6/2008 3:14:25 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.12.3 ICMP
    12/6/2008 3:14:19 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.12.3 ICMP
    12/6/2008 3:14:14 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.12.3 ICMP
    12/6/2008 3:14:08 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.8.25 ICMP
    12/6/2008 3:14:03 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.8.25 ICMP
    12/6/2008 3:13:57 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.8.25 ICMP
    12/6/2008 3:10:53 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.8.25 ICMP
    12/6/2008 3:10:48 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.8.25 ICMP
    12/6/2008 3:10:42 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.8.25 ICMP
    12/6/2008 3:10:37 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.8.25 ICMP
    12/6/2008 3:10:31 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.8.25 ICMP
    12/6/2008 3:10:26 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.8.25 ICMP
    12/6/2008 1:33:48 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.8.25 ICMP
    12/6/2008 1:33:43 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.8.25 ICMP
    12/6/2008 1:33:37 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.8.25 ICMP
    12/6/2008 1:33:32 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.8.25 ICMP
    12/6/2008 1:33:26 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.8.25 ICMP
    12/6/2008 1:33:21 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.8.25 ICMP
    12/6/2008 1:25:20 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.8.25 ICMP
    12/6/2008 1:25:15 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.8.25 ICMP
    12/6/2008 1:25:05 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.8.25 ICMP
    12/6/2008 1:24:56 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.12.3 ICMP
    12/6/2008 1:24:48 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.12.3 ICMP
    12/6/2008 1:24:41 AM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.12.3 ICMP


    192.168.3.28 is probably the Cisco VPN server host (my company just implemented with Qwest). My IP is 192.168.3.29. The 3rd octet specifies my company's subnets by location. 192.168.0.20 is the DNS server. All routers are Cisco (but I don't know the model numbers). Are these misconfigured routers that need to be tweaked?
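
One way to triage a log like the one posted above, as an added example that is not part of the original thread and not ESET tooling: it parses the alert lines and groups repeats of the same alert, source and destination into bursts, so the cadence of the ICMP alerts and the lone DNS alert stand out. The function names and the 15-second grouping window are assumptions.

```python
import re
from datetime import datetime

# Lines copied from the log in the post above, newest first as posted.
SAMPLE_LOG = """\
12/6/2008 1:50:56 PM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.4.1 ICMP
12/6/2008 1:50:50 PM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.4.1 ICMP
12/6/2008 1:50:45 PM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.4.1 ICMP
12/6/2008 12:38:30 PM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.4.1 ICMP
12/6/2008 12:38:25 PM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.4.1 ICMP
12/6/2008 12:38:19 PM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.4.1 ICMP
12/6/2008 12:38:10 PM Detected DNS cache poisoning attack 192.168.0.20:53 192.168.3.28:4976 UDP
12/6/2008 12:37:56 PM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.12.3 ICMP
12/6/2008 12:37:49 PM Detected covert channel exploit in ICMP packet 192.168.3.28 192.168.12.3 ICMP
"""

IP = r"\d+\.\d+\.\d+\.\d+(?::\d+)?"  # IPv4 address with optional :port
LINE = re.compile(r"^(?P<ts>\S+ \S+ [AP]M) (?P<event>Detected .+?) "
                  rf"(?P<src>{IP}) (?P<dst>{IP}) (?P<proto>\w+)$")

def parse(text):
    """Return (time, event, src, dst) tuples sorted oldest first."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:  # blank or unrecognised lines are skipped
            ts = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
            rows.append((ts, m["event"], m["src"], m["dst"]))
    return sorted(rows)

def bursts(rows, max_gap=15):
    """Group alerts sharing event/src/dst that arrive within max_gap seconds (assumed window)."""
    out, last = [], {}
    for ts, event, src, dst in rows:
        b = last.get((event, src, dst))
        if b is None or (ts - b["times"][-1]).total_seconds() > max_gap:
            b = {"event": event, "src": src, "dst": dst, "times": []}
            last[(event, src, dst)] = b
            out.append(b)
        b["times"].append(ts)
    for b in out:
        t = b["times"]
        b["gaps"] = [int((y - x).total_seconds()) for x, y in zip(t, t[1:])]
    return out

if __name__ == "__main__":
    for b in bursts(parse(SAMPLE_LOG)):
        print(b["times"][0], b["src"], "->", b["dst"], len(b["times"]), b["gaps"], b["event"])
```

On this excerpt the ICMP alerts fall into bursts of two or three entries spaced 5 to 7 seconds apart, with the single DNS alert sitting between two of them.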
     
  2. s4u

    s4u Registered Member

    Joined:
    Oct 24, 2007
    Posts:
    441
    Sure looks like it. You might want to try it.
     
  3. YaddaMinski

    YaddaMinski Registered Member

    Joined:
    Dec 6, 2008
    Posts:
    28
    If it is mis-configured routers, what is the layman's explanation? Thx.
     
  4. qzex

    qzex Registered Member

    Joined:
    Nov 30, 2008
    Posts:
    42
    If there aren't any connection issues or performance decreases, you probably don't have to worry about weird log events. It may just be normal network traffic.
     
  5. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,031
    Location:
    California
    Hello,

    Can you please send a packet capture from the workstation running ESET Smart Security v4 beta to betasupport@eset.sk with the URL to this message thread? Thank you.

    Regards,

    Aryeh Goretsky
     
  6. YaddaMinski

    YaddaMinski Registered Member

    Joined:
    Dec 6, 2008
    Posts:
    28
    Hi Aryeh,

    Is the packet capture tool in ESET? If not, I would use Wireshark to capture everything for my LAN IP and VPN IP... -- Alex
     
  7. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,031
    Location:
    California
    Hello,

    A Wireshark or Microsoft Network Monitor packet capture is fine.

    Regards,

    Aryeh Goretsky
     
  8. YaddaMinski

    YaddaMinski Registered Member

    Joined:
    Dec 6, 2008
    Posts:
    28
    The last 3 times I have used the Cisco VPN to my office, I have seen no more ICMP Exploit messages, so maybe it was due to ongoing configuration by our network provider. Thanks for the help and I will post if it happens again. ESET is a great product. Keep up the good work.
     