Strato.net

Discussion in 'other firewalls' started by Douglas, Dec 3, 2003.

Thread Status:
Not open for further replies.
  1. Douglas

    Douglas Guest

    Hi :),
    For a few days I've been getting bombarded with incoming Echo Requests from strato.net. It's basically constant.
    I looked at their web page, and can't figure out why they would be doing this. I've never been there before.
    Can anyone explain this to me?

    Thanks,
    Douglas
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    Hi Douglas,

    I know you've stated what appears to be a complete description of the occurrence, however it is always helpful to actually include several examples right from the full firewall log. Sometimes there is some small and subtle thing that the log will show that isn't readily apparent from a text description.
     
  3. Douglas

    Douglas Guest

    Hi LWM,
    Thanks for responding.
    The traffic has died down quite a bit, but it's still happening. The log is for about 10 minutes. This is now fairly normal.
    BTW, I googled about echo requests, trying to learn, but I didn't do a very good job. All I really saw was a claim that worms on other people's computers can cause this. True?

    Regards,
    Douglas
     

    Attached Files:

  4. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    Yes, that is most probably (+99% likely) Worm related activity. The worm Nachi (aka. Welchia, and other names) has been out a few months now. The way it usually works is after infecting a system, it pings other systems in the same network range looking for other systems to infect. It uses an RPC DCOM exploit to get into systems that have that running, not patched to the specific vulnerability and which are unprotected by any firewall mechanism.

    Notice that the source addresses are all (mostly) different. It isn't strato.net (as in the web server at that name) that is doing this, it is individual users at different IP addresses (probably customers of theirs if they are an ISP).

    Here's some reading on the worm:

    http://www.sophos.com/virusinfo/analyses/w32nachia.html
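
The check described in the post above (are the echo requests coming from one host, or from many different neighbours in the same range?), as an added example that is not part of the original thread. The log format, the sample lines, the `prefix_len` default and the `min_sources` threshold are all assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in a hypothetical firewall log format (not Douglas's log).
SAMPLE_LOG = """\
2003-12-03 10:01:02 BLOCK IN ICMP type=8 src=203.0.113.17 dst=203.0.113.200
2003-12-03 10:01:09 BLOCK IN ICMP type=8 src=203.0.113.54 dst=203.0.113.200
2003-12-03 10:01:31 BLOCK IN TCP src=198.51.100.7 dst=203.0.113.200 dport=135
2003-12-03 10:02:12 BLOCK IN ICMP type=8 src=203.0.113.91 dst=203.0.113.200
2003-12-03 10:02:40 BLOCK IN ICMP type=8 src=203.0.113.17 dst=203.0.113.200
2003-12-03 10:03:05 BLOCK IN ICMP type=8 src=198.51.100.23 dst=203.0.113.200
2003-12-03 10:03:48 BLOCK IN ICMP type=0 src=192.0.2.9 dst=203.0.113.200
"""

LINE_RE = re.compile(r"IN ICMP type=(\d+) src=(\S+) dst=(\S+)")

def summarize_echo_requests(log_text, prefix_len=24):
    """Count inbound ICMP echo requests per source and note which
    sources sit in the same network range as the destination."""
    per_source = Counter()
    same_range = set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group(1) != "8":  # ICMP type 8 = echo request
            continue
        try:
            src = ipaddress.ip_address(m.group(2))
            dst_net = ipaddress.ip_network(f"{m.group(3)}/{prefix_len}", strict=False)
        except ValueError:
            continue  # skip lines with malformed addresses
        per_source[str(src)] += 1
        if src in dst_net:
            same_range.add(str(src))
    return {
        "total": sum(per_source.values()),
        "distinct_sources": len(per_source),
        "same_range_sources": len(same_range),
        "busiest": per_source.most_common(1)[0] if per_source else None,
    }

def looks_like_sweep(summary, min_sources=3):
    """Many different senders, most of them neighbours in our own range,
    fits a ping sweep by several hosts rather than one host pinging us."""
    return (summary["distinct_sources"] >= min_sources
            and summary["same_range_sources"] * 2 > summary["distinct_sources"])

if __name__ == "__main__":
    print(summarize_echo_requests(SAMPLE_LOG))
```
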
     
  5. Douglas

    Douglas Guest

    Many thanks LWM. Much clearer now.
    Best Regards,
    Douglas
     