Echo (Ping) Requests

cppgenius

I've been using Wireshark to monitor the source of strange activity on my Internet connection.

I'm constantly receiving Echo (Ping) Requests from vc-41-17-248-134.umts.vodacom.co.za to sequential IP addresses; in other words, it will send an Echo Request to 192.168.49.56, a couple of seconds later to 192.168.49.57, then to 192.168.49.57. At the time of writing this message it has already reached the IP address 192.168.51.96.

Is it scanning our network for PCs connected to the network or what, and why is it doing this? Is Wireshark perhaps causing these echo requests?

Any kind of help will be appreciated.
 
Sounds like someone is scanning for open ports to try and attack your (and others') PCs.

What is your IP and which APN are you using?

Make sure your firewall is active, and lastly: what is the 'strange activity' you're referring to?
 
So how exactly is a machine on the internet able to ping an RFC1918 address (presumably behind a firewall)?
 
Perhaps Vodacom are routing those RFC1918 addresses on their public network? (A big no-no)
 
I seriously doubt that. Either the information supplied is incorrect or we don't have all the facts.
 
I'm constantly receiving Echo (Ping) Requests from vc-41-17-248-134.umts.vodacom.co.za to sequential IP addresses
Are you sure that vc-41-17-248-134.umts.vodacom.co.za was not your PPP adapter, while you were on the Vodacom network?
 
Thanks for the replies.

What is 'strange activity' you're referring to?

I guess I should rephrase that as unusual activity, the connection kept transmitting and receiving data on a constant basis. Yes I know, anti-virus apps check for updates now and then, Windows Update checks for updates, so does Java, etc. but it is unusual for constant data transmission if you are not actively downloading something and I am pretty sure it was not AVG, Java, Windows Update or any one of those usual apps accessing the Internet, it was something else.

Are you sure that vc-41-17-248-134.umts.vodacom.co.za was not your PPP adapter, while you were on the Vodacom network

vc-41-17-248-134.umts.vodacom.co.za was indeed our PPP adapter. I traced the source of the traffic back to one of our local PCs. It was infected with the CSRCS.EXE virus. It is some kind of trojan/backdoor virus that connects to a remote IRC server waiting for further instructions. I guess it is part of a bot network used in DDoS attacks, spam distribution and stuff like that. I assume it was scanning our network for uninfected PCs in order to spread. I guess this so-called remote IRC server was sending the requests to the infected PC; that explains why it came through vc-41-17-248-134.umts.vodacom.co.za (or in other words our PPP adapter).

The server was also infected, but the malware was not transmitting anything. As soon as I disconnected the infected PC from the network, the constant traffic stopped. We also have a Laptop with Windows Vista connected to the network, but surprisingly it was not infected, I guess the increased security measures in Vista prevented it from spreading to the Laptop.

I would like to find out where this malware came from. Unfortunately Comodo was still in Training mode when the malware infiltrated the system, so that's why it did not block the threat, but I found traces of a file at f:\gwxvhw.exe in the firewall logs. F:\ is not one of our permanent drives and it is not a network drive either, so I expect it was an infected flash drive used on our server.
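
The pattern described in this thread (one source sending echo requests to consecutive addresses, with the occasional repeat) can be picked out of a capture export automatically. The following is an added example, not part of the original posts: the row format and sample rows are constructed, and the source address 41.17.248.134 is assumed from the hostname quoted above. It also reports whether the targets are private (RFC1918) addresses, which points to a sweep originating on the local side of the link.

```python
import ipaddress

ECHO_REQUEST = 8  # ICMP type of an echo (ping) request

# Constructed capture export: "seconds src dst icmp_type". Not data from the thread.
SAMPLE = """\
0.0 41.17.248.134 192.168.49.56 8
2.1 41.17.248.134 192.168.49.57 8
2.4 192.168.49.10 192.168.49.1 8
4.0 41.17.248.134 192.168.49.57 8
6.2 41.17.248.134 192.168.49.58 8
6.3 192.168.49.1 192.168.49.10 0
8.1 41.17.248.134 192.168.49.59 8
9.0 192.168.49.10 192.168.49.1 8
10.3 41.17.248.134 192.168.49.60 8
"""

def parse(text):
    """Yield (time, src, dst) for echo requests only; replies are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or int(parts[3]) != ECHO_REQUEST:
            continue
        yield float(parts[0]), parts[1], ipaddress.ip_address(parts[2])

def find_sweeps(rows, min_run=4, max_gap=30.0):
    """Return {src: (first, last, run_length, targets_private)} for sources whose
    echo requests walk consecutive addresses for at least min_run targets."""
    state = {}  # src -> [run_start, last_dst, last_time, run_length]
    best = {}   # src -> (run_start, run_end, run_length) of the longest run
    for t, src, dst in sorted(rows, key=lambda r: r[0]):
        s = state.get(src)
        if s and dst == s[1]:
            s[2] = t  # repeat to the same target: the run continues
        elif s and int(dst) == int(s[1]) + 1 and t - s[2] <= max_gap:
            s[1], s[2], s[3] = dst, t, s[3] + 1
        else:
            s = state[src] = [dst, dst, t, 1]
        if s[3] > best.get(src, (None, None, 0))[2]:
            best[src] = (s[0], s[1], s[3])
    return {
        src: (str(a), str(b), n, a.is_private and b.is_private)
        for src, (a, b, n) in best.items() if n >= min_run
    }

if __name__ == "__main__":
    for src, (first, last, n, private) in find_sweeps(parse(SAMPLE)).items():
        print(f"{src}: {n} consecutive targets {first} -> {last}, private={private}")
```

The host that pings only its gateway is not reported, because its target never advances.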
 
...I found traces of a file at f:\gwxvhw.exe in the firewall logs. F:\ is not one of our permanent drives and it is not a network drive either, so I expect it was an infected flash drive used on our server.
Microsoft are now recommending we all disable Autorun/Autoplay to prevent these things from spreading, see here.
 
...you may experience any of the following symptoms:

...Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender, and Error Reporting Services are disabled.

Apart from BITS, I guess one can say this worm does you a favor by disabling these annoying and useless services.

Thanks for the tip. Although the infection on our system is not the Conficker worm, the tip about disabling the autoplay feature can come in handy. I'd rather endure the complaints from novice users ("HELP! My CD/Flashdrive no longer opens automatically") than remove these pests on a day-to-day basis. I guess that's the price they should pay for using infected media on a system. :D
 