Strato.net
Douglas
December 3rd, 2003, 10:19 AM
Hi :),
For a few days I've been getting bombarded with incoming Echo Requests from strato.net. It's basically constant.
I looked at their web page, and can't figure out why they would be doing this. I've never been there before.
Can anyone explain this to me?
Thanks,
Douglas

LowWaterMark
December 3rd, 2003, 09:29 PM
Hi Douglas,
I know you've stated what appears to be a complete description of the occurrence, however it is always helpful to actually include several examples right from the full firewall log. Sometimes there is some small and subtle thing that the log will show that isn't readily apparent from a text description.

Douglas
December 4th, 2003, 06:22 PM
Hi LWM,
Thanks for responding.
The traffic has died down quite a bit, but it's still happening. The log is for about 10 minutes. This is now fairly normal.
BTW, I googled about echo requests, trying to learn, but I didn't do a very good job. All I really saw was a claim that worms on other people's computers can cause this. True?
Regards,
Douglas

LowWaterMark
December 4th, 2003, 07:40 PM
Yes, that is most probably (+99% likely) Worm related activity. The worm Nachi (aka. Welchia, and other names) has been out a few months now. The way it usually works is after infecting a system, it pings other systems in the same network range looking for other systems to infect. It uses an RPC DCOM exploit to get into systems that have that running, not patched to the specific vulnerability and which are unprotected by any firewall mechanism.
Notice that the source addresses are all (mostly) different. It isn't strato.net (as in the web server at that name) that is doing this, it is individual users at different IP addresses (probably customers of theirs if they are an ISP).
Here's some reading on the worm:
http://www.sophos.com/virusinfo/analyses/w32nachia.html

Douglas
December 4th, 2003, 10:09 PM
Many thanks LWM. Much clearer now.
Best Regards,
Douglas
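
The check LowWaterMark describes in the thread (many different source addresses, mostly in the same network range as the target, rather than one server), as an added example that is not part of the original thread. The log format, the addresses and the /24 prefix are constructed assumptions, since the attached firewall log is not reproduced on this page.

```python
import ipaddress
import re
from collections import Counter

# Constructed firewall log lines in a hypothetical format (not from the thread).
# 203.0.113.0/24 stands in for the provider's customer range.
SAMPLE_LOG = """\
2003-12-04 18:10:02 BLOCK ICMP type=8 src=203.0.113.17 dst=203.0.113.200
2003-12-04 18:10:09 BLOCK ICMP type=8 src=203.0.113.54 dst=203.0.113.200
2003-12-04 18:10:15 BLOCK TCP dport=135 src=198.51.100.9 dst=203.0.113.200
2003-12-04 18:11:31 BLOCK ICMP type=8 src=203.0.113.121 dst=203.0.113.200
2003-12-04 18:12:47 BLOCK ICMP type=8 src=203.0.113.54 dst=203.0.113.200
2003-12-04 18:14:03 BLOCK ICMP type=8 src=192.0.2.77 dst=203.0.113.200
2003-12-04 18:15:20 BLOCK ICMP type=0 src=203.0.113.8 dst=203.0.113.200
"""

# ICMP type 8 is an echo request; type 0 (echo reply) must not be counted.
ECHO_REQUEST = re.compile(
    r"ICMP type=8 src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)"
)


def summarize_echo_requests(log_text, prefix_len=24):
    """Count inbound echo requests, distinct sources, and how many of those
    sources sit in the same network range as the host they pinged."""
    hits = Counter()
    neighbours = set()
    for line in log_text.splitlines():
        m = ECHO_REQUEST.search(line)
        if not m:
            continue  # other protocols and other ICMP types are ignored
        src = ipaddress.ip_address(m["src"])
        # prefix_len is an assumed size for "the same network range"
        local_net = ipaddress.ip_network(f"{m['dst']}/{prefix_len}", strict=False)
        hits[src] += 1
        if src in local_net:
            neighbours.add(src)
    return {
        "requests": sum(hits.values()),
        "distinct_sources": len(hits),
        "same_range_sources": len(neighbours),
        "top_sources": [(str(ip), n) for ip, n in hits.most_common(3)],
    }


if __name__ == "__main__":
    for key, value in summarize_echo_requests(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A high count of distinct sources concentrated in the target's own range points at many individual hosts on the provider's network, not at a single server.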