https://community.hpe.com/t5/security-e-series/an-unsolicited-icmp-reply/m-p/6365531#M242 <P>Why would some important computers on my network start sending ICMP replies an external IP address when there was never an ICMP Ping Request (echo)? Seeing 0 hits via any search mechanism for this specific scenario, thought we'd share our findings.</P><P>&nbsp;</P><P>We searched in vain for something which would incite a reply where there was no echo. We knew when it started, we knew where it was trying to go, but finding out why was problematic. Network Monitor confirmed the packets were sourcing from the victims but will not reveal the process generating the traffic. Process Monitor is conspicuously silent during the time in question. Changes made to the file system around zulu were clean. A memory dump wasn't of assistance. Hashes of binaries were legitimate. Prefetch was benign. The interval of the echo reply was consistent. There are no matches for a multitude of string/word variants for obfuscating the target IP.</P><P>&nbsp;</P><P>Rewording our searches&nbsp;reveals the article /t5/Systems-Management-OpenView-OP/ICMP-heartbeat/ where Drew Dimmick (THANK YOU) writes "OVO ... does implement an additional status monitoring capability based on a "heard from" (not polling) heartbeat monitor - the agents send icmp replies to the manager *unasked for* - the management server monitors if its heard from the node in the last x time and will interrogate the node with a direct ping &amp; rpc call if it isn't heard from - this reduces the overhead of the status monitoring, as OVO will only actively poll nodes when they have not been heard from. Both OVOW and OVOU implement heartbeat polling with this approach (icmp reply) as its extremely network efficient and very low overhead on the receiving systems (tcp requests are many times more expensive)"</P><P>&nbsp;</P><P>This helped us focus on the most recent install performed by another team of OVO. The suspicious activity and change were close enough. Performed a "net stop opcmsga" &amp; the beacon ceases. After enabling logging we find in \Program Files\HP OpenView\data\log\trace_hang\ agentrc_xxxx.trc the smoking gun. "I_am_alive-pkg" logging "Sending ICMP reply" to prim.mgr , albeit WITH THE IP INVERSED. Address: 1.2.3.4 becomes Address: 4.3.2.1</P><P>&nbsp;</P><P>So are we really the first people to have discovered that this mechanism is totally disfunctional?</P><P>Hope this is helpful for someone out there in Networking / Security.</P> Thu, 13 Feb 2014 14:27:20 GMT 31douglas 2014-02-13T14:27:20Z https://community.hpe.com/t5/security-e-series/an-unsolicited-icmp-reply/m-p/6365531#M242 <P>Why would some important computers on my network start sending ICMP replies an external IP address when there was never an ICMP Ping Request (echo)? Seeing 0 hits via any search mechanism for this specific scenario, thought we'd share our findings.</P><P>&nbsp;</P><P>We searched in vain for something which would incite a reply where there was no echo. We knew when it started, we knew where it was trying to go, but finding out why was problematic. Network Monitor confirmed the packets were sourcing from the victims but will not reveal the process generating the traffic. Process Monitor is conspicuously silent during the time in question. Changes made to the file system around zulu were clean. A memory dump wasn't of assistance. Hashes of binaries were legitimate. Prefetch was benign. The interval of the echo reply was consistent. There are no matches for a multitude of string/word variants for obfuscating the target IP.</P><P>&nbsp;</P><P>Rewording our searches&nbsp;reveals the article /t5/Systems-Management-OpenView-OP/ICMP-heartbeat/ where Drew Dimmick (THANK YOU) writes "OVO ... does implement an additional status monitoring capability based on a "heard from" (not polling) heartbeat monitor - the agents send icmp replies to the manager *unasked for* - the management server monitors if its heard from the node in the last x time and will interrogate the node with a direct ping &amp; rpc call if it isn't heard from - this reduces the overhead of the status monitoring, as OVO will only actively poll nodes when they have not been heard from. Both OVOW and OVOU implement heartbeat polling with this approach (icmp reply) as its extremely network efficient and very low overhead on the receiving systems (tcp requests are many times more expensive)"</P><P>&nbsp;</P><P>This helped us focus on the most recent install performed by another team of OVO. The suspicious activity and change were close enough. Performed a "net stop opcmsga" &amp; the beacon ceases. After enabling logging we find in \Program Files\HP OpenView\data\log\trace_hang\ agentrc_xxxx.trc the smoking gun. "I_am_alive-pkg" logging "Sending ICMP reply" to prim.mgr , albeit WITH THE IP INVERSED. Address: 1.2.3.4 becomes Address: 4.3.2.1</P><P>&nbsp;</P><P>So are we really the first people to have discovered that this mechanism is totally disfunctional?</P><P>Hope this is helpful for someone out there in Networking / Security.</P> Thu, 13 Feb 2014 14:27:20 GMT https://community.hpe.com/t5/security-e-series/an-unsolicited-icmp-reply/m-p/6365531#M242 31douglas 2014-02-13T14:27:20Z https://community.hpe.com/t5/security-e-series/an-unsolicited-icmp-reply/m-p/6369073#M246 <P>It would be helpful to include the full URL to that post:</P><P><A target="_blank" href="https://community.hpe.com/t5/Systems-Management-OpenView-OP/ICMP-heartbeat/m-p/3626930#M56990">http://h30499.www3.hp.com/t5/Systems-Management-OpenView-OP/ICMP-heartbeat/m-p/3626930#M56990</A></P><P>&nbsp;</P><P>You might want to give Drew a Kudos.&nbsp; :-)</P> Sun, 09 Feb 2014 00:59:38 GMT https://community.hpe.com/t5/security-e-series/an-unsolicited-icmp-reply/m-p/6369073#M246 Dennis Handly 2014-02-09T00:59:38Z https://community.hpe.com/t5/security-e-series/an-unsolicited-icmp-reply/m-p/6581022#M260 Agent version 11.13 with patch HFWIN_13044 resolves this issue. Thu, 21 Aug 2014 06:47:19 GMT https://community.hpe.com/t5/security-e-series/an-unsolicited-icmp-reply/m-p/6581022#M260 31douglas 2014-08-21T06:47:19Z