Security Basics mailing list archives
RE: Possible Bot?
From: "Murda Mcloud" <murdamcloud () bigpond com>
Date: Tue, 13 May 2008 11:36:37 +1000
How much is 'large' ICMP traffic? I've seen machines that had 'illegitimate' software loaded by users that were really noisy. Especially when it had a Quake server on it.... Get some packet captures and try and work out what else is going out. Where does the public IP 4.5.6.7 lead you?
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Tony Raboza
Sent: Saturday, May 10, 2008 4:57 PM
To: security-basics () securityfocus com
Subject: Possible Bot?

Hi,

I saw on our MRTG graph and monitoring tool that a PC on our LAN is sending out large ICMP traffic to a public IP address. Upon checking on our Internet gateway, I saw this (output of tcpdump - I purposely changed the IP addresses):

18:00:02.788023 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo request, id 4, seq 59931, length 1480
18:00:02.788030 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): icmp
18:00:02.798828 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo request, id 4, seq 60187, length 1480
18:00:02.798841 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): icmp
18:00:02.809534 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo request, id 4, seq 60443, length 1480
18:00:02.809546 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): icmp
18:00:02.820274 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo request, id 4, seq 60699, length 1480
18:00:02.820286 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): icmp
18:00:02.831246 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo request, id 4, seq 60955, length 1480

Actually, this happened with this PC before - I had our helpdesk check it (it's on a remote site) for virus/worms, but according to them nothing turned up.

I'm thinking this might be a sign that this PC is part of a botnet? How can I be certain? And what kind of botnet/worm exhibits the behavior as above?

Thank you very much.

Sincerely,
Tony
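The reply above suggests taking packet captures and working out what is actually leaving the LAN. As an added example (not code from either poster or from the list), the Python below parses tcpdump's default text output, such as the lines Tony posted, and flags source/destination pairs whose ICMP echo requests are both oversized and sent at a high rate. That combination is what distinguishes the traffic in the post from a normal ping: the size threshold, rate threshold, and the two extra 10.0.0.x flows used as "normal" comparison traffic are constructed assumptions, and the 1.2.3.4 / 4.5.6.7 lines are taken from the post.

```python
"""Flag hosts emitting high-rate, oversized ICMP echo requests in tcpdump text output."""
import re
from collections import defaultdict

# tcpdump's default text line for an ICMP echo request, e.g.
#   18:00:02.788023 IP 1.2.3.4 > 4.5.6.7: ICMP echo request, id 4, seq 59931, length 1480
# The optional "( ... )" groups tolerate the "(LANIP)" / "(PUBLIC IP)" annotations
# the original poster added by hand. Fragment lines ending in ": icmp" do not match
# and are skipped, so only first fragments are counted.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)(?: \([^)]*\))? > "
    r"(?P<dst>[\d.]+)(?: \([^)]*\))?: ICMP echo request, id (?P<id>\d+), "
    r"seq (?P<seq>\d+), length (?P<len>\d+)$"
)

# Sample input: five lines from the post plus constructed comparison flows.
SAMPLE_LINES = [
    "18:00:02.788023 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo request, id 4, seq 59931, length 1480",
    "18:00:02.788030 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): icmp",
    "18:00:02.798828 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo request, id 4, seq 60187, length 1480",
    "18:00:02.798841 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): icmp",
    "18:00:02.809534 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo request, id 4, seq 60443, length 1480",
    "18:00:02.809546 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): icmp",
    "18:00:02.820274 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo request, id 4, seq 60699, length 1480",
    "18:00:02.820286 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): icmp",
    "18:00:02.831246 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo request, id 4, seq 60955, length 1480",
    # Constructed: an ordinary 64-byte ping once per second (small, slow) -> not flagged
    "18:00:03.000000 IP 10.0.0.5 > 10.0.0.1: ICMP echo request, id 7, seq 1, length 64",
    "18:00:04.000000 IP 10.0.0.5 > 10.0.0.1: ICMP echo request, id 7, seq 2, length 64",
    "18:00:05.000000 IP 10.0.0.5 > 10.0.0.1: ICMP echo request, id 7, seq 3, length 64",
    # Constructed: a large ping once per second (e.g. an MTU test: large, but slow) -> not flagged
    "18:00:03.500000 IP 10.0.0.6 > 10.0.0.1: ICMP echo request, id 9, seq 1, length 1480",
    "18:00:04.500000 IP 10.0.0.6 > 10.0.0.1: ICMP echo request, id 9, seq 2, length 1480",
    "18:00:05.500000 IP 10.0.0.6 > 10.0.0.1: ICMP echo request, id 9, seq 3, length 1480",
]


def parse_ts(ts):
    """Convert HH:MM:SS.ffffff into seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_echo_requests(lines):
    """Yield (t_seconds, src, dst, length) for each echo-request line; skip everything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield parse_ts(m["ts"]), m["src"], m["dst"], int(m["len"])


def flag_icmp_flows(lines, min_len=1000, min_pps=20.0, min_packets=3):
    """Return {(src, dst): stats} for flows whose echo requests are all large AND frequent.

    min_len:     bytes; anything at or above this counts as 'large' (assumed threshold).
    min_pps:     packets per second over the observed window (assumed threshold).
    min_packets: ignore flows too short to estimate a rate.
    """
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "large": 0, "first": None, "last": None})
    for t, src, dst, length in parse_echo_requests(lines):
        f = flows[(src, dst)]
        f["packets"] += 1
        f["bytes"] += length
        f["large"] += int(length >= min_len)
        if f["first"] is None:
            f["first"] = t
        f["last"] = t

    suspicious = {}
    for key, f in flows.items():
        if f["packets"] < min_packets:
            continue
        span = max(f["last"] - f["first"], 1e-6)       # avoid divide-by-zero on a burst
        pps = (f["packets"] - 1) / span                # intervals per second of observation
        if f["large"] == f["packets"] and pps >= min_pps:
            suspicious[key] = {**f, "pps": round(pps, 1)}
    return suspicious


if __name__ == "__main__":
    for (src, dst), stats in flag_icmp_flows(SAMPLE_LINES).items():
        print(f"{src} -> {dst}: {stats['packets']} large echo requests, "
              f"{stats['bytes']} bytes, ~{stats['pps']} pps")
```

Run against the post's lines, only the 1.2.3.4 -> 4.5.6.7 flow is reported (five 1480-byte requests in about 43 ms, roughly 90 per second); the constructed slow pings, small or large, stay below the rate threshold. In practice you would feed it `tcpdump -n -l icmp` output from the gateway, then follow the reply's advice and look at what else the flagged host is sending, since a high-volume ICMP stream on its own only tells you something is abnormal, not what it is.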
Current thread:
- Possible Bot? Tony Raboza (May 12)
- Re: Possible Bot? Adriel Desautels (May 12)
- Re: Possible Bot? Orlin Gueorguiev (May 13)
- RE: Possible Bot? Murda Mcloud (May 13)
- Re: Possible Bot? Nicolas Lin Wee Kuan (May 14)
- Re: Possible Bot? Adriel Desautels (May 12)