Security Incidents mailing list archives

Possible Zombie/Bot?


From: "Tony Raboza" <tonyraboza () gmail com>
Date: Mon, 12 May 2008 21:08:22 +0800

Hi,

I saw on our MRTG graph and monitoring tool that a PC on our LAN is
sending out large ICMP traffic to a public IP address.  Upon checking
on our Internet gateway, I saw this:

09:23:23.062502 IP 172.16.210.210 > ns2.majordomo.ru: ICMP echo
request, id 43013, seq 511, length 1480
09:23:23.062520 IP 172.16.210.210 > ns2.majordomo.ru: icmp
09:23:23.064457 IP 172.16.210.210 > 81.177.45.191: ICMP echo request,
id 43013, seq 767, length 1480
09:23:23.064484 IP 172.16.210.210 > 81.177.45.191: icmp
09:23:23.073248 IP 172.16.210.210 > ns2.majordomo.ru: ICMP echo
request, id 43013, seq 1023, length 1480
09:23:23.073275 IP 172.16.210.210 > ns2.majordomo.ru: icmp
09:23:23.075211 IP 172.16.210.210 > 81.177.45.191: ICMP echo request,
id 43013, seq 1279, length 1480
09:23:23.075242 IP 172.16.210.210 > 81.177.45.191: icmp
09:23:23.083989 IP 172.16.210.210 > ns2.majordomo.ru: ICMP echo
request, id 43013, seq 1535, length 1480
09:23:23.084017 IP 172.16.210.210 > ns2.majordomo.ru: icmp


I also did a tcpdump -X and I got this:


09:26:59.840419 IP (tos 0x0, ttl 126, id 13198, offset 0, flags [+], proto: ICMP (1), length: 1500) 172.16.210.210 > 81.177.45.191: ICMP echo request, id 43013, seq 39068, length 1480
        0x0000:  4500 05dc 338e 2000 7e01 e53f ac10 d2d2  E...3...~..?....
        0x0010:  51b1 2dbf 0800 d5d5 a805 989c 4c37 4500  Q.-.........L7E.
        0x0020:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
        0x0030:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
        0x0040:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
        0x0050:  c8c8                                     ..
09:26:59.840449 IP (tos 0x0, ttl 125, id 13198, offset 1480, flags [none], proto: ICMP (1), length: 552) 172.16.210.210 > 81.177.45.191: icmp
        0x0000:  4500 0228 338e 00b9 7d01 093b ac10 d2d2  E..(3...}..;....
        0x0010:  51b1 2dbf c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  Q.-.............
        0x0020:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
        0x0030:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
        0x0040:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
        0x0050:  c8c8                                     ..
09:26:59.841432 IP (tos 0x0, ttl 126, id 13199, offset 0, flags [+], proto: ICMP (1), length: 1500) 172.16.210.210 > 78.108.89.252: ICMP echo request, id 43013, seq 39324, length 1480
        0x0000:  4500 05dc 338f 2000 7e01 bc46 ac10 d2d2  E...3...~..F....
        0x0010:  4e6c 59fc 0800 d4d5 a805 999c 4c37 4500  NlY.........L7E.
        0x0020:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
        0x0030:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
        0x0040:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
        0x0050:  c8c8                                     ..
09:26:59.841460 IP (tos 0x0, ttl 125, id 13199, offset 1480, flags [none], proto: ICMP (1), length: 552) 172.16.210.210 > 78.108.89.252: icmp
        0x0000:  4500 0228 338f 00b9 7d01 e041 ac10 d2d2  E..(3...}..A....
        0x0010:  4e6c 59fc c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  NlY.............
        0x0020:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
        0x0030:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
        0x0040:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
        0x0050:  c8c8                                     ..
09:26:59.851421 IP (tos 0x0, ttl 126, id 13200, offset 0, flags [+], proto: ICMP (1), length: 1500) 172.16.210.210 > 81.177.45.191: ICMP echo request, id 43013, seq 39580, length 1480
        0x0000:  4500 05dc 3390 2000 7e01 e53d ac10 d2d2  E...3...~..=....
        0x0010:  51b1 2dbf 0800 d3d5 a805 9a9c 4c37 4500  Q.-.........L7E.
        0x0020:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
        0x0030:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
        0x0040:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
        0x0050:  c8c8                                     ..
09:26:59.851446 IP (tos 0x0, ttl 125, id 13200, offset 1480, flags [none], proto: ICMP (1), length: 552) 172.16.210.210 > 81.177.45.191: icmp
        0x0000:  4500 0228 3390 00b9 7d01 0939 ac10 d2d2  E..(3...}..9....
        0x0010:  51b1 2dbf c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  Q.-.............
        0x0020:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
        0x0030:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
        0x0040:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
        0x0050:  c8c8                                     ..
09:26:59.852135 IP (tos 0x0, ttl 126, id 13201, offset 0, flags [+], proto: ICMP (1), length: 1500) 172.16.210.210 > 78.108.89.252: ICMP echo request, id 43013, seq 39836, length 1480
        0x0000:  4500 05dc 3391 2000 7e01 bc44 ac10 d2d2  E...3...~..D....
        0x0010:  4e6c 59fc 0800 0417 a805 9b9c 5c37 4500  NlY.........\7E.
        0x0020:  d8d8 d8d8 d8d8 d8d8 d8d8 d8d8 d8d8 d8d8  ................
        0x0030:  d8d8 d8d8 d8d8 d8d8 d8d8 d8d8 d8d8 d8d8  ................
        0x0040:  d8d8 d8d8 d8d8 d8d8 d8d8 d8d8 d8d8 d8d8  ................
        0x0050:  d8d8                                     ..


Actually, this happened with this PC before - I had our helpdesk check
it (it's on a remote site) for viruses/worms, but according to them
nothing turned up.

I turned on Snort on our Linux router (I don't leave snort on as this router
is quite underpowered already):

05/12-11:45:41.791708  [**] [123:8:1]  <any> (spp_frag3) Fragmentation overlap [**] [Priority: 3] {ICMP} 172.16.210.210 -> 78.108.89.252
05/12-11:45:41.791813  [**] [123:8:1]  <any> (spp_frag3) Fragmentation overlap [**] [Priority: 3] {ICMP} 172.16.210.210 -> 81.177.45.191


The PC is on a remote office of ours.  I was able to investigate it partially -
established a Netmeeting session with it and checked using Netstat - but nothing
turned up.  The anti-virus installed (McAfee) has the latest updates.

I'm thinking this might be a sign that this PC is part of a botnet?
How can I be certain?  And what kind of botnet/worm exhibits the
behavior shown above?

Thank you very much.



Sincerely,
Tony
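The fragmented echo requests in the tcpdump -X output above can be decoded from the hex rather than read by eye. The following is an added example, not part of Tony's post: a small Python decoder that parses the first two hex blocks he quoted, verifies the IP header checksums, extracts the IP id, MF flag, fragment offset and the ICMP echo id/seq, and flags the three traits a responder would note (fragmentation, a public destination from an RFC 1918 host, and a constant filler byte). The 0.8 filler-byte threshold is an assumption.

```python
import ipaddress
import re
import struct
from collections import Counter
# Constructed sample: the first two tcpdump -X blocks quoted in the post (trailing lines trimmed).
FRAG0 = """\
0x0000:  4500 05dc 338e 2000 7e01 e53f ac10 d2d2  E...3...~..?....
0x0010:  51b1 2dbf 0800 d5d5 a805 989c 4c37 4500  Q.-.........L7E.
0x0020:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
0x0030:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................"""
FRAG1 = """\
0x0000:  4500 0228 338e 00b9 7d01 093b ac10 d2d2  E..(3...}..;....
0x0010:  51b1 2dbf c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  Q.-............."""
HEX_LINE = re.compile(r"^\s*0x[0-9a-f]+:\s+((?:[0-9a-f]{4} ?){1,8})")

def parse_hexdump(text):
    """Turn tcpdump -X lines back into bytes (hex column only; the ASCII column is ignored)."""
    groups = [m.group(1) for m in map(HEX_LINE.match, text.splitlines()) if m]
    return bytes.fromhex("".join(groups).replace(" ", ""))

def ipv4_checksum(header):
    """RFC 1071 ones-complement sum; 0 means the header is intact."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def decode_ipv4(pkt):
    """IP fields a responder needs (id, MF flag, fragment offset, TTL, addresses) plus ICMP echo fields."""
    vihl, _, length, ident, ff, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    info = dict(length=length, id=ident, mf=bool(ff & 0x2000), offset=(ff & 0x1FFF) * 8, ttl=ttl,
                proto=proto, src=str(ipaddress.IPv4Address(src)), dst=str(ipaddress.IPv4Address(dst)),
                checksum_ok=ipv4_checksum(pkt[:ihl]) == 0, payload=pkt[ihl:])
    if proto == 1 and info["offset"] == 0 and len(info["payload"]) >= 8:  # ICMP header lives in fragment 0 only
        typ, _, _, icmp_id, seq = struct.unpack("!BBHHH", info["payload"][:8])
        info.update(icmp_type=typ, icmp_id=icmp_id, icmp_seq=seq, payload=info["payload"][8:])
    return info

def triage(info):
    """Defender-side heuristics for the traits visible in the post's capture (0.8 threshold is assumed)."""
    findings = []
    if info["proto"] == 1 and (info["mf"] or info["offset"]):
        findings.append("fragmented ICMP (echo larger than the path MTU)")
    if info["proto"] == 1 and not ipaddress.ip_address(info["dst"]).is_private:
        findings.append("ICMP from internal host to public address " + info["dst"])
    byte, count = Counter(info["payload"] or b"\0").most_common(1)[0]
    if info["payload"] and count / len(info["payload"]) >= 0.8:
        findings.append("payload is mostly filler byte 0x%02x" % byte)
    return findings
```

Feeding each block of a real capture through `decode_ipv4` and grouping on (src, dst, id) lets you pair first fragments with their tails, which is the same reassembly Snort's frag3 preprocessor was attempting when it raised the overlap alerts.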

