Security Incidents mailing list archives

Re: Possible Zombie/Bot?


From: "john lokka" <merigoth () gmail com>
Date: Mon, 12 May 2008 19:03:39 -0700

I saw you ran a tcpdump but how many packets did you capture? I'd
recommend running a dedicated tcpdump against the box. Let the dump
run for 1500 packets. If it fills up in less than 2 minutes, you may
want to run another dump and ignore icmp traffic. The icmp traffic is a
sign of infection especially at a high rate. However, the real traffic
will be somewhere else and may take a while to find. If time is not
available and you think there is an infection, I'd recommend writing an
IDS/IPS rule to catch further infections and re-image the box.

If you have time, you may want to bit image the drive and perform post
incident investigation. (You could use Helix, a Linux distro for
forensic analysis.) This also gets the infected box back online and
some analysis to find the malware is still available.

Malware can be repacked overnight and then AV won't catch it.

On Mon, May 12, 2008 at 6:08 AM, Tony Raboza <tonyraboza () gmail com> wrote:
Hi,

I saw on our MRTG graph and monitoring tool that a PC on our LAN is
sending out large ICMP traffic to a public IP address.  Upon checking
on our Internet gateway, I saw this:

09:23:23.062502 IP 172.16.210.210 > ns2.majordomo.ru: ICMP echo request, id 43013, seq 511, length 1480
09:23:23.062520 IP 172.16.210.210 > ns2.majordomo.ru: icmp
09:23:23.064457 IP 172.16.210.210 > 81.177.45.191: ICMP echo request, id 43013, seq 767, length 1480
09:23:23.064484 IP 172.16.210.210 > 81.177.45.191: icmp
09:23:23.073248 IP 172.16.210.210 > ns2.majordomo.ru: ICMP echo request, id 43013, seq 1023, length 1480
09:23:23.073275 IP 172.16.210.210 > ns2.majordomo.ru: icmp
09:23:23.075211 IP 172.16.210.210 > 81.177.45.191: ICMP echo request, id 43013, seq 1279, length 1480
09:23:23.075242 IP 172.16.210.210 > 81.177.45.191: icmp
09:23:23.083989 IP 172.16.210.210 > ns2.majordomo.ru: ICMP echo request, id 43013, seq 1535, length 1480
09:23:23.084017 IP 172.16.210.210 > ns2.majordomo.ru: icmp


I also did a tcpdump -X and I got this:


09:26:59.840419 IP (tos 0x0, ttl 126, id 13198, offset 0, flags [+], proto: ICMP (1), length: 1500) 172.16.210.210 > 81.177.45.191: ICMP echo request, id 43013, seq 39068, length 1480
       0x0000:  4500 05dc 338e 2000 7e01 e53f ac10 d2d2  E...3...~..?....
       0x0010:  51b1 2dbf 0800 d5d5 a805 989c 4c37 4500  Q.-.........L7E.
       0x0020:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
       0x0030:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
       0x0040:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
       0x0050:  c8c8                                     ..
09:26:59.840449 IP (tos 0x0, ttl 125, id 13198, offset 1480, flags [none], proto: ICMP (1), length: 552) 172.16.210.210 > 81.177.45.191: icmp
       0x0000:  4500 0228 338e 00b9 7d01 093b ac10 d2d2  E..(3...}..;....
       0x0010:  51b1 2dbf c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  Q.-.............
       0x0020:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
       0x0030:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
       0x0040:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
       0x0050:  c8c8                                     ..
09:26:59.841432 IP (tos 0x0, ttl 126, id 13199, offset 0, flags [+], proto: ICMP (1), length: 1500) 172.16.210.210 > 78.108.89.252: ICMP echo request, id 43013, seq 39324, length 1480
       0x0000:  4500 05dc 338f 2000 7e01 bc46 ac10 d2d2  E...3...~..F....
       0x0010:  4e6c 59fc 0800 d4d5 a805 999c 4c37 4500  NlY.........L7E.
       0x0020:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
       0x0030:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
       0x0040:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
       0x0050:  c8c8                                     ..
09:26:59.841460 IP (tos 0x0, ttl 125, id 13199, offset 1480, flags [none], proto: ICMP (1), length: 552) 172.16.210.210 > 78.108.89.252: icmp
       0x0000:  4500 0228 338f 00b9 7d01 e041 ac10 d2d2  E..(3...}..A....
       0x0010:  4e6c 59fc c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  NlY.............
       0x0020:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
       0x0030:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
       0x0040:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
       0x0050:  c8c8                                     ..
09:26:59.851421 IP (tos 0x0, ttl 126, id 13200, offset 0, flags [+], proto: ICMP (1), length: 1500) 172.16.210.210 > 81.177.45.191: ICMP echo request, id 43013, seq 39580, length 1480
       0x0000:  4500 05dc 3390 2000 7e01 e53d ac10 d2d2  E...3...~..=....
       0x0010:  51b1 2dbf 0800 d3d5 a805 9a9c 4c37 4500  Q.-.........L7E.
       0x0020:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
       0x0030:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
       0x0040:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
       0x0050:  c8c8                                     ..
09:26:59.851446 IP (tos 0x0, ttl 125, id 13200, offset 1480, flags [none], proto: ICMP (1), length: 552) 172.16.210.210 > 81.177.45.191: icmp
       0x0000:  4500 0228 3390 00b9 7d01 0939 ac10 d2d2  E..(3...}..9....
       0x0010:  51b1 2dbf c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  Q.-.............
       0x0020:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
       0x0030:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
       0x0040:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
       0x0050:  c8c8                                     ..
09:26:59.852135 IP (tos 0x0, ttl 126, id 13201, offset 0, flags [+], proto: ICMP (1), length: 1500) 172.16.210.210 > 78.108.89.252: ICMP echo request, id 43013, seq 39836, length 1480
       0x0000:  4500 05dc 3391 2000 7e01 bc44 ac10 d2d2  E...3...~..D....
       0x0010:  4e6c 59fc 0800 0417 a805 9b9c 5c37 4500  NlY.........\7E.
       0x0020:  d8d8 d8d8 d8d8 d8d8 d8d8 d8d8 d8d8 d8d8  ................
       0x0030:  d8d8 d8d8 d8d8 d8d8 d8d8 d8d8 d8d8 d8d8  ................
       0x0040:  d8d8 d8d8 d8d8 d8d8 d8d8 d8d8 d8d8 d8d8  ................
       0x0050:  d8d8                                     ..


Actually, this happened with this PC before - I had our helpdesk check
it (it's on a remote site) for viruses/worms but according to them
nothing turned up.

I turned on Snort on our Linux router (I don't leave snort on as this router
is quite underpowered already):

05/12-11:45:41.791708  [**] [123:8:1]  <any> (spp_frag3) Fragmentation overlap [**] [Priority: 3] {ICMP} 172.16.210.210 -> 78.108.89.252
05/12-11:45:41.791813  [**] [123:8:1]  <any> (spp_frag3) Fragmentation overlap [**] [Priority: 3] {ICMP} 172.16.210.210 -> 81.177.45.191


The PC is on a remote office of ours.  I was able to investigate it partially -
established a Netmeeting session with it and checked using Netstat - but nothing
turned up.  The anti-virus installed (McAfee) has the latest updates.

I'm thinking this might be a sign that this PC is part of a botnet?
How can I be certain?  And what kind of botnet/worm exhibits the
behavior above?

Thank you very much.



Sincerely,
Tony
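As an added example (not code from either poster), a small Python script that does the kind of triage discussed in this thread: it profiles tcpdump summary lines like those Tony quoted, flags hosts sending oversized, fragmented echo requests at a sustained rate, and measures how much of a tcpdump -X payload is one repeated byte (the c8c8... filler). The sample lines are constructed from the thread's output; the thresholds (1000 bytes, 50 requests/second, 3 requests) are assumptions to tune per network.

```python
import re
from collections import defaultdict
# Constructed sample modelled on the thread's tcpdump output (a trailing fragment prints as bare "icmp").
SAMPLE = """\
09:23:23.062502 IP 172.16.210.210 > ns2.majordomo.ru: ICMP echo request, id 43013, seq 511, length 1480
09:23:23.062520 IP 172.16.210.210 > ns2.majordomo.ru: icmp
09:23:23.064457 IP 172.16.210.210 > 81.177.45.191: ICMP echo request, id 43013, seq 767, length 1480
09:23:23.064484 IP 172.16.210.210 > 81.177.45.191: icmp
09:23:23.073248 IP 172.16.210.210 > ns2.majordomo.ru: ICMP echo request, id 43013, seq 1023, length 1480
09:23:23.073275 IP 172.16.210.210 > ns2.majordomo.ru: icmp
""".splitlines()
# Constructed tcpdump -X dump of one such request: 20-byte IP header, 8-byte ICMP header, then payload.
HEXDUMP = """\
0x0000:  4500 05dc 338e 2000 7e01 e53f ac10 d2d2  E...3...~..?....
0x0010:  51b1 2dbf 0800 d5d5 a805 989c 4c37 4500  Q.-.........L7E.
0x0020:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
0x0030:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
""".splitlines()
ECHO = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > [^:]+: ICMP echo request, id \d+, seq \d+, length (?P<len>\d+)$")
FRAG = re.compile(r"^\S+ IP (?P<src>\S+) > [^:]+: icmp$")       # non-first fragment of a large request
HEX = re.compile(r"\s*0x[0-9a-f]+:\s+((?:[0-9a-f]{4}(?: |$))+)")  # the hex groups of one -X line

def _secs(ts):  # "HH:MM:SS.ffffff" -> seconds since midnight
    return sum(float(x) * k for x, k in zip(ts.split(":"), (3600, 60, 1)))

def icmp_profile(lines, big=1000):
    """Per source host: oversized (>= big bytes) echo requests, trailing fragments, requests per second."""
    hosts = defaultdict(lambda: {"big": 0, "frag": 0, "t": []})
    for line in lines:
        if (m := ECHO.match(line)) and int(m["len"]) >= big:
            hosts[m["src"]]["big"] += 1
            hosts[m["src"]]["t"].append(_secs(m["ts"]))
        elif m := FRAG.match(line):
            hosts[m["src"]]["frag"] += 1
    for h in hosts.values():
        span = max(h["t"]) - min(h["t"]) if len(h["t"]) > 1 else 0.0
        h["pps"] = h["big"] / span if span > 0 else 0.0
    return hosts

def suspicious_sources(hosts, min_pps=50.0, min_big=3):
    """The thread's pattern: oversized, fragmented echo requests at a sustained high rate."""
    return sorted(s for s, h in hosts.items()
                  if h["big"] >= min_big and h["frag"] > 0 and h["pps"] >= min_pps)

def payload_fill(hexdump_lines, hdr_len=28):
    """Most common payload byte and its share of the dumped payload; near 1.0 means a constant filler."""
    payload = b"".join(bytes.fromhex(HEX.match(l)[1].replace(" ", "")) for l in hexdump_lines)[hdr_len:]
    top = max(set(payload), key=payload.count)
    return top, payload.count(top) / len(payload)
```

A single large ping or an unfragmented burst is not flagged; the filler ratio is a hint to compare across captures, not proof of a specific malware family.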


