Incidents
Possible Zombie/Bot? May 12 2008 01:08PM
Tony Raboza (tonyraboza gmail com) (1 replies)
Hi,

I saw on our MRTG graph and monitoring tool that a PC on our LAN is
sending out large ICMP traffic to a public IP address. Upon checking
on our Internet gateway, I saw this:

09:23:23.062502 IP 172.16.210.210 > ns2.majordomo.ru: ICMP echo
request, id 43013, seq 511, length 1480
09:23:23.062520 IP 172.16.210.210 > ns2.majordomo.ru: icmp
09:23:23.064457 IP 172.16.210.210 > 81.177.45.191: ICMP echo request,
id 43013, seq 767, length 1480
09:23:23.064484 IP 172.16.210.210 > 81.177.45.191: icmp
09:23:23.073248 IP 172.16.210.210 > ns2.majordomo.ru: ICMP echo
request, id 43013, seq 1023, length 1480
09:23:23.073275 IP 172.16.210.210 > ns2.majordomo.ru: icmp
09:23:23.075211 IP 172.16.210.210 > 81.177.45.191: ICMP echo request,
id 43013, seq 1279, length 1480
09:23:23.075242 IP 172.16.210.210 > 81.177.45.191: icmp
09:23:23.083989 IP 172.16.210.210 > ns2.majordomo.ru: ICMP echo
request, id 43013, seq 1535, length 1480
09:23:23.084017 IP 172.16.210.210 > ns2.majordomo.ru: icmp

I also did a tcpdump -X and I got this:

09:26:59.840419 IP (tos 0x0, ttl 126, id 13198, offset 0, flags [+],
proto: ICMP (1), length: 1500) 172.16.210.210
> 81.177.45.191: ICMP echo request, id 43013, seq 39068, length 1480
0x0000: 4500 05dc 338e 2000 7e01 e53f ac10 d2d2 E...3...~..?....
0x0010: 51b1 2dbf 0800 d5d5 a805 989c 4c37 4500 Q.-.........L7E.
0x0020: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
0x0030: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
0x0040: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
0x0050: c8c8 ..
09:26:59.840449 IP (tos 0x0, ttl 125, id 13198, offset 1480, flags [none],
proto: ICMP (1), length: 552) 172.16.210.210 > 81.177.45.191: icmp
0x0000: 4500 0228 338e 00b9 7d01 093b ac10 d2d2 E..(3...}..;....
0x0010: 51b1 2dbf c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 Q.-.............
0x0020: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
0x0030: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
0x0040: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
0x0050: c8c8 ..
09:26:59.841432 IP (tos 0x0, ttl 126, id 13199, offset 0, flags [+],
proto: ICMP (1), length: 1500) 172.16.210.210
> 78.108.89.252: ICMP echo request, id 43013, seq 39324, length 1480
0x0000: 4500 05dc 338f 2000 7e01 bc46 ac10 d2d2 E...3...~..F....
0x0010: 4e6c 59fc 0800 d4d5 a805 999c 4c37 4500 NlY.........L7E.
0x0020: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
0x0030: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
0x0040: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
0x0050: c8c8 ..
09:26:59.841460 IP (tos 0x0, ttl 125, id 13199, offset 1480, flags [none],
proto: ICMP (1), length: 552) 172.16.210.210 > 78.108.89.252: icmp
0x0000: 4500 0228 338f 00b9 7d01 e041 ac10 d2d2 E..(3...}..A....
0x0010: 4e6c 59fc c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 NlY.............
0x0020: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
0x0030: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
0x0040: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
0x0050: c8c8 ..
09:26:59.851421 IP (tos 0x0, ttl 126, id 13200, offset 0, flags [+],
proto: ICMP (1), length: 1500) 172.16.210.210
> 81.177.45.191: ICMP echo request, id 43013, seq 39580, length 1480
0x0000: 4500 05dc 3390 2000 7e01 e53d ac10 d2d2 E...3...~..=....
0x0010: 51b1 2dbf 0800 d3d5 a805 9a9c 4c37 4500 Q.-.........L7E.
0x0020: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
0x0030: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
0x0040: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
0x0050: c8c8 ..
09:26:59.851446 IP (tos 0x0, ttl 125, id 13200, offset 1480, flags [none],
proto: ICMP (1), length: 552) 172.16.210.210 > 81.177.45.191: icmp
0x0000: 4500 0228 3390 00b9 7d01 0939 ac10 d2d2 E..(3...}..9....
0x0010: 51b1 2dbf c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 Q.-.............
0x0020: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
0x0030: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
0x0040: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
0x0050: c8c8 ..
09:26:59.852135 IP (tos 0x0, ttl 126, id 13201, offset 0, flags [+],
proto: ICMP (1), length: 1500) 172.16.210.210
> 78.108.89.252: ICMP echo request, id 43013, seq 39836, length 1480
0x0000: 4500 05dc 3391 2000 7e01 bc44 ac10 d2d2 E...3...~..D....
0x0010: 4e6c 59fc 0800 0417 a805 9b9c 5c37 4500 NlY.........\7E.
0x0020: d8d8 d8d8 d8d8 d8d8 d8d8 d8d8 d8d8 d8d8 ................
0x0030: d8d8 d8d8 d8d8 d8d8 d8d8 d8d8 d8d8 d8d8 ................
0x0040: d8d8 d8d8 d8d8 d8d8 d8d8 d8d8 d8d8 d8d8 ................
0x0050: d8d8 ..

Actually, this happened with this PC before - I had our helpdesk check
it (it's on a remote site) for viruses/worms, but according to them
nothing turned up.

I turned on Snort on our Linux router (I don't leave snort on as this router
is quite underpowered already):

05/12-11:45:41.791708 [**] [123:8:1] <any> (spp_frag3) Fragmentation
overlap [**] [Priority: 3] {ICMP} 172.16.210.210 -> 78.108.89.252
05/12-11:45:41.791813 [**] [123:8:1] <any> (spp_frag3) Fragmentation
overlap [**] [Priority: 3] {ICMP} 172.16.210.210 -> 81.177.45.191

The PC is on a remote office of ours. I was able to investigate it partially -
established a Netmeeting session with it and checked using Netstat - but nothing
turned up. The anti-virus installed (McAfee) has the latest updates.

I'm thinking this might be a sign that this PC is part of a botnet?
How can I be certain? And what kind of botnet/worm exhibits the
behavior above?

Thank you very much.

Sincerely,
Tony

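A small per-source triage pass over tcpdump summary lines of the kind shown in the post, added here as an illustration and not part of the original post or thread. The sample capture is constructed in the post's line format with a benign 64-byte ping added as a control; the rate and size thresholds are arbitrary assumptions, not values from the post.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the tcpdump summary lines in the post;
# the last line is a normal 64-byte ping included as a benign control.
SAMPLE = """\
09:23:23.062502 IP 172.16.210.210 > ns2.majordomo.ru: ICMP echo request, id 43013, seq 511, length 1480
09:23:23.062520 IP 172.16.210.210 > ns2.majordomo.ru: icmp
09:23:23.064457 IP 172.16.210.210 > 81.177.45.191: ICMP echo request, id 43013, seq 767, length 1480
09:23:23.064484 IP 172.16.210.210 > 81.177.45.191: icmp
09:23:23.073248 IP 172.16.210.210 > ns2.majordomo.ru: ICMP echo request, id 43013, seq 1023, length 1480
09:23:23.073275 IP 172.16.210.210 > ns2.majordomo.ru: icmp
09:23:23.075211 IP 172.16.210.210 > 81.177.45.191: ICMP echo request, id 43013, seq 1279, length 1480
09:23:23.075242 IP 172.16.210.210 > 81.177.45.191: icmp
09:23:24.100000 IP 172.16.210.5 > 172.16.210.1: ICMP echo request, id 1, seq 1, length 64
"""

ECHO = re.compile(r"^(\S+) IP (\S+) > ([^:]+): ICMP echo request, id \d+, seq (\d+), length (\d+)")
FRAG = re.compile(r"^(\S+) IP (\S+) > ([^:]+): icmp$")  # trailing fragment of a large echo

def _ts(s):  # "HH:MM:SS.ffffff" -> seconds since midnight
    h, m, sec = s.split(":")
    return int(h) * 3600 + int(m) * 60 + float(sec)

def analyze(capture, max_pps=50.0, min_len=1000):
    """Per-source ICMP echo statistics; flags hosts sending large echoes at a high rate.
    max_pps/min_len are assumed thresholds; tune them to the site's normal ping traffic."""
    st = defaultdict(lambda: {"requests": 0, "fragments": 0, "bytes": 0,
                              "dests": set(), "times": [], "seqs": []})
    for line in capture.splitlines():
        m = ECHO.match(line)
        if m:
            ts, src, dst, seq, ln = m.groups()
            s = st[src]
            s["requests"] += 1; s["bytes"] += int(ln); s["dests"].add(dst)
            s["times"].append(_ts(ts)); s["seqs"].append(int(seq))
            continue
        m = FRAG.match(line)
        if m:
            st[m.group(2)]["fragments"] += 1
    out = {}
    for src, s in st.items():
        span = s["times"][-1] - s["times"][0] if s["requests"] > 1 else 0.0
        pps = s["requests"] / span if span > 0 else float(s["requests"])
        mean_len = s["bytes"] / s["requests"] if s["requests"] else 0
        steps = {b - a for a, b in zip(s["seqs"], s["seqs"][1:])}  # constant step => one sender
        out[src] = {"requests": s["requests"], "fragments": s["fragments"],
                    "dests": sorted(s["dests"]), "pps": round(pps, 1), "mean_len": mean_len,
                    "seq_step": steps.pop() if len(steps) == 1 else None,
                    "suspicious": pps >= max_pps and mean_len >= min_len}
    return out
```

A constant seq step of 256 is what a little-endian sequence counter stepping by 1 looks like in tcpdump's big-endian decode, which is consistent with the seq values in the post coming from a single sender on the Windows host.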
Re: Possible Zombie/Bot? May 13 2008 02:03AM
john lokka (merigoth gmail com)