Incidents
Possible Zombie/Bot? May 12 2008 01:08PM
Tony Raboza (tonyraboza gmail com) (1 reply)
Re: Possible Zombie/Bot? May 13 2008 02:03AM
john lokka (merigoth gmail com)
I saw you ran a tcpdump but how many packets did you capture? I'd
recommend running a dedicated tcpdump against the box. Let the dump
run for 1500 packets. If it fills up in less than 2 minutes, you may
want to run another dump and ignore ICMP traffic. The ICMP traffic is a
sign of infection, especially at a high rate. However, the real traffic
will be somewhere else and may take a while to find. If time is not
available and you think there is an infection, I'd recommend writing an
IDS/IPS rule to catch further infections and re-imaging the box.

If you have time, you may want to bit-image the drive and perform
post-incident investigation. (You could use Helix, a Linux distro for
forensic analysis.) This also gets the infected box back online, and
some analysis to find the malware is still available.

Malware can be repacked overnight and then AV won't catch it.

On Mon, May 12, 2008 at 6:08 AM, Tony Raboza <tonyraboza (at) gmail (dot) com> wrote:
> Hi,
>
> I saw on our MRTG graph and monitoring tool that a PC on our LAN is
> sending out large ICMP traffic to a public IP address. Upon checking
> on our Internet gateway, I saw this:
>
> 09:23:23.062502 IP 172.16.210.210 > ns2.majordomo.ru: ICMP echo
> request, id 43013, seq 511, length 1480
> 09:23:23.062520 IP 172.16.210.210 > ns2.majordomo.ru: icmp
> 09:23:23.064457 IP 172.16.210.210 > 81.177.45.191: ICMP echo request,
> id 43013, seq 767, length 1480
> 09:23:23.064484 IP 172.16.210.210 > 81.177.45.191: icmp
> 09:23:23.073248 IP 172.16.210.210 > ns2.majordomo.ru: ICMP echo
> request, id 43013, seq 1023, length 1480
> 09:23:23.073275 IP 172.16.210.210 > ns2.majordomo.ru: icmp
> 09:23:23.075211 IP 172.16.210.210 > 81.177.45.191: ICMP echo request,
> id 43013, seq 1279, length 1480
> 09:23:23.075242 IP 172.16.210.210 > 81.177.45.191: icmp
> 09:23:23.083989 IP 172.16.210.210 > ns2.majordomo.ru: ICMP echo
> request, id 43013, seq 1535, length 1480
> 09:23:23.084017 IP 172.16.210.210 > ns2.majordomo.ru: icmp
>
>
> I also did a tcpdump -X and I got this:
>
>
> 09:26:59.840419 IP (tos 0x0, ttl 126, id 13198, offset 0, flags [+],
> proto: ICMP (1), length: 1500) 172.16.210.210
> > 81.177.45.191: ICMP echo request, id 43013, seq 39068, length 1480
> 0x0000: 4500 05dc 338e 2000 7e01 e53f ac10 d2d2 E...3...~..?....
> 0x0010: 51b1 2dbf 0800 d5d5 a805 989c 4c37 4500 Q.-.........L7E.
> 0x0020: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
> 0x0030: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
> 0x0040: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
> 0x0050: c8c8 ..
> 09:26:59.840449 IP (tos 0x0, ttl 125, id 13198, offset 1480, flags
> [none], proto: ICMP (1), length: 552) 172.16.210.210 > 81.177.45.191: icmp
> 0x0000: 4500 0228 338e 00b9 7d01 093b ac10 d2d2 E..(3...}..;....
> 0x0010: 51b1 2dbf c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 Q.-.............
> 0x0020: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
> 0x0030: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
> 0x0040: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
> 0x0050: c8c8 ..
> 09:26:59.841432 IP (tos 0x0, ttl 126, id 13199, offset 0, flags [+],
> proto: ICMP (1), length: 1500) 172.16.210.210
> > 78.108.89.252: ICMP echo request, id 43013, seq 39324, length 1480
> 0x0000: 4500 05dc 338f 2000 7e01 bc46 ac10 d2d2 E...3...~..F....
> 0x0010: 4e6c 59fc 0800 d4d5 a805 999c 4c37 4500 NlY.........L7E.
> 0x0020: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
> 0x0030: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
> 0x0040: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
> 0x0050: c8c8 ..
> 09:26:59.841460 IP (tos 0x0, ttl 125, id 13199, offset 1480, flags
> [none], proto: ICMP (1), length: 552) 172.16.210.210 > 78.108.89.252: icmp
> 0x0000: 4500 0228 338f 00b9 7d01 e041 ac10 d2d2 E..(3...}..A....
> 0x0010: 4e6c 59fc c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 NlY.............
> 0x0020: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
> 0x0030: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
> 0x0040: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
> 0x0050: c8c8 ..
> 09:26:59.851421 IP (tos 0x0, ttl 126, id 13200, offset 0, flags [+],
> proto: ICMP (1), length: 1500) 172.16.210.210
> > 81.177.45.191: ICMP echo request, id 43013, seq 39580, length 1480
> 0x0000: 4500 05dc 3390 2000 7e01 e53d ac10 d2d2 E...3...~..=....
> 0x0010: 51b1 2dbf 0800 d3d5 a805 9a9c 4c37 4500 Q.-.........L7E.
> 0x0020: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
> 0x0030: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
> 0x0040: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
> 0x0050: c8c8 ..
> 09:26:59.851446 IP (tos 0x0, ttl 125, id 13200, offset 1480, flags
> [none], proto: ICMP (1), length: 552) 172.16.210.210 > 81.177.45.191: icmp
> 0x0000: 4500 0228 3390 00b9 7d01 0939 ac10 d2d2 E..(3...}..9....
> 0x0010: 51b1 2dbf c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 Q.-.............
> 0x0020: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
> 0x0030: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
> 0x0040: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
> 0x0050: c8c8 ..
> 09:26:59.852135 IP (tos 0x0, ttl 126, id 13201, offset 0, flags [+],
> proto: ICMP (1), length: 1500) 172.16.210.210
> > 78.108.89.252: ICMP echo request, id 43013, seq 39836, length 1480
> 0x0000: 4500 05dc 3391 2000 7e01 bc44 ac10 d2d2 E...3...~..D....
> 0x0010: 4e6c 59fc 0800 0417 a805 9b9c 5c37 4500 NlY.........\7E.
> 0x0020: d8d8 d8d8 d8d8 d8d8 d8d8 d8d8 d8d8 d8d8 ................
> 0x0030: d8d8 d8d8 d8d8 d8d8 d8d8 d8d8 d8d8 d8d8 ................
> 0x0040: d8d8 d8d8 d8d8 d8d8 d8d8 d8d8 d8d8 d8d8 ................
> 0x0050: d8d8 ..
>
>
> Actually, this happened with this PC before - I had our helpdesk check
> it (it's on a remote site) for viruses/worms, but according to them
> nothing turned up.
>
> I turned on Snort on our Linux router (I don't leave snort on as this router
> is quite underpowered already):
>
> 05/12-11:45:41.791708 [**] [123:8:1] <any> (spp_frag3) Fragmentation
> overlap [**] [Priority: 3] {ICMP} 172.16.210.210 -> 78.108.89.252
> 05/12-11:45:41.791813 [**] [123:8:1] <any> (spp_frag3) Fragmentation
> overlap [**] [Priority: 3] {ICMP} 172.16.210.210 -> 81.177.45.191
>
>
> The PC is on a remote office of ours. I was able to investigate it partially -
> established a Netmeeting session with it and checked using Netstat - but nothing
> turned up. The anti-virus installed (McAfee) has the latest updates.
>
> I'm thinking this might be a sign that this PC is part of a botnet?
> How can I be certain? And what kind of botnet/worm exhibits the
> behavior shown above?
>
> Thank you very much.
>
>
>
> Sincerely,
> Tony
>

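Decoding the posted hex dumps field by field is the quickest way to get closer to "how can I be certain?" about what this traffic actually is, so the Python below is added here as a worked example; it is not code from the thread or from either poster. It parses tcpdump -X output, decodes the IPv4 and ICMP headers, collects the fragment byte ranges per datagram to check for the overlap condition the frag3 alerts name, and measures how much of each payload is one filler byte. Run against the first datagram copied from the post (id 13198, both fragments), it reproduces what tcpdump printed: ICMP echo request id 43013, seq 39068, first fragment with MF set at offset 0, second fragment at offset 1480 with a TTL one lower than the first, and a payload that is almost entirely 0xc8. Those two fragments cover [0, 1480) and [1480, 2012) and do not overlap; the frag3 alerts in the post were raised at 11:45 on packets that are not shown. Two caveats for the capture itself: only 82 bytes of each packet were captured (consistent with a 96-byte default snapshot length minus the 14-byte Ethernet header), so rerun tcpdump with -s 0 -w file.pcap before drawing conclusions about payload contents, and to follow the reply's advice of looking past the ICMP noise use a capture filter such as host 172.16.210.210 and not icmp. The regular expressions and the 16-bytes-per-line rule are this example's assumptions about the -X layout, not anything the thread states.

```python
import re
import struct
from collections import Counter

# Copied from the post: both fragments of IP datagram id 13198, the first ping
# to 81.177.45.191 in the -X dump. tcpdump captured only 82 bytes of each.
SAMPLE_DUMP = """
0x0000: 4500 05dc 338e 2000 7e01 e53f ac10 d2d2 E...3...~..?....
0x0010: 51b1 2dbf 0800 d5d5 a805 989c 4c37 4500 Q.-.........L7E.
0x0020: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
0x0030: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
0x0040: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
0x0050: c8c8 ..
0x0000: 4500 0228 338e 00b9 7d01 093b ac10 d2d2 E..(3...}..;....
0x0010: 51b1 2dbf c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 Q.-.............
0x0020: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
0x0030: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
0x0040: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
0x0050: c8c8 ..
"""

# Assumed -X layout: "0xNNNN:" offset, hex groups, then an ASCII column.
HEX_LINE = re.compile(r"^\s*>?\s*0x([0-9a-fA-F]{4}):\s+(.*)$")
HEX_TOKEN = re.compile(r"[0-9a-fA-F]{4}|[0-9a-fA-F]{2}")

def parse_hexdump(text):
    """Split tcpdump -X output into packets. A line at offset 0x0000 starts a
    new packet; '>' mail quoting is tolerated. Hex tokens are read up to the
    16-byte line limit or the first non-hex token (the ASCII column), so a
    short last line whose ASCII column is two hex digits would be misread."""
    packets, current = [], bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue
        if int(m.group(1), 16) == 0 and current:
            packets.append(bytes(current))
            current = bytearray()
        nbytes = 0
        for tok in m.group(2).split():
            if nbytes >= 16 or not HEX_TOKEN.fullmatch(tok):
                break
            current += bytes.fromhex(tok)
            nbytes += len(tok) // 2
    if current:
        packets.append(bytes(current))
    return packets

def decode_ipv4(pkt):
    """Fixed IPv4 header fields (RFC 791); frag_offset is converted to bytes."""
    ver_ihl, _tos, total_len, ident, ff, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"id": ident, "total_len": total_len, "ihl": ihl, "ttl": ttl, "proto": proto,
            "mf": bool(ff & 0x2000), "frag_offset": (ff & 0x1FFF) * 8,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "truncated": len(pkt) < total_len,  # snapshot length cut the packet short
            "payload": pkt[ihl:]}

def decode_icmp(payload):
    """ICMP header; id and seq are what tcpdump prints for echo request/reply."""
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", payload[:8])
    return {"type": typ, "code": code, "id": ident, "seq": seq, "data": payload[8:]}

def dominant_byte(data):
    """Most common byte and its share: filler like the 0xc8 runs scores near 1.0."""
    if not data:
        return None, 0.0
    value, count = Counter(data).most_common(1)[0]
    return value, count / len(data)

def fragment_overlaps(headers):
    """Byte ranges per (src, dst, id, proto) and any that overlap (frag3's condition)."""
    groups, overlaps = {}, {}
    for h in headers:
        if h["mf"] or h["frag_offset"]:
            key = (h["src"], h["dst"], h["id"], h["proto"])
            start = h["frag_offset"]
            groups.setdefault(key, []).append((start, start + h["total_len"] - h["ihl"]))
    for key, ranges in groups.items():
        ranges.sort()
        for (s1, e1), (s2, e2) in zip(ranges, ranges[1:]):
            if s2 < e1:
                overlaps.setdefault(key, []).append(((s1, e1), (s2, e2)))
    return groups, overlaps

def summarize(text):
    """One row per packet: IP facts, ICMP facts (first fragment only) and filler share."""
    rows = []
    for pkt in parse_hexdump(text):
        ip = decode_ipv4(pkt)
        row = {k: v for k, v in ip.items() if k != "payload"}
        data = ip["payload"]
        if ip["proto"] == 1 and ip["frag_offset"] == 0:  # later fragments carry no ICMP header
            icmp = decode_icmp(data)
            row.update(icmp_type=icmp["type"], icmp_id=icmp["id"], icmp_seq=icmp["seq"])
            data = icmp["data"]
        row["fill_byte"], row["fill_share"] = dominant_byte(data)
        rows.append(row)
    return rows

if __name__ == "__main__":
    for row in summarize(SAMPLE_DUMP):
        print(row)
```

Each printed row carries the decoded fields for one captured packet; feeding the whole -X dump from the gateway through summarize() and fragment_overlaps() gives the same view for every datagram, and a fill_share that drops well below 1.0 on some packets is the place to start looking for data riding inside the echo payloads.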
Copyright 2010, SecurityFocus