Security Basics mailing list archives
Re: Possible Bot?
From: Adriel Desautels <adriel () netragard com>
Date: Mon, 12 May 2008 17:05:15 -0400
Hi Tony,I'd suggest setting up a sniffer and capturing some of the packets in question. If you do, feel free to email me a small dump and I'll give it a quick look for you. I'd also suggest setting up snort to see if it catches anything (granted these days IDS evasion is common).
Regards,
Adriel T. Desautels
Chief Technology Officer
Netragard, LLC.
Office : 617-934-0269
Mobile : 617-633-3821
http://www.linkedin.com/pub/1/118/a45
Join the Netragard, LLC. Linked In Group:
http://www.linkedin.com/e/gis/48683/0B98E1705142
---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com - "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security
Netragard Whitepaper Downloads:
-------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know : http://tinyurl.com/26pjsn
Tony Raboza wrote:
Hi, I saw on our MRTG graph and monitoring tool that a PC on our LAN is sending out large ICMP traffic to a public IP address. Upon checking on our Internet gateway, I saw this (output of tcpdump - I purposedly changed the IP addresses): 18:00:02.788023 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo request, id 4, seq 59931, length 1480 18:00:02.788030 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): icmp 18:00:02.798828 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo request, id 4, seq 60187, length 1480 18:00:02.798841 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): icmp 18:00:02.809534 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo request, id 4, seq 60443, length 1480 18:00:02.809546 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): icmp 18:00:02.820274 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo request, id 4, seq 60699, length 1480 18:00:02.820286 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): icmp 18:00:02.831246 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo request, id 4, seq 60955, length 1480 Actually, this happened with this PC before - I had our helpdesk check (its on a remote site) it for virus/worms but according to them nothing turned up. I'm thinking this might be a sign that this PC is part of a botnet? How can I be certain? And what kind of botnet/worm exhibit the behavior as above? Thank you very much. Sincerely, Tony
Current thread:
- Possible Bot? Tony Raboza (May 12)
- Re: Possible Bot? Adriel Desautels (May 12)
- Re: Possible Bot? Orlin Gueorguiev (May 13)
- RE: Possible Bot? Murda Mcloud (May 13)
- Re: Possible Bot? Nicolas Lin Wee Kuan (May 14)
- Re: Possible Bot? Adriel Desautels (May 12)