Re: Possible Bot?

[Orlin Gueorguiev <orlin () baturov com>]

Hi,
From the second post I see that the targeted system is ns2.majordomo.ru. It 
seems that this is a Russian nameserver. It appears that the server is ok.
Still you might want to check the computer  and see which program is trying to 
ping that server.

Greetings,
Orlin

> Tony Raboza wrote:
> > Hi,
> >
> > I saw on our MRTG graph and monitoring tool that a PC on our LAN is
> > sending out large ICMP traffic to a public IP address.  Upon checking
> > on our Internet gateway, I saw this (output of tcpdump - I purposedly
> > changed the IP addresses):
> >
> > 18:00:02.788023 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo
> > request, id 4, seq 59931, length 1480
> > 18:00:02.788030 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): icmp
> > 18:00:02.798828 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo
> > request, id 4, seq 60187, length 1480
> > 18:00:02.798841 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): icmp
> > 18:00:02.809534 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo
> > request, id 4, seq 60443, length 1480
> > 18:00:02.809546 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): icmp
> > 18:00:02.820274 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo
> > request, id 4, seq 60699, length 1480
> > 18:00:02.820286 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): icmp
> > 18:00:02.831246 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo
> > request, id 4, seq 60955, length 1480
> >
> >
> > Actually, this happened with this PC before - I had our helpdesk check
> > (its on a remote site) it for virus/worms but according to them
> > nothing turned up.
> >
> > I'm thinking this might be a sign that this PC is part of a botnet?
> > How can I be certain?  And what kind of botnet/worm exhibit the
> > behavior as above?
> >
> > Thank you very much.
> >
> >
> >
> > Sincerely,
> > Tony