[Dshield] Possible Bot?

Bijendra Singh bijendra at gmail.com
Sat May 10 20:01:16 GMT 2008


Use common techniques like:
- check what applications are running on the PC. If this is a Windows PC,
  Task Manager would give you a general idea about possible suspects.
  Check CPU load etc.
- check where the traffic is headed; if it is randomly scanning IPs then
  it may be a suspect.
- use tools which can give complete details on network activity for
  24 hours and analyze the traffic.


I recently debugged a similar issue for a customer test lab, and deletion
of a p2p client, which had been living there for a long time, solved the problem.


Bijendra

On Sat, May 10, 2008 at 9:48 AM, Tony Raboza <tonyraboza at gmail.com> wrote:
> Hi,
>
> I saw on our MRTG graph and monitoring tool that a PC on our LAN is
> sending out large ICMP traffic to a public IP address.  Upon checking
> on our Internet gateway, I saw this (output of tcpdump - I purposely
> changed the IP addresses):
>
> 18:00:02.788023 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo
> request, id 4, seq 59931, length 1480
> 18:00:02.788030 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): icmp
> 18:00:02.798828 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo
> request, id 4, seq 60187, length 1480
> 18:00:02.798841 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): icmp
> 18:00:02.809534 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo
> request, id 4, seq 60443, length 1480
> 18:00:02.809546 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): icmp
> 18:00:02.820274 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo
> request, id 4, seq 60699, length 1480
> 18:00:02.820286 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): icmp
> 18:00:02.831246 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo
> request, id 4, seq 60955, length 1480
>
>
> Actually, this happened with this PC before - I had our helpdesk check
> it (it's on a remote site) for viruses/worms, but according to them
> nothing turned up.
>
> I'm thinking this might be a sign that this PC is part of a botnet?
> How can I be certain?  And what kind of botnet/worm exhibits the
> behavior above?
>
> Thank you very much.
>
>
>
> Sincerely,
> Tony
> _________________________________________
> SANSFIRE !! The Internet Storm Center Conference
> http://www.sans.org/sansfire08/
>
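Bijendra's suggestion to check where the traffic is headed can be applied directly to the tcpdump excerpt Tony quoted. The script below is an added example, not code from the thread: it parses tcpdump -n ICMP lines, groups echo requests per source/destination pair, and flags a pair whose request rate or packet size looks like a flood rather than a normal ping. The thresholds (10 requests/s, 1000-byte ICMP length) are assumed values for illustration, and the sample is constructed from the quoted output.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the tcpdump excerpt quoted in the thread (the
# poster's "(LANIP)" annotations removed), plus one ordinary ping for contrast.
SAMPLE = """\
18:00:02.788023 IP 1.2.3.4 > 4.5.6.7: ICMP echo request, id 4, seq 59931, length 1480
18:00:02.788030 IP 1.2.3.4 > 4.5.6.7: icmp
18:00:02.798828 IP 1.2.3.4 > 4.5.6.7: ICMP echo request, id 4, seq 60187, length 1480
18:00:02.798841 IP 1.2.3.4 > 4.5.6.7: icmp
18:00:02.809534 IP 1.2.3.4 > 4.5.6.7: ICMP echo request, id 4, seq 60443, length 1480
18:00:07.100000 IP 1.2.3.9 > 203.0.113.5: ICMP echo request, id 1, seq 1, length 64
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"(?:ICMP echo request, id \d+, seq \d+, length (?P<len>\d+)|icmp)$"
)
def parse_tcpdump(text):
    """Yield (timestamp, src, dst, kind, length) from tcpdump -n ICMP output."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other protocols or lines we do not understand
        ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        # A bare "icmp" line is a non-first IP fragment (no ICMP header to decode).
        kind = "fragment" if m["len"] is None else "echo"
        yield ts, m["src"], m["dst"], kind, int(m["len"] or 0)

def summarize_flows(text, max_pps=10.0, max_len=1000):
    """Group echo requests per (src, dst) and flag flows that look like a flood."""
    flows = defaultdict(lambda: {"requests": 0, "fragments": 0, "max_len": 0,
                                 "first": None, "last": None})
    for ts, src, dst, kind, length in parse_tcpdump(text):
        f = flows[(src, dst)]
        if kind == "fragment":
            f["fragments"] += 1
            continue
        f["requests"] += 1
        f["max_len"] = max(f["max_len"], length)
        f["first"] = ts if f["first"] is None else f["first"]
        f["last"] = ts
    for f in flows.values():
        span = (f["last"] - f["first"]).total_seconds() if f["requests"] > 1 else 0.0
        # requests per second from the mean inter-arrival time; 0 for a lone request
        f["rate_pps"] = (f["requests"] - 1) / span if span > 0 else 0.0
        f["suspicious"] = f["rate_pps"] >= max_pps or f["max_len"] > max_len
    return dict(flows)
```

On the quoted excerpt the LAN host sends an oversized (fragmented) echo request roughly every 10 ms, about 90 per second to a single address, which is what the MRTG graph showed as a large ICMP outflow.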