[Dshield] Possible Bot?

Nicolas Villatte nicolas.villatte at gmail.com
Sun May 11 06:27:58 GMT 2008


Tony, the best way to be sure is to investigate the host.
You could capture the data of the ICMP packets and look into it.
In case of doubt you should first disconnect this host from the network.

Nicolas.

On Sat, May 10, 2008 at 4:48 PM, Tony Raboza <tonyraboza at gmail.com> wrote:

> Hi,
>
> I saw on our MRTG graph and monitoring tool that a PC on our LAN is
> sending out large ICMP traffic to a public IP address.  Upon checking
> on our Internet gateway, I saw this (output of tcpdump - I purposely
> changed the IP addresses):
>
> 18:00:02.788023 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo
> request, id 4, seq 59931, length 1480
> 18:00:02.788030 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): icmp
> 18:00:02.798828 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo
> request, id 4, seq 60187, length 1480
> 18:00:02.798841 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): icmp
> 18:00:02.809534 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo
> request, id 4, seq 60443, length 1480
> 18:00:02.809546 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): icmp
> 18:00:02.820274 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo
> request, id 4, seq 60699, length 1480
> 18:00:02.820286 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): icmp
> 18:00:02.831246 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo
> request, id 4, seq 60955, length 1480
>
>
> Actually, this happened with this PC before - I had our helpdesk check
> (it's on a remote site) it for viruses/worms but according to them
> nothing turned up.
>
> I'm thinking this might be a sign that this PC is part of a botnet?
> How can I be certain?  And what kind of botnet/worm exhibits the
> behavior above?
>
> Thank you very much.
>
>
>
> Sincerely,
> Tony
> _________________________________________
> SANSFIRE !! The Internet Storm Center Conference
> http://www.sans.org/sansfire08/
>


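Nicolas's advice above is to capture the ICMP traffic and look at it. As an added example that is not part of this thread (not Tony's or Nicolas's code), the script below reads tcpdump one-line summaries of the kind Tony posted and reports, per (source, destination) pair, the echo-request rate, the average ICMP length and the sequence-number step, flagging pairs that sustain a stream of large echo requests. The sample lines and addresses are constructed, the thresholds (10 packets/s, 1000 bytes) are arbitrary assumptions, and the bare "icmp" lines that follow each 1480-byte request are assumed to be the trailing IP fragments of an echo request larger than the link MTU.

```python
"""Flag LAN hosts that send sustained streams of large ICMP echo requests,
taking tcpdump one-line summaries (tcpdump -nn icmp) as input."""
import re
from collections import defaultdict

# Constructed sample modelled on the lines quoted in the thread, with the
# addresses replaced by private/documentation ranges. Not a real capture.
# The bare "icmp" lines are assumed to be trailing IP fragments of the
# preceding 1480-byte echo request. The second host is an ordinary ping.
SAMPLE = """\
18:00:02.788023 IP 10.0.0.5 > 192.0.2.10: ICMP echo request, id 4, seq 59931, length 1480
18:00:02.788030 IP 10.0.0.5 > 192.0.2.10: icmp
18:00:02.798828 IP 10.0.0.5 > 192.0.2.10: ICMP echo request, id 4, seq 60187, length 1480
18:00:02.798841 IP 10.0.0.5 > 192.0.2.10: icmp
18:00:02.809534 IP 10.0.0.5 > 192.0.2.10: ICMP echo request, id 4, seq 60443, length 1480
18:00:02.809546 IP 10.0.0.5 > 192.0.2.10: icmp
18:00:02.820274 IP 10.0.0.5 > 192.0.2.10: ICMP echo request, id 4, seq 60699, length 1480
18:00:02.820286 IP 10.0.0.5 > 192.0.2.10: icmp
18:00:02.831246 IP 10.0.0.5 > 192.0.2.10: ICMP echo request, id 4, seq 60955, length 1480
18:00:05.000000 IP 10.0.0.7 > 192.0.2.10: ICMP echo request, id 9, seq 1, length 64
18:00:06.000000 IP 10.0.0.7 > 192.0.2.10: ICMP echo request, id 9, seq 2, length 64
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"(?:ICMP echo request, id (?P<id>\d+), seq (?P<seq>\d+), length (?P<len>\d+)|icmp)$"
)


def _seconds(ts):
    """hh:mm:ss.ffffff -> seconds since midnight (captures spanning midnight not handled)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def summarize_flows(lines):
    """Group tcpdump summary lines by (src, dst) and collect per-flow counters."""
    flows = defaultdict(lambda: {"echo": 0, "frag": 0, "bytes": 0,
                                 "first": None, "last": None, "seqs": []})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # not ICMP, or not in the expected format
        f = flows[(m["src"], m["dst"])]
        t = _seconds(m["ts"])
        f["first"] = t if f["first"] is None else f["first"]
        f["last"] = t
        if m["len"] is not None:          # a full "ICMP echo request" line
            f["echo"] += 1
            f["bytes"] += int(m["len"])
            f["seqs"].append(int(m["seq"]))
        else:                             # bare "icmp": assumed trailing IP fragment
            f["frag"] += 1
    return flows


def seq_step(seqs):
    """Common difference between consecutive sequence numbers, or None if irregular.
    A constant step of 256 means the sender stores seq in little-endian host
    byte order (no htons()); it fingerprints the sending tool, nothing more."""
    steps = {b - a for a, b in zip(seqs, seqs[1:])}
    return steps.pop() if len(steps) == 1 else None


def flag_flows(flows, min_pps=10.0, min_len=1000):
    """One report per flow; 'suspicious' is set when the flow sustains at least
    min_pps echo requests per second with an average ICMP length >= min_len."""
    reports = []
    for (src, dst), f in flows.items():
        duration = f["last"] - f["first"]
        pps = (f["echo"] - 1) / duration if f["echo"] > 1 and duration > 0 else 0.0
        avg_len = f["bytes"] / f["echo"] if f["echo"] else 0
        reports.append({
            "src": src, "dst": dst, "echo": f["echo"], "frag": f["frag"],
            "pps": round(pps, 1), "avg_len": avg_len, "seq_step": seq_step(f["seqs"]),
            "suspicious": pps >= min_pps and avg_len >= min_len,
        })
    return sorted(reports, key=lambda r: (not r["suspicious"], r["src"]))


if __name__ == "__main__":
    import sys
    # Pipe real output in ("tcpdump -nn -r icmp.pcap icmp | python3 icmpflag.py"),
    # or run with no stdin to analyse the constructed sample.
    lines = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    for r in flag_flows(summarize_flows(lines)):
        tag = "SUSPECT" if r["suspicious"] else "ok     "
        print(f"{tag} {r['src']} > {r['dst']}: {r['echo']} echo req, {r['frag']} fragments, "
              f"{r['pps']} pps, avg len {r['avg_len']:.0f}, seq step {r['seq_step']}")
```

To collect the input Nicolas suggests, capture on the gateway with the full packet rather than the default snaplen, e.g. `tcpdump -nn -s 0 -w icmp.pcap icmp and host LANIP`, then feed `tcpdump -nn -r icmp.pcap icmp` to the script and use `tcpdump -nn -r icmp.pcap -X` to read the echo payloads themselves; a flagged flow is a reason to pull the host off the network and examine it, not proof by itself of what is running on it.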