[Dshield] Possible Bot?

Tony Raboza tonyraboza at gmail.com
Mon May 12 13:12:16 GMT 2008


Hi everyone,

Thanks to all those who replied on and off-list.  Anyway, the incident
happened again today (I'm now posting the real LAN IP and public IP
addresses):

tcpdump:

09:23:23.062502 IP 172.16.210.210 > ns2.majordomo.ru: ICMP echo request, id 43013, seq 511, length 1480
09:23:23.062520 IP 172.16.210.210 > ns2.majordomo.ru: icmp
09:23:23.064457 IP 172.16.210.210 > 81.177.45.191: ICMP echo request, id 43013, seq 767, length 1480
09:23:23.064484 IP 172.16.210.210 > 81.177.45.191: icmp
09:23:23.073248 IP 172.16.210.210 > ns2.majordomo.ru: ICMP echo request, id 43013, seq 1023, length 1480
09:23:23.073275 IP 172.16.210.210 > ns2.majordomo.ru: icmp
09:23:23.075211 IP 172.16.210.210 > 81.177.45.191: ICMP echo request, id 43013, seq 1279, length 1480
09:23:23.075242 IP 172.16.210.210 > 81.177.45.191: icmp
09:23:23.083989 IP 172.16.210.210 > ns2.majordomo.ru: ICMP echo request, id 43013, seq 1535, length 1480
09:23:23.084017 IP 172.16.210.210 > ns2.majordomo.ru: icmp


tcpdump -X

09:26:59.840419 IP (tos 0x0, ttl 126, id 13198, offset 0, flags [+], proto: ICMP (1), length: 1500) 172.16.210.210 > 81.177.45.191: ICMP echo request, id 43013, seq 39068, length 1480
        0x0000:  4500 05dc 338e 2000 7e01 e53f ac10 d2d2  E...3...~..?....
        0x0010:  51b1 2dbf 0800 d5d5 a805 989c 4c37 4500  Q.-.........L7E.
        0x0020:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
        0x0030:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
        0x0040:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
        0x0050:  c8c8                                     ..
09:26:59.840449 IP (tos 0x0, ttl 125, id 13198, offset 1480, flags [none], proto: ICMP (1), length: 552) 172.16.210.210 > 81.177.45.191: icmp
        0x0000:  4500 0228 338e 00b9 7d01 093b ac10 d2d2  E..(3...}..;....
        0x0010:  51b1 2dbf c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  Q.-.............
        0x0020:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
        0x0030:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
        0x0040:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
        0x0050:  c8c8                                     ..
09:26:59.841432 IP (tos 0x0, ttl 126, id 13199, offset 0, flags [+], proto: ICMP (1), length: 1500) 172.16.210.210 > 78.108.89.252: ICMP echo request, id 43013, seq 39324, length 1480
        0x0000:  4500 05dc 338f 2000 7e01 bc46 ac10 d2d2  E...3...~..F....
        0x0010:  4e6c 59fc 0800 d4d5 a805 999c 4c37 4500  NlY.........L7E.
        0x0020:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
        0x0030:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
        0x0040:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
        0x0050:  c8c8                                     ..
09:26:59.841460 IP (tos 0x0, ttl 125, id 13199, offset 1480, flags [none], proto: ICMP (1), length: 552) 172.16.210.210 > 78.108.89.252: icmp
        0x0000:  4500 0228 338f 00b9 7d01 e041 ac10 d2d2  E..(3...}..A....
        0x0010:  4e6c 59fc c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  NlY.............
        0x0020:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
        0x0030:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
        0x0040:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
        0x0050:  c8c8                                     ..
09:26:59.851421 IP (tos 0x0, ttl 126, id 13200, offset 0, flags [+], proto: ICMP (1), length: 1500) 172.16.210.210 > 81.177.45.191: ICMP echo request, id 43013, seq 39580, length 1480
        0x0000:  4500 05dc 3390 2000 7e01 e53d ac10 d2d2  E...3...~..=....
        0x0010:  51b1 2dbf 0800 d3d5 a805 9a9c 4c37 4500  Q.-.........L7E.
        0x0020:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
        0x0030:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
        0x0040:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
        0x0050:  c8c8                                     ..
09:26:59.851446 IP (tos 0x0, ttl 125, id 13200, offset 1480, flags [none], proto: ICMP (1), length: 552) 172.16.210.210 > 81.177.45.191: icmp
        0x0000:  4500 0228 3390 00b9 7d01 0939 ac10 d2d2  E..(3...}..9....
        0x0010:  51b1 2dbf c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  Q.-.............
        0x0020:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
        0x0030:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
        0x0040:  c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8  ................
        0x0050:  c8c8                                     ..
09:26:59.852135 IP (tos 0x0, ttl 126, id 13201, offset 0, flags [+], proto: ICMP (1), length: 1500) 172.16.210.210 > 78.108.89.252: ICMP echo request, id 43013, seq 39836, length 1480
        0x0000:  4500 05dc 3391 2000 7e01 bc44 ac10 d2d2  E...3...~..D....
        0x0010:  4e6c 59fc 0800 0417 a805 9b9c 5c37 4500  NlY.........\7E.
        0x0020:  d8d8 d8d8 d8d8 d8d8 d8d8 d8d8 d8d8 d8d8  ................
        0x0030:  d8d8 d8d8 d8d8 d8d8 d8d8 d8d8 d8d8 d8d8  ................
        0x0040:  d8d8 d8d8 d8d8 d8d8 d8d8 d8d8 d8d8 d8d8  ................
        0x0050:  d8d8                                     ..


I turned on Snort on our Linux router (I don't leave snort on as this router
is quite underpowered already):

05/12-11:45:41.791708  [**] [123:8:1]  <any> (spp_frag3) Fragmentation overlap [**] [Priority: 3] {ICMP} 172.16.210.210 -> 78.108.89.252
05/12-11:45:41.791813  [**] [123:8:1]  <any> (spp_frag3) Fragmentation overlap [**] [Priority: 3] {ICMP} 172.16.210.210 -> 81.177.45.191


The PC is in a remote office of ours.  I was able to investigate it partially -
established a Netmeeting session with it and checked using Netstat -
but nothing turned up.  I wish I could have installed Wireshark
(ethereal) on it for packet captures from that machine.  The
anti-virus installed (McAfee) has the latest updates.

What do you think?

Thanks.



Regards,
Tony

On Sat, May 10, 2008 at 10:48 PM, Tony Raboza <tonyraboza at gmail.com> wrote:
> Hi,
>
>  I saw on our MRTG graph and monitoring tool that a PC on our LAN is
>  sending out large ICMP traffic to a public IP address.  Upon checking
>  on our Internet gateway, I saw this (output of tcpdump - I purposely
>  changed the IP addresses):
>
>  18:00:02.788023 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo request, id 4, seq 59931, length 1480
>  18:00:02.788030 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): icmp
>  18:00:02.798828 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo request, id 4, seq 60187, length 1480
>  18:00:02.798841 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): icmp
>  18:00:02.809534 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo request, id 4, seq 60443, length 1480
>  18:00:02.809546 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): icmp
>  18:00:02.820274 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo request, id 4, seq 60699, length 1480
>  18:00:02.820286 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): icmp
>  18:00:02.831246 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo request, id 4, seq 60955, length 1480
>
>
>  Actually, this happened with this PC before - I had our helpdesk check
>  it (it's on a remote site) for viruses/worms but according to them
>  nothing turned up.
>
>  I'm thinking this might be a sign that this PC is part of a botnet?
>  How can I be certain?  And what kind of botnet/worm exhibits the
>  behavior as above?
>
>  Thank you very much.
>
>
>
>  Sincerely,
>  Tony
>
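To confirm that the raw bytes in the tcpdump -X dump really say what the summary lines claim (fragmented 1500-byte echo requests from 172.16.210.210, ICMP id 43013, a payload of repeated 0xc8) and to show how that pattern can be turned into a simple detection check, here is an added example in Python; it is not part of the original post. The packet bytes are copied from the first tcpdump -X packet in the message; the 0.9 filler-byte threshold and the 1500-byte size limit are assumptions.

```python
import struct
from collections import Counter
# First fragment from the "tcpdump -X" capture above: the 82 bytes tcpdump snapped.
FRAG1_HEX = """
4500 05dc 338e 2000 7e01 e53f ac10 d2d2
51b1 2dbf 0800 d5d5 a805 989c 4c37 4500
c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8
c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8
c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8
c8c8
"""

def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; 0 means the header checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4(pkt: bytes) -> dict:
    ver_ihl, _tos, total_len, ip_id, frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"total_len": total_len, "id": ip_id, "ttl": ttl, "proto": proto,
            "mf": bool(frag & 0x2000), "frag_offset": (frag & 0x1FFF) * 8,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "checksum_ok": ip_checksum(pkt[:ihl]) == 0, "payload": pkt[ihl:]}

def parse_icmp(payload: bytes) -> dict:
    # Only the first fragment carries the ICMP header; later ones are raw data.
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", payload[:8])
    return {"type": icmp_type, "id": ident, "seq": seq, "data": payload[8:]}

def suspicious(ip: dict, icmp: dict) -> list:
    """Heuristics for the pattern in the capture (thresholds are assumptions)."""
    reasons = []
    if ip["proto"] == 1 and (ip["mf"] or ip["frag_offset"]):
        reasons.append("fragmented ICMP")
    if icmp.get("type") == 8 and ip["total_len"] >= 1500:
        reasons.append("oversized echo request (%d bytes)" % ip["total_len"])
    byte, count = Counter(icmp["data"]).most_common(1)[0]
    if count / len(icmp["data"]) > 0.9:
        reasons.append("filler payload: 0x%02x repeated" % byte)
    return reasons

def analyse(hexdump: str) -> tuple:
    ip = parse_ipv4(bytes.fromhex("".join(hexdump.split())))
    icmp = parse_icmp(ip["payload"]) if ip["frag_offset"] == 0 else {"data": ip["payload"]}
    return ip, icmp, suspicious(ip, icmp)
```

Running `analyse(FRAG1_HEX)` decodes the header fields the tcpdump summary printed, verifies the IP checksum, and returns all three heuristic hits for this fragment.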

