
| Subject: | Possible Zombie/Bot? |
|---|---|
| Date: | Mon, 12 May 2008 21:08:22 +0800 |
Hi,

I saw on our MRTG graph and monitoring tool that a PC on our LAN is sending out large ICMP traffic to a public IP address. Upon checking on our Internet gateway, I saw this:

```
09:23:23.062502 IP 172.16.210.210 > ns2.majordomo.ru: ICMP echo request, id 43013, seq 511, length 1480
09:23:23.062520 IP 172.16.210.210 > ns2.majordomo.ru: icmp
09:23:23.064457 IP 172.16.210.210 > 81.177.45.191: ICMP echo request, id 43013, seq 767, length 1480
09:23:23.064484 IP 172.16.210.210 > 81.177.45.191: icmp
09:23:23.073248 IP 172.16.210.210 > ns2.majordomo.ru: ICMP echo request, id 43013, seq 1023, length 1480
09:23:23.073275 IP 172.16.210.210 > ns2.majordomo.ru: icmp
09:23:23.075211 IP 172.16.210.210 > 81.177.45.191: ICMP echo request, id 43013, seq 1279, length 1480
09:23:23.075242 IP 172.16.210.210 > 81.177.45.191: icmp
09:23:23.083989 IP 172.16.210.210 > ns2.majordomo.ru: ICMP echo request, id 43013, seq 1535, length 1480
09:23:23.084017 IP 172.16.210.210 > ns2.majordomo.ru: icmp
```

I also did a tcpdump -X and I got this:

```
09:26:59.840419 IP (tos 0x0, ttl 126, id 13198, offset 0, flags [+], proto: ICMP (1), length: 1500) 172.16.210.210 > 81.177.45.191: ICMP echo request, id 43013, seq 39068, length 1480
        0x0000: 4500 05dc 338e 2000 7e01 e53f ac10 d2d2 E...3...~..?....
        0x0010: 51b1 2dbf 0800 d5d5 a805 989c 4c37 4500 Q.-.........L7E.
        0x0020: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
        0x0030: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
        0x0040: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
        0x0050: c8c8 ..
09:26:59.840449 IP (tos 0x0, ttl 125, id 13198, offset 1480, flags [none], proto: ICMP (1), length: 552) 172.16.210.210 > 81.177.45.191: icmp
        0x0000: 4500 0228 338e 00b9 7d01 093b ac10 d2d2 E..(3...}..;....
        0x0010: 51b1 2dbf c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 Q.-.............
        0x0020: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
        0x0030: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
        0x0040: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
        0x0050: c8c8 ..
09:26:59.841432 IP (tos 0x0, ttl 126, id 13199, offset 0, flags [+], proto: ICMP (1), length: 1500) 172.16.210.210 > 78.108.89.252: ICMP echo request, id 43013, seq 39324, length 1480
        0x0000: 4500 05dc 338f 2000 7e01 bc46 ac10 d2d2 E...3...~..F....
        0x0010: 4e6c 59fc 0800 d4d5 a805 999c 4c37 4500 NlY.........L7E.
        0x0020: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
        0x0030: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
        0x0040: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
        0x0050: c8c8 ..
09:26:59.841460 IP (tos 0x0, ttl 125, id 13199, offset 1480, flags [none], proto: ICMP (1), length: 552) 172.16.210.210 > 78.108.89.252: icmp
        0x0000: 4500 0228 338f 00b9 7d01 e041 ac10 d2d2 E..(3...}..A....
        0x0010: 4e6c 59fc c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 NlY.............
        0x0020: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
        0x0030: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
        0x0040: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
        0x0050: c8c8 ..
09:26:59.851421 IP (tos 0x0, ttl 126, id 13200, offset 0, flags [+], proto: ICMP (1), length: 1500) 172.16.210.210 > 81.177.45.191: ICMP echo request, id 43013, seq 39580, length 1480
        0x0000: 4500 05dc 3390 2000 7e01 e53d ac10 d2d2 E...3...~..=....
        0x0010: 51b1 2dbf 0800 d3d5 a805 9a9c 4c37 4500 Q.-.........L7E.
        0x0020: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
        0x0030: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
        0x0040: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
        0x0050: c8c8 ..
09:26:59.851446 IP (tos 0x0, ttl 125, id 13200, offset 1480, flags [none], proto: ICMP (1), length: 552) 172.16.210.210 > 81.177.45.191: icmp
        0x0000: 4500 0228 3390 00b9 7d01 0939 ac10 d2d2 E..(3...}..9....
        0x0010: 51b1 2dbf c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 Q.-.............
        0x0020: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
        0x0030: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
        0x0040: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
        0x0050: c8c8 ..
09:26:59.852135 IP (tos 0x0, ttl 126, id 13201, offset 0, flags [+], proto: ICMP (1), length: 1500) 172.16.210.210 > 78.108.89.252: ICMP echo request, id 43013, seq 39836, length 1480
        0x0000: 4500 05dc 3391 2000 7e01 bc44 ac10 d2d2 E...3...~..D....
        0x0010: 4e6c 59fc 0800 0417 a805 9b9c 5c37 4500 NlY.........\7E.
        0x0020: d8d8 d8d8 d8d8 d8d8 d8d8 d8d8 d8d8 d8d8 ................
        0x0030: d8d8 d8d8 d8d8 d8d8 d8d8 d8d8 d8d8 d8d8 ................
        0x0040: d8d8 d8d8 d8d8 d8d8 d8d8 d8d8 d8d8 d8d8 ................
        0x0050: d8d8 ..
```
Actually, this happened with this PC before - I had our helpdesk check it (it's on a remote site) for viruses/worms, but according to them nothing turned up.

I turned on Snort on our Linux router (I don't leave Snort on as this router is quite underpowered already):

```
05/12-11:45:41.791708 [**] [123:8:1] <any> (spp_frag3) Fragmentation overlap [**] [Priority: 3] {ICMP} 172.16.210.210 -> 78.108.89.252
05/12-11:45:41.791813 [**] [123:8:1] <any> (spp_frag3) Fragmentation overlap [**] [Priority: 3] {ICMP} 172.16.210.210 -> 81.177.45.191
```

The PC is in a remote office of ours. I was able to investigate it partially - I established a NetMeeting session with it and checked using netstat - but nothing turned up. The anti-virus installed (McAfee) has the latest updates.

I'm thinking this might be a sign that this PC is part of a botnet? How can I be certain? And what kind of botnet/worm exhibits the behavior above?

Thank you very much.

Sincerely,
Tony
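As an added example (not part of Tony's post or of any reply in the thread), the script below shows how a defender can pull the facts out of a tcpdump -X dump like the one above before deciding whether a host warrants a rebuild. It decodes the two fragments of the first echo request (copied from the post), validates each IPv4 header checksum, recovers the reassembled ICMP size from the fragment headers, lists the TTL of each fragment, and measures how much of the captured payload is a single repeated fill byte. The two thresholds (`large_echo_bytes`, `fill_fraction`) and all function names are my assumptions, not anything from the post or from tcpdump.

```python
import ipaddress
import re
from collections import Counter

# Both fragments of one echo request, copied from the tcpdump -X output in the post above.
# The ASCII column is left in to show that the parser ignores it.
FRAG1 = """\
0x0000: 4500 05dc 338e 2000 7e01 e53f ac10 d2d2 E...3...~..?....
0x0010: 51b1 2dbf 0800 d5d5 a805 989c 4c37 4500 Q.-.........L7E.
0x0020: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
0x0030: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
0x0040: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
0x0050: c8c8 ..
"""
FRAG2 = """\
0x0000: 4500 0228 338e 00b9 7d01 093b ac10 d2d2 E..(3...}..;....
0x0010: 51b1 2dbf c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 Q.-.............
0x0020: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
0x0030: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
0x0040: c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 c8c8 ................
0x0050: c8c8 ..
"""

HEX_GROUP = re.compile(r"(?:[0-9a-fA-F]{2}){1,2}")


def parse_hexdump(text):
    """Turn tcpdump -X style lines into raw bytes. A line carries at most 8 hex
    groups before the ASCII column, so stop at the 8th group or the first non-hex token."""
    out = bytearray()
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("0x"):
            continue
        for tok in line.partition(":")[2].split()[:8]:
            if not HEX_GROUP.fullmatch(tok):
                break
            out += bytes.fromhex(tok)
    return bytes(out)


def ip_checksum(header):
    """RFC 1071 one's-complement sum over the header; a valid header yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(int.from_bytes(header[i:i + 2], "big") for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(pkt):
    """Decode the fixed IPv4 header fields that matter for fragment triage."""
    ihl = (pkt[0] & 0x0F) * 4
    flags_frag = int.from_bytes(pkt[6:8], "big")
    return {
        "version": pkt[0] >> 4,
        "ihl": ihl,
        "total_length": int.from_bytes(pkt[2:4], "big"),
        "id": int.from_bytes(pkt[4:6], "big"),
        "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000),            # shown as "flags [+]" by tcpdump
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # the field counts 8-byte units
        "ttl": pkt[8],
        "proto": pkt[9],
        "checksum_ok": ip_checksum(pkt[:ihl]) == 0,
        "src": str(ipaddress.IPv4Address(pkt[12:16])),
        "dst": str(ipaddress.IPv4Address(pkt[16:20])),
        "payload": pkt[ihl:],                        # only what the snaplen captured
    }


def parse_icmp(payload):
    """ICMP header: type 8 is echo request; id/seq are what the tcpdump summary line prints."""
    return {"type": payload[0], "code": payload[1],
            "id": int.from_bytes(payload[4:6], "big"),
            "seq": int.from_bytes(payload[6:8], "big")}


def triage(hexdumps, large_echo_bytes=1000, fill_fraction=0.9):
    """Decode the fragments of one ICMP datagram and report the traits worth a second look.
    The two thresholds are assumptions for this example: a stock ping sends 64 bytes of
    ICMP, and a payload that is mostly one repeated byte is padding rather than data."""
    frags = sorted((parse_ipv4(parse_hexdump(h)) for h in hexdumps),
                   key=lambda f: f["frag_offset"])
    first = frags[0]
    if first["frag_offset"] != 0 or first["proto"] != 1:
        raise ValueError("need the first fragment of an ICMP datagram")
    icmp = parse_icmp(first["payload"])
    # Reassembled ICMP length comes from the headers, not from the truncated captured bytes.
    icmp_len = max(f["frag_offset"] + f["total_length"] - f["ihl"] for f in frags)
    # Fill analysis can only look at the bytes the snaplen kept.
    data = first["payload"][8:] + b"".join(f["payload"] for f in frags[1:])
    byte, count = Counter(data).most_common(1)[0]
    return {
        "src": first["src"], "dst": first["dst"],
        "echo_request": icmp["type"] == 8,
        "icmp_id": icmp["id"], "icmp_seq": icmp["seq"],
        "fragmented": len(frags) > 1 or first["mf"],
        "icmp_bytes": icmp_len,
        "large_echo": icmp_len > large_echo_bytes,
        "ttl_values": sorted({f["ttl"] for f in frags}),
        "checksums_ok": all(f["checksum_ok"] for f in frags),
        "fill_byte": byte,
        "fill_fraction": round(count / len(data), 3),
        "padded_payload": count / len(data) >= fill_fraction,
    }


if __name__ == "__main__":
    for key, value in triage([FRAG1, FRAG2]).items():
        print(f"{key:>15}: {value}")
```

Run against the two fragments from the post, the report says: a well-formed echo request (id 43013, seq 39068) from 172.16.210.210 to 81.177.45.191, reassembling to 2012 bytes of ICMP across two fragments, both IPv4 header checksums valid, TTL 126 on the first fragment but 125 on the second (two fragments of one datagram leaving one host normally carry the same TTL, which is worth noting alongside the frag3 overlap alert), and a captured payload that is about 97% the byte 0xc8. Those traits, repeated at high rate to a couple of fixed external addresses, are what a detection rule or a flow-based alert should key on, and the host-side counterpart is to correlate the timestamps with which process on 172.16.210.210 holds a raw socket. The fill check only sees the 82 bytes tcpdump kept per packet; capture with a larger snaplen (tcpdump -s 0) to judge the whole payload.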