Security Basics: Re: Possible Bot?

Re: Possible Bot?

From: Adriel Desautels <adriel_at_netragard.com>
Date: Mon, 12 May 2008 17:05:15 -0400

Hi Tony,
        I'd suggest setting up a sniffer and capturing some of the packets in
question. If you do, feel free to email me a small dump and I'll give it
a quick look for you. I'd also suggest setting up Snort to see if it
catches anything (granted these days IDS evasion is common).

Regards,
        Adriel T. Desautels
        Chief Technology Officer
        Netragard, LLC.
        Office : 617-934-0269
        Mobile : 617-633-3821
        http://www.linkedin.com/pub/1/118/a45

        Join the Netragard, LLC. Linked In Group:
        http://www.linkedin.com/e/gis/48683/0B98E1705142

---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com - "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security

Netragard Whitepaper Downloads:
-------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know : http://tinyurl.com/26pjsn

Tony Raboza wrote:
> Hi,
>
> I saw on our MRTG graph and monitoring tool that a PC on our LAN is
> sending out large ICMP traffic to a public IP address. Upon checking
> on our Internet gateway, I saw this (output of tcpdump - I purposely
> changed the IP addresses):
>
> 18:00:02.788023 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo
> request, id 4, seq 59931, length 1480
> 18:00:02.788030 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): icmp
> 18:00:02.798828 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo
> request, id 4, seq 60187, length 1480
> 18:00:02.798841 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): icmp
> 18:00:02.809534 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo
> request, id 4, seq 60443, length 1480
> 18:00:02.809546 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): icmp
> 18:00:02.820274 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo
> request, id 4, seq 60699, length 1480
> 18:00:02.820286 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): icmp
> 18:00:02.831246 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo
> request, id 4, seq 60955, length 1480
>
>
> Actually, this happened with this PC before - I had our helpdesk check
> it (it's on a remote site) for viruses/worms but according to them
> nothing turned up.
>
> I'm thinking this might be a sign that this PC is part of a botnet?
> How can I be certain? And what kind of botnet/worm exhibits the
> behavior above?
>
> Thank you very much.
>
>
>
> Sincerely,
> Tony
Received on May 12 2008
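The reply above recommends capturing the traffic and looking at it. As an added example (not code from either poster), the script below does a first-pass triage of exactly the kind of tcpdump text quoted in the question: it groups lines by source/destination pair, counts echo requests and the bare "icmp" continuation lines that tcpdump prints for non-first fragments, measures the request rate and payload size, and reports which flows deserve a full packet capture. The sample lines are the ones from the post, unwrapped, with the hand-added "(LANIP)"/"(PUBLIC IP)" labels kept so the parser tolerates them; the thresholds in flag_suspicious are assumptions chosen for illustration, not values from the thread.

```python
"""Triage large, high-rate ICMP echo traffic from tcpdump text output."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the lines quoted in the thread, unwrapped. The bare
# "icmp" lines are what tcpdump prints for the trailing fragment of an echo
# request whose payload did not fit in one MTU-sized frame.
SAMPLE_TCPDUMP = """\
18:00:02.788023 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo request, id 4, seq 59931, length 1480
18:00:02.788030 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): icmp
18:00:02.798828 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo request, id 4, seq 60187, length 1480
18:00:02.798841 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): icmp
18:00:02.809534 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo request, id 4, seq 60443, length 1480
18:00:02.809546 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): icmp
18:00:02.820274 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo request, id 4, seq 60699, length 1480
18:00:02.820286 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): icmp
18:00:02.831246 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo request, id 4, seq 60955, length 1480
"""

# Tolerate an optional "(label)" after each address, as in the post.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)(?: \([^)]*\))? > "
    r"(?P<dst>[\d.]+)(?: \([^)]*\))?: (?P<rest>.*)$"
)
ECHO_RE = re.compile(
    r"ICMP echo request, id (?P<id>\d+), seq (?P<seq>\d+), length (?P<len>\d+)"
)


def _seconds(ts):
    """Convert a tcpdump HH:MM:SS.ffffff timestamp to seconds since midnight."""
    t = datetime.strptime(ts, "%H:%M:%S.%f")
    return t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6


def summarize_icmp(text):
    """Group tcpdump lines by (src, dst) and summarize echo-request behaviour."""
    flows = defaultdict(lambda: {"echo": 0, "frag": 0, "times": [], "seqs": [], "lengths": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        f = flows[(m["src"], m["dst"])]
        e = ECHO_RE.match(m["rest"])
        if e:
            f["echo"] += 1
            f["times"].append(_seconds(m["ts"]))
            f["seqs"].append(int(e["seq"]))
            f["lengths"].append(int(e["len"]))
        elif m["rest"].strip() == "icmp":
            f["frag"] += 1  # non-first fragment of a fragmented echo request
    report = {}
    for key, f in flows.items():
        n = f["echo"]
        span = f["times"][-1] - f["times"][0] if n > 1 else 0.0
        rate = (n - 1) / span if span > 0 else 0.0  # mean requests per second
        strides = {b - a for a, b in zip(f["seqs"], f["seqs"][1:])}
        report[key] = {
            "echo_requests": n,
            "fragments": f["frag"],
            "rate_pps": rate,
            "max_length": max(f["lengths"], default=0),
            "seq_strides": strides,
        }
    return report


def flag_suspicious(report, min_rate=10.0, min_length=1000):
    """Return (src, dst, reasons) for flows worth pulling a full capture on.
    The thresholds are assumptions for this example, not values from the thread."""
    findings = []
    for (src, dst), s in report.items():
        reasons = []
        if s["rate_pps"] >= min_rate:
            reasons.append(f"{s['rate_pps']:.0f} echo requests/s to a single host")
        if s["max_length"] >= min_length:
            reasons.append(f"ICMP payload of {s['max_length']} bytes")
        if s["fragments"]:
            reasons.append(f"{s['fragments']} trailing fragments (echo larger than the MTU)")
        if s["seq_strides"] == {256}:
            # tcpdump shows seq in network byte order; a constant stride of 256
            # is what a 16-bit counter written little-endian and advanced by one
            # looks like, so this is a sender fingerprint worth noting.
            reasons.append("seq advances by 256 (little-endian sequence counter)")
        if reasons:
            findings.append((src, dst, reasons))
    return findings


if __name__ == "__main__":
    for src, dst, reasons in flag_suspicious(summarize_icmp(SAMPLE_TCPDUMP)):
        print(f"{src} -> {dst}: " + "; ".join(reasons))
```

Run it against the output of tcpdump -n -tt icmp (or a saved text file) to get the per-flow summary; the interesting number in the sample is that the five requests arrive about 10.8 ms apart, roughly 90 per second, each already filling a 1500-byte frame before its fragment follows, which is the pattern the reply suggests confirming with a sniffer and an IDS rather than with a host-side antivirus check alone.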
