Botnets - The killer web applications

www.syngress.com
Advanced Ourmon Techniques • Chapter 9
319
427_Botnet_09.qxd 1/8/07 4:45 PM Page 319


back-end software feature. This is shown in the first line above. As a result you are told the IP address of the violator, and in fact the entire UDP port report line is put in as well. Ironically, in this case, if you have any experience, you probably don't need to go look at the packet data. Why? Because you see that a lot of UDP packets (15 million in 30 seconds) were sent to one IP destination at one port, and the port in question was 6667 (which is an IRC port, but IRC uses TCP). It smacks too much of a retaliatory UDP DoS attack.

The trigger-on and trigger-off messages also provide useful information. For example, the trigger-on message shows the configured threshold and gives the filename in which we hope to find packets. The real filename is:

/usr/dumps/topn_udp_err.<10.08.2006|06:48:09>.dmp
So let's actually use the tcpdump utility and look at the packet dump. To do this, we have to change directory to our configured directory on the probe system and invoke the tcpdump utility on the filename. The dump filenames are cumbersome and are not something you ever want to type in. The best thing to do is to use cut and paste. One problem with the current syntax is that it defeats the Unix shell because of the > and < (redirection) characters and the | (pipe) character as well; this should be fixed in a future release. As a result, you want to put quotes around the filename. So, assume that you cut and paste and feed the filename to tcpdump as follows:

# tcpdump -n -X -r "/usr/dumps/topn_udp_err.<10.08.2006|06:48:09>.dmp" | more

It is worth pointing out that we can use shell wildcard characters and cheat without typing the full filename, like this (the shell expands the wildcard after it has parsed the command line, so the special characters in the expanded name do no harm):

# tcpdump -n -X -r *10.08.2006*06:48* | more
So, -n means no reverse-pointer DNS lookup, -X means that you want a hexdump and a traditional ASCII translation (if available) on the right-hand side of the packet contents, and -r tells tcpdump to take its input from a file, not the network. As a result, we get something like the following:
03:48:29.258236 192.168.125.43.35415 > 10.0.49.145.6667: udp 10 (DF)
0x0000   4500 0026 6475 4000 3f11 07ea XXXX XXXX    E..&du@.?.......
0x0010   XXXX XXXX 8a57 1a0b 0012 86f5 3031 3233    .............0123
0x0020   3435 3637 3839 0000 0000 0000 0000         456789........
03:48:29.258239 192.168.125.43.35415 > 10.0.49.145.6667: udp 10 (DF)
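As an added illustration (this is not code from the book or from Ourmon), the following Python script parses tcpdump -n -X output in the format shown above, strips the IPv4 and UDP headers to recover the payload, treats the XXXX groups (where the book redacted addresses) as unknown bytes rather than decoding them, and tallies packets per source, destination and port. That tally is what makes the reasoning above mechanical: many UDP packets to one host on port 6667, a port IRC uses over TCP, not UDP. The embedded sample is constructed from the two packets shown on this page; the function names and the IRC_PORTS set are my own choices.

```python
import re
from collections import Counter

# Constructed sample input: the two datagrams from the tcpdump -n -X listing on
# this page. The XXXX groups are where the book redacted the source and
# destination addresses, so those bytes are unknown.
SAMPLE = """\
03:48:29.258236 192.168.125.43.35415 > 10.0.49.145.6667: udp 10 (DF)
0x0000   4500 0026 6475 4000 3f11 07ea XXXX XXXX    E..&du@.?.......
0x0010   XXXX XXXX 8a57 1a0b 0012 86f5 3031 3233    .............0123
0x0020   3435 3637 3839 0000 0000 0000 0000         456789........
03:48:29.258239 192.168.125.43.35415 > 10.0.49.145.6667: udp 10 (DF)
0x0000   4500 0026 6475 4000 3f11 07ea XXXX XXXX    E..&du@.?.......
0x0010   XXXX XXXX 8a57 1a0b 0012 86f5 3031 3233    .............0123
0x0020   3435 3637 3839 0000 0000 0000 0000         456789........
"""

# Packet summary line: "<time> <src>.<sport> > <dst>.<dport>: <proto> <len> ...".
# Newer tcpdump versions insert "IP " after the timestamp; accept both forms.
HEADER_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?:IP\s+)?"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+"
    r"(?P<proto>udp|tcp)\s+(?P<len>\d+)"
)

IRC_PORTS = {6667}   # the port the page calls an IRC port; IRC itself runs over TCP


def _decode_hex(groups):
    """Turn '4500 0026 ... XXXX' into bytes. Redacted 'XX' pairs become 0x00 and
    are counted so callers know those bytes are placeholders, not captured data."""
    out = bytearray()
    redacted = 0
    for group in groups.split():
        for i in range(0, len(group), 2):
            pair = group[i:i + 2]
            if "X" in pair.upper():
                out.append(0)
                redacted += 1
            else:
                out.append(int(pair, 16))
    return bytes(out), redacted


def udp_payload(raw):
    """Strip the IPv4 and UDP headers from a raw packet; None if it is not IPv4/UDP.
    Bytes past the IP total length (Ethernet padding, as in the sample) are dropped."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    total_len = int.from_bytes(raw[2:4], "big")
    if raw[9] != 17 or len(raw) < ihl + 8:       # protocol 17 = UDP
        return None
    udp_len = int.from_bytes(raw[ihl + 4:ihl + 6], "big")
    end = min(total_len, ihl + udp_len, len(raw))
    return raw[ihl + 8:end]


def parse_tcpdump_x(text):
    """Parse 'tcpdump -n -X' output into a list of packet dicts with decoded bytes."""
    packets = []
    cur = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {"ts": m["ts"], "src": m["src"], "sport": int(m["sport"]),
                   "dst": m["dst"], "dport": int(m["dport"]),
                   "proto": m["proto"], "len": int(m["len"]),
                   "raw": bytearray(), "redacted": 0}
            packets.append(cur)
            continue
        # Hex lines: "<offset>  <hex groups>  <ascii>", columns separated by 2+
        # spaces, so the ASCII column (which may look like hex) is never decoded.
        parts = re.split(r"\s{2,}", line.strip())
        if cur is not None and len(parts) >= 2 and parts[0].startswith("0x"):
            data, red = _decode_hex(parts[1])
            cur["raw"] += data
            cur["redacted"] += red
    for p in packets:
        p["raw"] = bytes(p["raw"])
        p["payload"] = udp_payload(p["raw"])
    return packets


def flow_summary(packets):
    """Packets per (src, dst, proto, dport): the view in which a flood stands out."""
    return Counter((p["src"], p["dst"], p["proto"], p["dport"]) for p in packets)


def suspicious_flows(packets):
    """Apply the page's reasoning: UDP aimed at an IRC port does not look like IRC."""
    hits = []
    for (src, dst, proto, dport), n in flow_summary(packets).items():
        if proto == "udp" and dport in IRC_PORTS:
            hits.append((src, dst, dport, n, "UDP to an IRC port; IRC uses TCP"))
    return hits


if __name__ == "__main__":
    pkts = parse_tcpdump_x(SAMPLE)
    for p in pkts:
        print(p["ts"], p["src"], "->", p["dst"], p["dport"],
              "payload", p["payload"], "redacted bytes:", p["redacted"])
    for hit in suspicious_flows(pkts):
        print("suspicious:", hit)
```

On a real dump you would replace SAMPLE with the text of `tcpdump -n -X -r "<dumpfile>"` read from standard input; the payload of both sample packets decodes to the ten ASCII digits "0123456789", and the trailing zero bytes are Ethernet padding beyond the IP total length of 38, which is why udp_payload trims on that length rather than on the number of hex lines.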