[Intrusions] LOGS:GIAC GCIA Version 3.5 Practical Detect Dante Winslow

Samuel Adams jipajapa at gmail.com
Tue Nov 30 15:51:41 GMT 2004


Some good analysis - I certainly learned some things while
reading/responding to this. Responses included below...

> The Snort alert "Backdoor Q Access" was triggered when evaluating the file. The packets that set off this alert all came from an apparent broadcast source IP address of 255.255.255.255 on source port 31337, directed at hosts of the protected network on destination port 515/tcp. Also, the Ethernet headers of these packets all contained the same MAC addresses. Moreover, the time-to-live (TTL) values of these packets are relatively small, hop counts ranging from 12 to 15. These elements suggest that the attacker is on a network other than the protected network, but that network is also not far away from the protected network.
> 

The identical MAC addresses can be explained by the packets passing
through the same router. Are you sure you want to draw conclusions
about the source from those? Particularly since they are part of a
Cisco block and therefore more likely to be routers? Do you think the
IDS is located inside or outside the exterior router? Or somewhere
else? Wouldn't all packets destined for the IDS most likely come from
one router in most feasible locations?

Looking through the collection of passive fingerprints generated by
the smart folks who wrote p0f (http://lcamtuf.coredump.cx/p0f.shtml)
it looks like most TTLs are a power of 2 - all the ones I've seen are
at least 32. If you've got a hop count at 12-15 and started off at 32
or better yet 64 - I don't see the source system being all that close.
What made you draw that conclusion?

> In addition to parsing the file against Snort, this binary log file was also filtered through Ethereal (Version 0.10.12). Filtering through Ethereal revealed 27 instances of logs with the source IP address of 255.255.255.255 and the source port of 31337. Conjointly, these 27 instances were all destined for the protected network on port 515/tcp.
> 
Did you look for packets with a source address of 255.255.255.255 and
a source port other than 31337? What are the chances this traffic is
the result of a misconfiguration of some kind?

> Example Ethereal Dump:
>
> 08/24/02-22:05:30.964488 255.255.255.255:31337 -> MY.NET.164.100:515
> TCP TTL:14 TOS:0x0 ID:0 IpLen:20 DgmLen:43
> ***A*R** Seq: 0x0 Ack: 0x0 Win: 0x0 TcpLen: 20
> 63 6B 6F cko
>
Interestingly enough, SANS has a FAQ on the Q trojan. One thing it
mentions is that the sequence number, acknowledgement number and
window size are randomly generated. That does not appear to be the
case here. Perhaps the other alerts are different. Have a look if you
get a chance: http://www.sans.org/resources/idfaq/qtrojan.php

> seemly targeted against internal addresses on port 515, normally used by the LPD daemon 
I think you were looking for the word seemingly here.

Hope this helps. Cheers,
Sam Adams
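As an added example, not part of the thread and not Dante's or Sam's code, the script below parses alert records in the layout quoted above (Snort's full alert format) and answers the three questions the reply raises: what the implied hop count is once you assume a realistic initial TTL, whether the Seq/Ack/Win fields actually vary from packet to packet as the SANS Q FAQ says they should, and whether the same bogus source address shows up on ports other than 31337. The first record is the one quoted in the post; the other three records are constructed sample data, and the hop estimate assumes the sender started from the smallest of the common initial TTLs (32, 64, 128, 255) that is not below the observed value.

```python
import re
from dataclasses import dataclass

# Regex for the Snort "full" alert layout quoted in the thread:
#   timestamp src:port -> dst:port
#   TCP TTL:n TOS:0x.. ID:n IpLen:n DgmLen:n
#   flags Seq: 0x.. Ack: 0x.. Win: 0x.. TcpLen: n
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\w.]+):(?P<sport>\d+) -> (?P<dst>[\w.]+):(?P<dport>\d+)\n"
    r"TCP TTL:(?P<ttl>\d+) TOS:0x[0-9A-Fa-f]+ ID:(?P<ipid>\d+) IpLen:\d+ DgmLen:\d+\n"
    r"(?P<flags>\S+) Seq: 0x(?P<seq>[0-9A-Fa-f]+) Ack: 0x(?P<ack>[0-9A-Fa-f]+) "
    r"Win: 0x(?P<win>[0-9A-Fa-f]+)",
    re.MULTILINE,
)

# Constructed sample input. The first record is the one quoted in the thread;
# the remaining three are made up to exercise the checks (the last one uses a
# source port other than 31337 on purpose).
SAMPLE_ALERTS = """\
08/24/02-22:05:30.964488 255.255.255.255:31337 -> MY.NET.164.100:515
TCP TTL:14 TOS:0x0 ID:0 IpLen:20 DgmLen:43
***A*R** Seq: 0x0 Ack: 0x0 Win: 0x0 TcpLen: 20
63 6B 6F cko

08/24/02-22:41:12.118402 255.255.255.255:31337 -> MY.NET.120.12:515
TCP TTL:12 TOS:0x0 ID:0 IpLen:20 DgmLen:43
***A*R** Seq: 0x0 Ack: 0x0 Win: 0x0 TcpLen: 20
63 6B 6F cko

08/25/02-03:07:55.003311 255.255.255.255:31337 -> MY.NET.77.200:515
TCP TTL:15 TOS:0x0 ID:0 IpLen:20 DgmLen:43
***A*R** Seq: 0x0 Ack: 0x0 Win: 0x0 TcpLen: 20
63 6B 6F cko

08/25/02-09:15:02.550000 255.255.255.255:1024 -> MY.NET.164.100:515
TCP TTL:14 TOS:0x0 ID:0 IpLen:20 DgmLen:43
***A*R** Seq: 0x0 Ack: 0x0 Win: 0x0 TcpLen: 20
63 6B 6F cko
"""


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int
    ipid: int
    flags: str
    seq: int
    ack: int
    win: int


def parse_alerts(text: str) -> list[Alert]:
    """Turn Snort full-format alert text into Alert records."""
    alerts = []
    for m in ALERT_RE.finditer(text):
        g = m.groupdict()
        alerts.append(Alert(
            ts=g["ts"], src=g["src"], sport=int(g["sport"]),
            dst=g["dst"], dport=int(g["dport"]),
            ttl=int(g["ttl"]), ipid=int(g["ipid"]), flags=g["flags"],
            seq=int(g["seq"], 16), ack=int(g["ack"], 16), win=int(g["win"], 16),
        ))
    return alerts


# Assumption: senders start from one of the usual initial TTLs seen in p0f's
# fingerprint list; the observed TTL is never above the one it started from.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)


def estimate_hops(observed_ttl: int) -> tuple[int, int]:
    """Return (assumed_initial_ttl, hops_traversed) for an observed TTL.
    TTL 14 implies at least 18 hops even from a 32 start, so it is not a
    "nearby" source; the observed TTL is not itself a hop count."""
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise ValueError(f"TTL {observed_ttl} is not a valid IPv4 TTL")


def from_source(alerts: list[Alert], src: str = "255.255.255.255",
                sport: int = 31337) -> list[Alert]:
    """The packets that match the Q signature's source tuple."""
    return [a for a in alerts if a.src == src and a.sport == sport]


def off_port_broadcast(alerts: list[Alert], src: str = "255.255.255.255",
                       expected_sport: int = 31337) -> list[Alert]:
    """Same bogus source address but NOT the signature port: hits here argue
    for a misconfiguration or other tool rather than Q specifically."""
    return [a for a in alerts if a.src == src and a.sport != expected_sport]


def summarize(alerts: list[Alert]) -> dict:
    """Facts the reply asks for: source tuples, TTL spread, the minimum hop
    count those TTLs imply, and whether Seq/Ack/Win (and IP ID) vary at all.
    Q is documented as randomizing seq/ack/window; all-zero constants do not."""
    if not alerts:
        raise ValueError("no alerts to summarize")
    ttls = sorted(a.ttl for a in alerts)
    return {
        "sources": sorted({(a.src, a.sport) for a in alerts}),
        "ttl_range": (ttls[0], ttls[-1]),
        "min_hops": min(estimate_hops(t)[1] for t in ttls),
        "header_fields_vary": len({(a.seq, a.ack, a.win) for a in alerts}) > 1,
        "ip_id_vary": len({a.ipid for a in alerts}) > 1,
    }


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    print("Q-signature packets:", summarize(from_source(parsed)))
    print("same source, other ports:",
          [(a.ts, a.sport, a.dst) for a in off_port_broadcast(parsed)])
```

On the constructed input the 31337 packets show a TTL range of 12 to 15 (at least 17 hops if the sender began at 32), constant all-zero Seq/Ack/Win and a constant IP ID, and one extra packet from 255.255.255.255 on a different port; those are the numbers to compare against the real 27-packet capture before concluding anything about distance or about Q.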
