[Intrusions] 8.1M hits in minutes w/ this traffic ...

Merton Campbell Crockett mcc at CATO.GD-AIS.COM
Mon Oct 11 15:26:18 GMT 2004


Deutsche Telekom and China Telecom are in a dead-heat when it comes to
providing Internet access to network abusers.

Your system has been compromised and is communicating with a P2P server on a
Deutsche Telekom AG network.  The P2P network allows your system to be
controlled remotely.

Merton Campbell Crockett


On Sun, 10 Oct 2004, Don Murdoch wrote:

> Hi all.  We have had an interesting event this morning after some weekend
> work.  We found a host on our large academic network that was (is) pummeling
> the Crisco 7xxx router into unconsciousness.  The machine, w/ some traffic
> identified below, is sending out MILLIONS of packets.  Our sr. net engineer
> (will call him Jim Dandy) put in an ACL to stop it, and the Crisco rolled
> over w/ something like 8M hits in a few minutes.  I am not sure if .. a)
> this is an all out assault or b) it is a misconfigured game server or c) a
> whopping new bot-net thingy (agent or controller) or d) windows xp service
> pack 3 (just kidding on that last one)...... At any rate, I thought at a
> minimum I would let you all know that there is something which can take
> down an OC3 network on the Inet within minutes, and this is what it looks
> like.  I will post more tomorrow.
>  
> I doubt the traffic really is SGMP (port 153)....
> 
> Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-10-10 10:48 EDT
> 
> Interesting ports on h078134.s078.dons.net (Dons.Net.78.134): 
> (The 1649 ports scanned but not shown below are in state: closed) 
> PORT     STATE SERVICE 
> 135/tcp  open  msrpc 
> 139/tcp  open  netbios-ssn 
> 153/tcp  open  sgmp 
> 236/tcp  open  unknown 
> 427/tcp  open  svrloc 
> 445/tcp  open  microsoft-ds 
> 666/tcp  open  doom 
> 888/tcp  open  accessbuilder 
> 1025/tcp open  NFS-or-IIS 
> 1763/tcp open  landesk-rc 
> 
> Nmap run completed -- 1 IP address (1 host up) scanned in 17.915 seconds 
> 
> tcpdump contains: 
> 10:31:41.784682 217.224.12.176.1694 > Dons.Net.78.134.153: S
> 830547571:830547571(0) win 64800 <mss 1440,nop,nop,sackOK> (DF) 
> 0x0000   4500 0030 ec77 4000 7206 66e7 d9e0 0cb0        E..0.w@.r.f.....
> 0x0010   XXXX 4e86 069e 0099 3181 2673 0000 0000        .RN.....1.&s.... 
> 0x0020   7002 fd20 717e 0000 0204 05a0 0101 0402        p...q~.......... 
> 10:31:41.784720 62.139.185.75.2714 > Dons.Net.78.134.153: S
> 2232813922:2232813922(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) 
> 0x0000   4500 0030 8271 4000 6e06 c3a7 3e8b b94b        E..0.q@.n...>..K
> 0x0010   XXXX 4e86 0a9a 0099 8516 0962 0000 0000        .RN........b.... 
> 0x0020   7002 faf0 27d4 0000 0204 05b4 0101 0402        p...'........... 
> 10:31:41.785258 83.36.88.227.1157 > Dons.Net.78.134.153: S
> 3846402506:3846402506(0) win 16384 <mss 1452,nop,nop,sackOK> (DF) 
> 0x0000   4500 0030 1bce 4000 6b06 791a 5324 58e3        E..0..@.k.y.S$X.
> 0x0010   XXXX 4e86 0485 0099 e543 71ca 0000 0000        .RN......Cq.....
> 0x0020   7002 4000 6c1b 0000 0204 05ac 0101 0402        p.@.l...........
> 10:31:41.785304 80.39.163.192.1339 > Dons.Net.78.134.153: S
> 1685437835:1685437835(0) win 16384 <mss 1444,nop,nop,sackOK> (DF) 
> 0x0000   4500 0030 04ed 4000 6b06 481b 5027 a3c0        E..0..@.k.H.P'..
> 0x0010   XXXX 4e86 053b 0099 6475 bd8b 0000 0000        .RN..;..du......
> 0x0020   7002 4000 589a 0000 0204 05a4 0101 0402        p.@.X...........
>  
>  10:31:43.851288 Dons.Net.78.134.153 > 217.224.12.176.1694: P 182:1251(1069)
> ack 63 win 17218 (DF) 
> 0x0000   4500 0455 a775 4000 7c06 9dc4 XXXX 4e86        E..U.u@.|....RN.
> 0x0010   d9e0 0cb0 0099 069e ca6d 1791 3181 26b2        .........m..1.&. 
> 0x0020   5018 4342 ca67 0000 3a73 4572 5665 522e        P.CB.g..:sErVeR. 
> 0x0030   4269 5463 486e 4574 2e6f 7267 2030 3031        BiTcHnEt.org.001 
> 0x0040   2044 4555 7c36 3337 3432 3720 3a57 656c        .DEU|637427.:Wel 
> 0x0050   636f 6d65 2074 6f20 7468 6520 4269 5463        come.to.the.BiTc 
> 0x0060   486e 4574 2d4e 6554 774f 7258 2e6f 7267        HnEt-NeTwOrX.org 
> 0x0070   2049 5243 204e 6574 776f 726b 2044 4555        .IRC.Network.DEU 
> 0x0080   7c36 3337 3432 3721 7469 646d 7072 4032        |637427!tidmpr@2
> 0x0090   3137 2e32 3234 2e31 322e 3137 360d 0a3a        17.224.12.176..: 
> 0x00a0   7345 7256 6552 2e42 6954 6348 6e45 742e        sErVeR.BiTcHnEt. 
> 0x00b0   6f72 6720 3030 3220 4445 557c 3633 3734        org.002.DEU|6374 
> 0x00c0   3237 203a 596f 7572 2068 6f73 7420 6973        27.:Your.host.is 
> 0x00d0   2073 4572 5665 522e 4269 5463 486e 4574        .sErVeR.BiTcHnEt 
> 0x00e0   2e6f 7267 2c20 7275 6e6e 696e 6720 7665        .org,.running.ve 
> 0x00f0   7273 696f 6e20 556e 7265 616c 332e 320d        rsion.Unreal3.2. 
> 0x0100   0a3a 7345 7256 6552 2e42 6954 6348 6e45        .:sErVeR.BiTcHnE 
> 0x0110   742e 6f72 6720 3030 3320 4445 557c 3633        t.org.003.DEU|63 
> 0x0120   3734 3237 203a 5468 6973 2073 6572 7665        7427.:This.serve 
> 0x0130   7220 7761 7320 6372 6561 7465 6420 5765        r.was.created.We 
> 0x0140   6420 4170 7220 3238 2031 383a 3135 3a31        d.Apr.28.18:15:1 
> 0x0150   3920 3230 3034 0d0a 3a73 4572 5665 522e        9.2004..:sErVeR. 
> 

-- 
BEGIN:				vcard
VERSION:			3.0
FN:				Merton Campbell Crockett
ORG:				General Dynamics Advanced Information Systems;
				Intelligence and Exploitation Systems
N:				Crockett;Merton;Campbell
EMAIL;TYPE=internet:		mcc at CATO.GD-AIS.COM
TEL;TYPE=work,voice,msg,pref:	+1(805)497-5045
TEL;TYPE=work,fax:		+1(805)497-5050
TEL;TYPE=cell,voice,msg:	+1(805)377-6762
END:				vcard
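As an added example, not part of either post: a small Python decoder for the tcpdump -x hex layout quoted above. It rebuilds the packet from the hex column, walks the IP and TCP headers by their length fields rather than trusting the port, and flags IRC registration numerics (001-004) such as the "Welcome to the ... IRC Network" banner in Don's dump, so an IRC control channel on an odd port like 153/tcp still stands out. The sample packet is constructed (10.0.0.x addresses, zero checksums, a generic server name), not the captured traffic.

```python
import re
import struct

# Constructed sample in the same "tcpdump -x" layout as the post (offset, hex
# words, ASCII column). Not captured traffic: 10.0.0.1 -> 10.0.0.2, zero
# checksums, and only the server's 001 numeric reply as payload.
SAMPLE_DUMP = """\
0x0000   4500 0044 0001 4000 4006 0000 0a00 0001        E..D..@.@.......
0x0010   0a00 0002 0099 069e 0000 0001 0000 0001        ................
0x0020   5018 4342 0000 0000 3a69 7263 2e74 6573        P.CB....:irc.tes
0x0030   7420 3030 3120 626f 7420 3a57 656c 636f        t 001 bot :Welco
0x0040   6d65 0d0a                                      me..
"""
HEX_LINE = re.compile(r"^\s*0x[0-9a-fA-F]+:?\s{2,}")

def dump_to_bytes(text):
    """Rebuild raw packet bytes from tcpdump -x/-X hex lines, ignoring the ASCII column."""
    out = bytearray()
    for line in text.splitlines():
        if not HEX_LINE.match(line):
            continue
        # columns are separated by runs of two or more spaces: offset, hex words, ascii
        hex_words = re.split(r"\s{2,}", line.strip())[1]
        out += bytes.fromhex(hex_words.replace(" ", ""))
    return bytes(out)

def tcp_payload(pkt):
    """Walk the IPv4 and TCP headers by their length fields; return (sport, dport, payload)."""
    if pkt[9] != 6:
        raise ValueError("not a TCP segment")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    data_off = (pkt[ihl + 12] >> 4) * 4
    return sport, dport, pkt[ihl + data_off:total_len]

# IRC registration numerics 001-004 (":server 001 nick :Welcome ..."), as seen in the dump
IRC_NUMERIC = re.compile(rb"^:(?P<server>\S+) (?P<code>00[1-4]) (?P<nick>\S+) :(?P<text>.*)$")

def irc_server_replies(payload):
    """Return IRC welcome numerics found in a payload, regardless of which port carried it."""
    found = []
    for line in payload.split(b"\r\n"):
        m = IRC_NUMERIC.match(line)
        if m:
            found.append({k: v.decode("latin-1") for k, v in m.groupdict().items()})
    return found

def inspect_dump(text):
    sport, dport, payload = tcp_payload(dump_to_bytes(text))
    return {"sport": sport, "dport": dport, "replies": irc_server_replies(payload)}
```

Run over a real `tcpdump -x` capture, a hit with a server port other than 6667 (here 153) is the kind of thing Merton's reply is pointing at.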
