[Intrusions] 8.1M hits in minutes w/ this traffic ...
Mary
girltek at sbcglobal.net
Mon Oct 11 15:32:56 GMT 2004
We had this happen twice last week. Infected laptops were placed on the network and beat the hell out of the router. The virus was cleaned but seemed to re-install itself over and over again. I think our Techs finally got it with Symantec's help, but it was nasty. It was a newer version of RBOT.
girltech
Don Murdoch <djmurd at cox.net> wrote:
Hi all. We have had an interesting event this morning after some weekend
work. We found a host on our large academic network that was (is) pummeling
the Crisco 7xxx router into unconsciousness. The machine, w/ some traffic
identified below, is sending out MILLIONS of packets. Our sr. net engineer
(will call him Jim Dandy) put in an ACL to stop it, and the Crisco rolled
over w/ something like 8M hits in a few minutes. I am not sure if .. a)
this is an all out assault or b) it is a misconfigured game server or c) a
whopping new bot-net thingy (agent or controller) or d) windows xp service
pack 3 (just kidding on that last one)...... At any rate, I thought at a
minimum I would let you all know that there is something which can take
down an OC3 network on the Inet within minutes, and this is what it looks
like. I will post more tomorrow.
I doubt the traffic really is SGMP (port 153)....
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-10-10 10:48 EDT
Interesting ports on h078134.s078.dons.net (Dons.Net.78.134):
(The 1649 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
153/tcp open sgmp
236/tcp open unknown
427/tcp open svrloc
445/tcp open microsoft-ds
666/tcp open doom
888/tcp open accessbuilder
1025/tcp open NFS-or-IIS
1763/tcp open landesk-rc
Nmap run completed -- 1 IP address (1 host up) scanned in 17.915 seconds
tcpdump contains:
10:31:41.784682 217.224.12.176.1694 > Dons.Net.78.134.153: S
830547571:830547571(0) win 64800 (DF)
0x0000 4500 0030 ec77 4000 7206 66e7 d9e0 0cb0 E..0.w at .r.f.....
0x0010 XXXX 4e86 069e 0099 3181 2673 0000 0000 .RN.....1.&s....
0x0020 7002 fd20 717e 0000 0204 05a0 0101 0402 p...q~..........
10:31:41.784720 62.139.185.75.2714 > Dons.Net.78.134.153: S
2232813922:2232813922(0) win 64240 (DF)
0x0000 4500 0030 8271 4000 6e06 c3a7 3e8b b94b E..0.q at .n...>..K
0x0010 XXXX 4e86 0a9a 0099 8516 0962 0000 0000 .RN........b....
0x0020 7002 faf0 27d4 0000 0204 05b4 0101 0402 p...'...........
10:31:41.785258 83.36.88.227.1157 > Dons.Net.78.134.153: S
3846402506:3846402506(0) win 16384 (DF)
0x0000 4500 0030 1bce 4000 6b06 791a 5324 58e3 E..0.. at .k.y.S$X.
0x0010 XXXX 4e86 0485 0099 e543 71ca 0000 0000 .RN......Cq.....
0x0020 7002 4000 6c1b 0000 0204 05ac 0101 0402 p. at .l...........
10:31:41.785304 80.39.163.192.1339 > Dons.Net.78.134.153: S
1685437835:1685437835(0) win 16384 (DF)
0x0000 4500 0030 04ed 4000 6b06 481b 5027 a3c0 E..0.. at .k.H.P'..
0x0010 XXXX 4e86 053b 0099 6475 bd8b 0000 0000 .RN..;..du......
0x0020 7002 4000 589a 0000 0204 05a4 0101 0402 p. at .X...........
10:31:43.851288 Dons.Net.78.134.153 > 217.224.12.176.1694: P 182:1251(1069)
ack 63 win 17218 (DF)
0x0000 4500 0455 a775 4000 7c06 9dc4 XXXX 4e86 E..U.u at .|....RN.
0x0010 d9e0 0cb0 0099 069e ca6d 1791 3181 26b2 .........m..1.&.
0x0020 5018 4342 ca67 0000 3a73 4572 5665 522e P.CB.g..:sErVeR.
0x0030 4269 5463 486e 4574 2e6f 7267 2030 3031 BiTcHnEt.org.001
0x0040 2044 4555 7c36 3337 3432 3720 3a57 656c .DEU|637427.:Wel
0x0050 636f 6d65 2074 6f20 7468 6520 4269 5463 come.to.the.BiTc
0x0060 486e 4574 2d4e 6554 774f 7258 2e6f 7267 HnEt-NeTwOrX.org
0x0070 2049 5243 204e 6574 776f 726b 2044 4555 .IRC.Network.DEU
0x0080 7c36 3337 3432 3721 7469 646d 7072 4032 |637427!tidmpr at 2
0x0090 3137 2e32 3234 2e31 322e 3137 360d 0a3a 17.224.12.176..:
0x00a0 7345 7256 6552 2e42 6954 6348 6e45 742e sErVeR.BiTcHnEt.
0x00b0 6f72 6720 3030 3220 4445 557c 3633 3734 org.002.DEU|6374
0x00c0 3237 203a 596f 7572 2068 6f73 7420 6973 27.:Your.host.is
0x00d0 2073 4572 5665 522e 4269 5463 486e 4574 .sErVeR.BiTcHnEt
0x00e0 2e6f 7267 2c20 7275 6e6e 696e 6720 7665 .org,.running.ve
0x00f0 7273 696f 6e20 556e 7265 616c 332e 320d rsion.Unreal3.2.
0x0100 0a3a 7345 7256 6552 2e42 6954 6348 6e45 .:sErVeR.BiTcHnE
0x0110 742e 6f72 6720 3030 3320 4445 557c 3633 t.org.003.DEU|63
0x0120 3734 3237 203a 5468 6973 2073 6572 7665 7427.:This.serve
0x0130 7220 7761 7320 6372 6561 7465 6420 5765 r.was.created.We
0x0140 6420 4170 7220 3238 2031 383a 3135 3a31 d.Apr.28.18:15:1
0x0150 3920 3230 3034 0d0a 3a73 4572 5665 522e 9.2004..:sErVeR.
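As an added example (not part of this thread), the Python below rebuilds the TCP payload from the tcpdump hex lines quoted above and flags the IRC server welcome numerics (001-004) when they leave a port where no IRC server is expected, reporting the server name and the "running version" string from the 002 reply. The constant names and the set of ports treated as "expected IRC" are my assumptions; the embedded dump is the packet from the post with its redacted XXXX host bytes treated as zero.

```python
import re
# Constructed from the tcpdump -x lines quoted above (first 16 of the packet's
# hex lines); the redacted XXXX host bytes become 00, which leaves the payload intact.
PACKET_DUMP = """\
0x0000 4500 0455 a775 4000 7c06 9dc4 XXXX 4e86
0x0010 d9e0 0cb0 0099 069e ca6d 1791 3181 26b2
0x0020 5018 4342 ca67 0000 3a73 4572 5665 522e
0x0030 4269 5463 486e 4574 2e6f 7267 2030 3031
0x0040 2044 4555 7c36 3337 3432 3720 3a57 656c
0x0050 636f 6d65 2074 6f20 7468 6520 4269 5463
0x0060 486e 4574 2d4e 6554 774f 7258 2e6f 7267
0x0070 2049 5243 204e 6574 776f 726b 2044 4555
0x0080 7c36 3337 3432 3721 7469 646d 7072 4032
0x0090 3137 2e32 3234 2e31 322e 3137 360d 0a3a
0x00a0 7345 7256 6552 2e42 6954 6348 6e45 742e
0x00b0 6f72 6720 3030 3220 4445 557c 3633 3734
0x00c0 3237 203a 596f 7572 2068 6f73 7420 6973
0x00d0 2073 4572 5665 522e 4269 5463 486e 4574
0x00e0 2e6f 7267 2c20 7275 6e6e 696e 6720 7665
0x00f0 7273 696f 6e20 556e 7265 616c 332e 320d
"""
HEX_LINE = re.compile(r"^0x[0-9a-f]{4}\s+((?:[0-9a-fA-FxX]{4}\s*){1,8})")
IRC_NUMERIC = re.compile(r"^:(\S+) (\d{3}) \S+ :?(.*)$")   # ":server NNN target :text"
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}  # assumed: where IRC is expected

def parse_hexdump(dump):
    """Rebuild raw packet bytes from tcpdump -x output (XXXX redaction -> 00)."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line.strip())
        if m:
            out += bytes.fromhex(m.group(1).replace("X", "0").replace(" ", ""))
    return bytes(out)

def tcp_payload(pkt):
    """Return (src_port, dst_port, payload) using the IP IHL and TCP data offset."""
    tcp = pkt[(pkt[0] & 0x0F) * 4:]
    sport, dport = int.from_bytes(tcp[:2], "big"), int.from_bytes(tcp[2:4], "big")
    return sport, dport, tcp[(tcp[12] >> 4) * 4:]

def detect_irc_server(pkt):
    """Flag IRC welcome numerics (001-004) sent from a port where IRC is not expected."""
    sport, _, payload = tcp_payload(pkt)
    msgs = [IRC_NUMERIC.match(ln) for ln in payload.decode("latin-1").splitlines()]
    welcome = [m for m in msgs if m and m.group(2) in ("001", "002", "003", "004")]
    if not welcome:
        return None
    ver = [m.group(3).split("running version ", 1)[1] for m in welcome if "running version " in m.group(3)]
    return {"server": welcome[0].group(1), "port": sport, "version": ver[0] if ver else None,
            "nonstandard_port": sport not in IRC_PORTS}

print(detect_irc_server(parse_hexdump(PACKET_DUMP)))
```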
_______________________________________________
Intrusions mailing list
Intrusions at lists.sans.org
http://www.dshield.org/mailman/listinfo/intrusions