[Intrusions] 8.1M hits in minutes w/ this traffic ...

Joel Esler esler at knology.net
Mon Oct 11 19:46:38 GMT 2004


Of course at first this appears to be a botnet. There is absolutely no 
way of knowing for sure with the information provided; however, at 
first glance from the data provided, this seems like a likely attack 
vector.

J

On Oct 10, 2004, at 3:54 PM, Don Murdoch wrote:

> Hi all.  We have had an interesting event this morning after some weekend
> work.  We found a host on our large academic network that was (is)
> pummeling the Crisco 7xxx router into unconsciousness.  The machine, w/
> some traffic identified below, is sending out MILLIONS of packets.  Our
> sr. net engineer (will call him Jim Dandy) put in an ACL to stop it, and
> the Crisco rolled over w/ something like 8M hits in a few minutes.  I am
> not sure if .. a) this is an all out assault or b) it is a misconfigured
> game server or c) a whopping new bot-net thingy (agent or controller) or
> d) windows xp service pack 3 (just kidding on that last one)...... At any
> rate, I thought at a minimum I would let you all know that there is
> something which can take down an OC3 network on the Inet within minutes,
> and this is what it looks like.  I will post more tomorrow.
>
> I doubt the traffic really is SGMP (port 153)....
>
>
>
>
>
> Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-10-10 10:48 EDT
>
> Interesting ports on h078134.s078.dons.net (Dons.Net.78.134):
> (The 1649 ports scanned but not shown below are in state: closed)
> PORT     STATE SERVICE
> 135/tcp  open  msrpc
> 139/tcp  open  netbios-ssn
> 153/tcp  open  sgmp
> 236/tcp  open  unknown
> 427/tcp  open  svrloc
> 445/tcp  open  microsoft-ds
> 666/tcp  open  doom
> 888/tcp  open  accessbuilder
> 1025/tcp open  NFS-or-IIS
> 1763/tcp open  landesk-rc
>
>
>
> Nmap run completed -- 1 IP address (1 host up) scanned in 17.915 seconds
>
>
>
> tcpdump contains:
> 10:31:41.784682 217.224.12.176.1694 > Dons.Net.78.134.153: S 830547571:830547571(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
> 0x0000   4500 0030 ec77 4000 7206 66e7 d9e0 0cb0        E..0.w@.r.f.....
> 0x0010   XXXX 4e86 069e 0099 3181 2673 0000 0000        .RN.....1.&s....
> 0x0020   7002 fd20 717e 0000 0204 05a0 0101 0402        p...q~..........
> 10:31:41.784720 62.139.185.75.2714 > Dons.Net.78.134.153: S 2232813922:2232813922(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
> 0x0000   4500 0030 8271 4000 6e06 c3a7 3e8b b94b        E..0.q@.n...>..K
> 0x0010   XXXX 4e86 0a9a 0099 8516 0962 0000 0000        .RN........b....
> 0x0020   7002 faf0 27d4 0000 0204 05b4 0101 0402        p...'...........
> 10:31:41.785258 83.36.88.227.1157 > Dons.Net.78.134.153: S 3846402506:3846402506(0) win 16384 <mss 1452,nop,nop,sackOK> (DF)
> 0x0000   4500 0030 1bce 4000 6b06 791a 5324 58e3        E..0..@.k.y.S$X.
> 0x0010   XXXX 4e86 0485 0099 e543 71ca 0000 0000        .RN......Cq.....
> 0x0020   7002 4000 6c1b 0000 0204 05ac 0101 0402        p.@.l...........
> 10:31:41.785304 80.39.163.192.1339 > Dons.Net.78.134.153: S 1685437835:1685437835(0) win 16384 <mss 1444,nop,nop,sackOK> (DF)
> 0x0000   4500 0030 04ed 4000 6b06 481b 5027 a3c0        E..0..@.k.H.P'..
> 0x0010   XXXX 4e86 053b 0099 6475 bd8b 0000 0000        .RN..;..du......
> 0x0020   7002 4000 589a 0000 0204 05a4 0101 0402        p.@.X...........
>
> 10:31:43.851288 Dons.Net.78.134.153 > 217.224.12.176.1694: P 182:1251(1069) ack 63 win 17218 (DF)
> 0x0000   4500 0455 a775 4000 7c06 9dc4 XXXX 4e86        E..U.u@.|....RN.
> 0x0010   d9e0 0cb0 0099 069e ca6d 1791 3181 26b2        .........m..1.&.
> 0x0020   5018 4342 ca67 0000 3a73 4572 5665 522e        P.CB.g..:sErVeR.
> 0x0030   4269 5463 486e 4574 2e6f 7267 2030 3031        BiTcHnEt.org.001
> 0x0040   2044 4555 7c36 3337 3432 3720 3a57 656c        .DEU|637427.:Wel
> 0x0050   636f 6d65 2074 6f20 7468 6520 4269 5463        come.to.the.BiTc
> 0x0060   486e 4574 2d4e 6554 774f 7258 2e6f 7267        HnEt-NeTwOrX.org
> 0x0070   2049 5243 204e 6574 776f 726b 2044 4555        .IRC.Network.DEU
> 0x0080   7c36 3337 3432 3721 7469 646d 7072 4032        |637427!tidmpr@2
> 0x0090   3137 2e32 3234 2e31 322e 3137 360d 0a3a        17.224.12.176..:
> 0x00a0   7345 7256 6552 2e42 6954 6348 6e45 742e        sErVeR.BiTcHnEt.
> 0x00b0   6f72 6720 3030 3220 4445 557c 3633 3734        org.002.DEU|6374
> 0x00c0   3237 203a 596f 7572 2068 6f73 7420 6973        27.:Your.host.is
> 0x00d0   2073 4572 5665 522e 4269 5463 486e 4574        .sErVeR.BiTcHnEt
> 0x00e0   2e6f 7267 2c20 7275 6e6e 696e 6720 7665        .org,.running.ve
> 0x00f0   7273 696f 6e20 556e 7265 616c 332e 320d        rsion.Unreal3.2.
> 0x0100   0a3a 7345 7256 6552 2e42 6954 6348 6e45        .:sErVeR.BiTcHnE
> 0x0110   742e 6f72 6720 3030 3320 4445 557c 3633        t.org.003.DEU|63
> 0x0120   3734 3237 203a 5468 6973 2073 6572 7665        7427.:This.serve
> 0x0130   7220 7761 7320 6372 6561 7465 6420 5765        r.was.created.We
> 0x0140   6420 4170 7220 3238 2031 383a 3135 3a31        d.Apr.28.18:15:1
> 0x0150   3920 3230 3034 0d0a 3a73 4572 5665 522e        9.2004..:sErVeR.
>
> _______________________________________________
> Intrusions mailing list
> Intrusions at lists.sans.org
> http://www.dshield.org/mailman/listinfo/intrusions
>

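The quoted server reply is what settles the question the thread is asking: the payload on TCP 153 is not SGMP at all but an IRC server greeting (numerics 001/002/003, "running version Unreal3.2"), which is the signature of an IRC-controlled bot talking to its controller on a port chosen to dodge port-based filtering. The following is an added example, written for this editorial pass and not code from either poster: it rebuilds the packet from the tcpdump -X style hex dump, strips the IPv4/TCP headers, parses the IRC numerics out of the payload and flags an IRC greeting on a port IRC does not normally use. The dump embedded below is the first 0x110 bytes of the 10:31:43 packet above; the poster's masked server address (XXXX 4e86) is replaced with a made-up 0a00 4e86 (10.0.78.134), and the list of "normal" IRC ports is this example's assumption, not anything the post states.

```python
import re
import struct

# Added example, not code from the post. Decodes a tcpdump -X style hex dump,
# strips the IPv4/TCP headers and checks whether the payload is an IRC server
# greeting, flagging it when it arrives on a port IRC does not normally use.

# The dump below is the first 0x110 bytes of the 10:31:43 reply packet quoted
# in the post. The poster masked the server's address (XXXX 4e86); it is
# replaced here with a made-up 0a00 4e86 (10.0.78.134), which is why the ASCII
# column of the first line differs from the post. Everything else is verbatim.
SAMPLE_DUMP = """\
0x0000   4500 0455 a775 4000 7c06 9dc4 0a00 4e86        E..U.u@.|.....N.
0x0010   d9e0 0cb0 0099 069e ca6d 1791 3181 26b2        .........m..1.&.
0x0020   5018 4342 ca67 0000 3a73 4572 5665 522e        P.CB.g..:sErVeR.
0x0030   4269 5463 486e 4574 2e6f 7267 2030 3031        BiTcHnEt.org.001
0x0040   2044 4555 7c36 3337 3432 3720 3a57 656c        .DEU|637427.:Wel
0x0050   636f 6d65 2074 6f20 7468 6520 4269 5463        come.to.the.BiTc
0x0060   486e 4574 2d4e 6554 774f 7258 2e6f 7267        HnEt-NeTwOrX.org
0x0070   2049 5243 204e 6574 776f 726b 2044 4555        .IRC.Network.DEU
0x0080   7c36 3337 3432 3721 7469 646d 7072 4032        |637427!tidmpr@2
0x0090   3137 2e32 3234 2e31 322e 3137 360d 0a3a        17.224.12.176..:
0x00a0   7345 7256 6552 2e42 6954 6348 6e45 742e        sErVeR.BiTcHnEt.
0x00b0   6f72 6720 3030 3220 4445 557c 3633 3734        org.002.DEU|6374
0x00c0   3237 203a 596f 7572 2068 6f73 7420 6973        27.:Your.host.is
0x00d0   2073 4572 5665 522e 4269 5463 486e 4574        .sErVeR.BiTcHnEt
0x00e0   2e6f 7267 2c20 7275 6e6e 696e 6720 7665        .org,.running.ve
0x00f0   7273 696f 6e20 556e 7265 616c 332e 320d        rsion.Unreal3.2.
0x0100   0a3a 7345 7256 6552 2e42 6954 6348 6e45        .:sErVeR.BiTcHnE
"""

# Ports an IRC server is normally reachable on (this example's assumption).
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}

# ":server 001 nick :text" numeric reply, the shape RFC 2812 gives for server replies.
IRC_NUMERIC = re.compile(rb"^:(?P<server>\S+) (?P<code>\d{3}) (?P<target>\S+) :?(?P<text>.*)$")


def parse_hexdump(text: str) -> bytes:
    """Rebuild packet bytes from tcpdump -X lines: offset, hex words, optional ASCII column."""
    buf = bytearray()
    for line in text.splitlines():
        if not line.strip().startswith("0x"):
            continue
        fields = re.split(r"\s{2,}", line.strip())  # hex words are single-spaced, columns are not
        offset = int(fields[0], 16)
        if offset != len(buf):
            raise ValueError(f"dump not contiguous at offset {offset:#x}")
        buf += bytes.fromhex(fields[1])  # fromhex skips the spaces between words
    return bytes(buf)


def tcp_payload(pkt: bytes):
    """Return (src_port, dst_port, payload) from an IPv4/TCP packet, tolerating snaplen truncation."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", pkt, 2)[0]
    if pkt[9] != 6:
        raise ValueError("not TCP")
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    doff = (pkt[ihl + 12] >> 4) * 4
    return sport, dport, pkt[ihl + doff:total_len]  # a short capture just yields less payload


def irc_greeting(payload: bytes):
    """Pull server name, client hostmask and ircd version out of the 001/002 numerics, or return None."""
    info, codes = {}, []
    for raw in payload.split(b"\r\n"):
        m = IRC_NUMERIC.match(raw)
        if not m:
            continue
        codes.append(m.group("code").decode())
        info.setdefault("server", m.group("server").decode())
        if codes[-1] == "001":  # welcome line ends with the client's nick!user@host
            hm = re.search(rb"(\S+!\S+@\S+)\s*$", m.group("text"))
            if hm:
                info["client"] = hm.group(1).decode()
        elif codes[-1] == "002":  # "Your host is X, running version Y"
            vm = re.search(rb"running version (\S+)", m.group("text"))
            if vm:
                info["version"] = vm.group(1).decode()
    return dict(info, codes=codes) if "001" in codes else None


def assess(dump_text: str) -> dict:
    """Classify one captured server-to-client packet by content, not by port."""
    sport, dport, payload = tcp_payload(parse_hexdump(dump_text))
    info = irc_greeting(payload)
    if info is None:
        verdict = "no IRC greeting seen"
    elif sport in IRC_PORTS:
        verdict = f"IRC server on standard port {sport}"
    else:
        verdict = f"IRC server on non-standard port {sport}"
    return {"sport": sport, "dport": dport, "payload_bytes": len(payload), "verdict": verdict, **(info or {})}


if __name__ == "__main__":
    for k, v in assess(SAMPLE_DUMP).items():
        print(f"{k:>13}: {v}")
```

Run stand-alone, it reports source port 153, the server name sErVeR.BiTcHnEt.org, the ircd version Unreal3.2 and the connecting client's hostmask DEU|637427!tidmpr@217.224.12.176, which is exactly the evidence that turns "something on port 153" into "an IRC controller". The point of doing it this way rather than trusting the nmap service column is that the decision rests on the payload; the same function would flag the greeting just as readily on 80 or 443, where an ACL on a known IRC port would never catch it.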