[Dshield] Re: Dshield digest, Vol 1 #331 - 2 msgs

T C Lipe lipet at basf-corp.com
Mon Nov 12 18:00:21 GMT 2001


Sorry to change the subject.
I have a situation.  I have been successfully attacked internally.
We have discovered the use of a device known as "KEYKatcher"
the device was used to steal proprietary and confidential information.
Does anyone have information on how to detect this device on a Netware
network?

TC

dshield-request at dshield.org on 11/12/2001 11:01:51 AM

Please respond to dshield at dshield.org
To:   dshield
cc:
Subject:  Dshield digest, Vol 1 #331 - 2 msgs



Send Dshield mailing list submissions to
     dshield at dshield.org

To subscribe or unsubscribe via the World Wide Web, visit
     http://www1.dshield.org/mailman/listinfo/dshield
or, via email, send a message with subject or body 'help' to
     dshield-request at dshield.org

You can reach the person managing the list at
     dshield-admin at dshield.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Dshield digest..."


Today's Topics:

   1. RE: Unusual snort traffic (Chan, Stephen (TIS, Singapore))
   2. Re: Unusual snort traffic (John Sage)

--__--__--

Message: 1
From: "Chan, Stephen (TIS, Singapore)" <stephen_chan at sg.ml.com>
To: "'dshield at dshield.org'" <dshield at dshield.org>
Cc: "'John Sage'" <jsage at finchhaven.com>
Subject: RE: [Dshield] Unusual snort traffic
Date: Mon, 12 Nov 2001 09:42:41 +0800
Reply-To: dshield at dshield.org

Holy Netscans Batman! That is a mighty fine piece of investigative legwork.
*Hats off*
Thanks for the detailed followup John :-) I did conduct my own digging
around, but got nowhere as detailed as you got.

I doubt if my network is a 'smurf amplifier' but might be a good idea to run
the netscan on myself...


Thanks again


-----Original Message-----
From: John Sage [mailto:jsage at finchhaven.com]
Sent: Sunday, November 11, 2001 12:28 PM
To: dshield at dshield.org
Cc: stephen_chan at sg.ml.com
Subject: Re: [Dshield] Unusual snort traffic


Stephen:

<long, but maybe worth it...>

At the risk of stating the obvious, the traffic itself is pings.

Let's order the last entries by time, and then look around:


timestamp,            proto,       msg,
src,dst,srcport,dstport,icmptype,icmpcode,icmpid,icmpseq,ttl,tos,id,iplen,dgmlen

11/08-18:03:24.963067 ,ICMP,ICMP Unknown Type,
209.221.176.6,255.255.255.255,,,8,0,19458,39430,52,0,0,20,40

11/08-18:03:24.980872 ,ICMP,ICMP Unknown Type,
209.221.176.6,    xx.yy.zz.64,,,8,0,19458,39174,52,0,0,20,40


11/08-18:04:18.167514 ,ICMP,ICMP Unknown Type,
209.221.176.6,    xx.yy.zz.64,,,8,0,19458,39174,52,0,0,20,40

11/08-18:04:18.168180 ,ICMP,ICMP Unknown Type,
209.221.176.6,255.255.255.255,,,8,0,19458,39430,52,0,0,20,40


11/08-18:05:10.388127 ,ICMP,ICMP Unknown Type,
209.221.176.6,    xx.yy.zz.64,,,8,0,19458,39174,52,0,0,20,40

11/08-18:05:10.388909 ,ICMP,ICMP Unknown Type,
209.221.176.6,255.255.255.255,,,8,0,19458,39430,52,0,0,20,40


From "TCP/IP Illustrated", vol.1, WR Stevens, p. 86:

"..Unix implementations of ping set the identifier field in the icmp
message to the process ID of the sending process.."

So these packets were all sent by PID 19458, assuming it's *nix, but I'd
bet not, because nmap says:

> 137/tcp    filtered    netbios-ns
> 138/tcp    filtered    netbios-dgm
> 139/tcp    filtered    netbios-ssn
> 445/tcp    filtered    microsoft-ds


although nmap itself can't ID the OS behind 209.221.176.6... hmm..

"..The sequence number starts at 0 and is incremented every time a new
echo request is sent.."

hmm.. We've got two seq's: 39174 and 39430; and the seq's are unchanged
over three pings across the *.255 host, and three across the *.64 host
within the probes on any one day/time. So it's as if - what? - it's as
though each ping is sent out without incrementing the seq... weird..


Can you say "custom implementation?" Read on...


OK: anyway, who is this guy?

Request: 209.221.176.6
connecting to whois.arin.net [192.149.252.22:43] ...

Semaphore Corporation (NETBLK-SEMA-CIDR-1) SEMA-CIDR-1
      209.221.128.0 - 209.221.191.255
5stops (NETBLK-5STOPS-SBLK1) 5STOPS-SBLK1
      209.221.176.0 - 209.221.176.15

Request: NETBLK-5STOPS-SBLK1 at whois.arin.net
connecting to whois.arin.net [192.149.252.22:43] ...
5stops (NETBLK-5STOPS-SBLK1)
    PO Box 77525
    Seattle, WA 98177
    US

    Netname: 5STOPS-SBLK1
    Netblock: 209.221.176.0 - 209.221.176.15

Coordinator:
       Lindvall, Eric  (EL295-ARIN)  eric at 5stops.com
206.579.7668


An http to 209.221.176.6 results in a "connection refused"

hmm..

http to 5stops.com results in:

<html>
<head>
<link REL="SHORTCUT ICON" HREF="/favicon.ico">
<title>
5 s t o p s
</title>
:
<snip>

hmm.. ("favicon.ico" -- smacks of Window$..) and it's Eric Lindvall's
website..


So, wondering what this guy is doing with the rest of his useable IP's,
I start to send http requests to other IP's in his netblock, starting
downward, and lo:

Bingo!


http to 209.22.176.5 results in:

"Current count: 44,998 broken networks.
Average amplification: 4x

Welcome to netscan.org. This site contains a searchable and browsable
list of broadcast ICMP ("smurf") amplifiers."

"Put this database to good use by checking the networks that you use or
administer. In the box below, enter an IP address (e.g., 192.168.4.0) or
ASN (e.g., 1), then press "Check." Queries for ASNs may take up to one
minute to finish.

The script checks the number of times that network broadcast and subnet
addresses (for example, x.y.z.0 and x.y.z.255) reply to a single ICMP
ping. If either number is greater than 1, the network is misconfigured
and its router needs a configuration change.

Note that this data comes from a static database; it is not real-time.
Current amplifiers are rechecked nightly, previous amplifiers are
rechecked monthly, and all routed networks are checked once in a while.
Entries are to /27 boundaries."

* Why & when did you ping all these IPs?

We're a small group of concerned network administrators who got fed up
with being smurfed day after day simply because a few admins aren't
doing their jobs. This site serves to inform and educate "the rest" in
hopes of eliminating this problem in the next few months.

The rescanning is on a rolling schedule so that under most
circumstances, no network goes more than 2 weeks without being
rescanned. The front page is typically updated with the last scan date."



So somebody is pinging you because -- why? -- you're a smurf amplifier
suspect?

Or just because they're on a mission?


Who's *this* guy?

Registrant:
no ip directed-broadcast (NETSCAN3-DOM)
    PO Box 77525
    Seattle, WA 98177-0525
    US

    Domain Name: NETSCAN.ORG

Administrative Contact:
       Davis, Troy  (TD1221)  troy at NACK.NET
       Nack.Net, Inc.
       PO Box 77525
       Seattle, WA 98177-0525
       (206) 683-8769
    Technical Contact:
       Administrator, Nack.Net (AN521-ORG)  hostmaster at NACK.NET
       Nack.Net, Inc.
       PO Box 77525
       Seattle, WA 98177
       US
       (206) 546-5277
    Billing Contact:
       lindvall, eric  (EL2687)  eric at 5STOPS.COM
       tekniq security group
       400 wall street suite 311
       seattle, WA  98121
       US
       206/579.7668 -


And finally:

Registrant:
NACK (NACK5-DOM)
    PO Box 77525
    Seattle, WA 98177-0525
    US

    Domain Name: NACK.NET

Administrative Contact, Billing Contact:
       Davis, Troy  (TD1221)  troy at NACK.NET
       Nack.Net, Inc.
       PO Box 77525
       Seattle, WA 98177-0525
       (206) 683-8769
    Technical Contact:
       lindvall, eric  (EL2687)  eric at 5STOPS.COM
       tekniq security group
       400 wall street suite 311
       seattle, WA  98121
       US
       206/579.7668 -


So anyway, I'd try emailing sysop at netscan.org and ask them WTF...

HTH..

- John



Chan, Stephen (TIS, Singapore) wrote:

> Hi, this traffic pattern has me stumped. The attached file is a snort log
> collected over a couple of weeks. It's in CSV format so you can import into
> Excel with no problems.
>
> xx.yy.zz.64 is my host
> 209.221.176.6 is the strange box
>
> two things confound me: the broadcast 255.255.255.255 destination address
> and the repeating sequence numbers.
>
> Would appreciate any sort of insight into this.
>
> Thanks
>
> Stephen Chan
>
>
>  <<traffic.csv>>
>
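Added example (not code from the thread or from any of its posters): a small Python script that parses snort CSV lines like the ones John quotes and flags the two oddities he walks through, echo requests aimed at broadcast addresses and a per-destination sequence number that never advances. It assumes the field order of the quoted header; the 10.0.0.9 control host and its two pings are made up.

```python
import csv
from collections import defaultdict

# Field names as quoted in the thread (snort's CSV header, with "dgmlen" rejoined).
FIELDS = ("timestamp,proto,msg,src,dst,srcport,dstport,icmptype,icmpcode,"
          "icmpid,icmpseq,ttl,tos,id,iplen,dgmlen").split(",")

# Constructed sample: four of the quoted entries, plus two stock pings from a made-up
# host 10.0.0.9 (one id, seq 0 then 1) as a control that must not be flagged.
SAMPLE_LOG = """\
11/08-18:03:24.963067 ,ICMP,ICMP Unknown Type,209.221.176.6,255.255.255.255,,,8,0,19458,39430,52,0,0,20,40
11/08-18:03:24.980872 ,ICMP,ICMP Unknown Type,209.221.176.6,xx.yy.zz.64,,,8,0,19458,39174,52,0,0,20,40
11/08-18:05:10.388127 ,ICMP,ICMP Unknown Type,209.221.176.6,xx.yy.zz.64,,,8,0,19458,39174,52,0,0,20,40
11/08-18:05:10.388909 ,ICMP,ICMP Unknown Type,209.221.176.6,255.255.255.255,,,8,0,19458,39430,52,0,0,20,40
11/08-18:06:00.000000 ,ICMP,ICMP Unknown Type,10.0.0.9,xx.yy.zz.64,,,8,0,4242,0,64,0,0,20,40
11/08-18:06:01.000000 ,ICMP,ICMP Unknown Type,10.0.0.9,xx.yy.zz.64,,,8,0,4242,1,64,0,0,20,40
"""

def parse_snort_csv(text):
    # Rows as dicts keyed by FIELDS; rows with the wrong field count are skipped.
    return [dict(zip(FIELDS, (f.strip() for f in rec)))
            for rec in csv.reader(text.splitlines()) if len(rec) == len(FIELDS)]

def is_broadcast_like(dst):
    # Limited broadcast, or the x.y.z.0 / x.y.z.255 addresses netscan.org says it probes.
    return dst == "255.255.255.255" or dst.rsplit(".", 1)[-1] in ("0", "255")

def analyse_echo_requests(rows):
    """Per source: echo requests to broadcast-like addresses, and destinations whose icmpseq
    never advances (stock ping increments it each request). icmpid is context only."""
    by_src = defaultdict(list)
    for r in rows:
        if r["proto"] == "ICMP" and r["icmptype"] == "8":   # type 8 = echo request
            by_src[r["src"]].append(r)
    findings = {}
    for src, pkts in by_src.items():
        seqs = defaultdict(list)
        for p in pkts:
            seqs[p["dst"]].append(int(p["icmpseq"]))
        f = {}
        bcast = sorted({p["dst"] for p in pkts if is_broadcast_like(p["dst"])})
        if bcast:
            f["broadcast_targets"] = bcast
        stuck = {d: s[0] for d, s in seqs.items() if len(s) > 1 and len(set(s)) == 1}
        if stuck:
            f["repeated_seq"] = stuck
        if f:   # one process keeps one id (Stevens), so a fixed id alone is not a finding
            f["icmp_ids"] = sorted({p["icmpid"] for p in pkts})
            findings[src] = f
    return findings
```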



--__--__--

Message: 2
Date: Sun, 11 Nov 2001 18:32:56 -0800
From: John Sage <jsage at finchhaven.com>
Organization: FinchHaven
To: "Chan, Stephen (TIS, Singapore)" <stephen_chan at sg.ml.com>
CC: "'dshield at dshield.org'" <dshield at dshield.org>
Subject: Re: [Dshield] Unusual snort traffic
Reply-To: dshield at dshield.org

Stephen:

<blush>
It was total luck...
</blush>

Actually there have been a few times when I've tried IP addresses
adjacent to a suspect IP that, as in this case, responds with a
"connection refused".

In this case I was intrigued by the fact that he (Eric Lindvall) had
only 209.221.176.0 - 209.221.176.15 assigned to him, so when you take out
the network and broadcast IP's he's got - what? - 14 to work with?

It wouldn't have taken long to plug each of 'em into a web browser
one-by-one and see what popped up; I went downward first and *bingo*

If you contact netscan.org it'd be interesting to hear what they have to
say...

- John



Chan, Stephen (TIS, Singapore) wrote:

> Holy Netscans Batman! That is a mighty fine piece of investigative legwork.
> *Hats off*
> Thanks for the detailed followup John :-) I did conduct my own digging
> around, but got nowhere as detailed as you got.
>
> I doubt if my network is a 'smurf amplifier' but might be a good idea to run
> the netscan on myself...
>
>
> Thanks again
>
>
> -----Original Message-----
> From: John Sage [mailto:jsage at finchhaven.com]
> Sent: Sunday, November 11, 2001 12:28 PM
> To: dshield at dshield.org
> Cc: stephen_chan at sg.ml.com
> Subject: Re: [Dshield] Unusual snort traffic
>
>
> Stephen:
>
> <long, but maybe worth it...>


<snip>



--__--__--

_______________________________________________
Dshield mailing list
Dshield at dshield.org
http://www1.dshield.org/mailman/listinfo/dshield


End of Dshield Digest