[Dshield] port 1026-1031 update

Rodrigues, Philip phil.rodrigues at uconn.edu
Tue Dec 2 20:04:52 GMT 2003


On Tue, 2003-12-02 at 06:13, Chris Brenton wrote:
> Translation: "ye ha, you may have had multiple hosts that have been
> compromised" ;-p

Yeah, that's never happened before... :-)

We had four hosts scan for this by the end of last night - all starting
after 1600 EST.  The incoming scans I previously described ramped up
until midnight local, when they peaked then backed off.  Our hosts all
stopped scanning at midnight local.  My guess is that the external hosts
also stopped at midnight local to them, which would appear as a gradual
back-off of incoming scans to us.

Looking over the audit logs today I noticed three of the four hosts
visited the exact same two websites right before they started scanning. 
These sites were:

66.225.219.162 unknown.servercentral.net
824 byte http, then about 1.3 MB http

216.58.174.211 nt11.nshosts.com
746 byte http milliseconds after the first page

One minute after they hit the second page the outbound connections to
1026/1030 start.  All with "normal" source ports (increasing from where
the last source port left off), and all with "00 00" in the payload.  A
few packets from one host are attached.

When a number of compromised hosts all connect to the same (non-AOL,
etc) website before they start behaving oddly, my guess of late is they
were exploited through an unpatched IE vulnerability.  We have put our
hands on one host briefly and confirmed it was well out of date on a
number of patches.  We may even find the app that kicked this off.

Here are the IPAudit logs from one host.  The columns are local IP,
remote IP, protocol, local port, remote port, in bytes, out bytes, time
started:

137.099.137.214 066.225.219.162 6 1485 80 88472 4249 17:27:21.5791
137.099.137.214 066.225.219.162 6 1486 80 15401 1203 17:27:27.9025
137.099.137.214 066.225.219.162 6 1489 80 4802 1159 17:28:16.9154
137.099.137.214 066.225.219.162 6 1490 80 1331056 25025 17:28:41.2205 
137.099.137.214 066.225.219.162 6 1491 80 824 408 17:29:20.3522
137.099.137.214 216.058.174.211 6 1492 80 746 410 17:29:20.4347
(snip one min)
137.099.137.214 081.182.176.079 17 1528 1026 0 44 17:30:20.0967
137.099.137.214 081.182.176.079 17 1529 1030 0 44 17:30:20.0979 
137.099.137.214 193.150.160.222 17 1528 1026 0 44 17:30:20.1787 
137.099.137.214 193.150.160.222 17 1529 1030 0 44 17:30:20.1790 
(these scans continue until midnight local)

I would agree that this was Windows Messenger spam, but they do not
appear to contain any ability to send a message.  They just tickle the
port and don't appear to connect.

The external scans seem to have dropped off to lower but steady level,
about 600 unique external IPs per hour for most of today.

Phil
-- 

=======================================
Philip A. Rodrigues
Network Analyst, UITS
University of Connecticut

email: phil.rodrigues at uconn.edu
phone: 860.486.3743
fax: 860.486.6580
web: http://www.security.uconn.edu
=======================================
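The pattern Phil describes (a couple of HTTP fetches, then a minute later outbound UDP probes to 1026/1030 with no reply bytes) is easy to check for mechanically across many hosts' IPAudit output. The following is an added example, not part of the original post or of IPAudit itself: it parses lines in the column layout the post describes, and flags any local host whose Messenger-port probing starts within a short window after an HTTP connection. The 120-second window, the two-target threshold and the sample lines (taken from the excerpt above plus one constructed non-matching host) are assumptions of this example.

```python
"""Flag local hosts that start probing UDP 1026/1030 shortly after an HTTP fetch.

Added example, not from the original mailing-list post. Input is IPAudit
text in the column order the post gives: local IP, remote IP, protocol,
local port, remote port, in bytes, out bytes, time started. The detection
window, port set and scan threshold are assumptions chosen here.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Sample lines: the first seven are copied from the post's excerpt, the last
# one is constructed (a single probe with no preceding HTTP, should not flag).
SAMPLE_LOG = """\
137.099.137.214 066.225.219.162 6 1485 80 88472 4249 17:27:21.5791
137.099.137.214 066.225.219.162 6 1491 80 824 408 17:29:20.3522
137.099.137.214 216.058.174.211 6 1492 80 746 410 17:29:20.4347
137.099.137.214 081.182.176.079 17 1528 1026 0 44 17:30:20.0967
137.099.137.214 081.182.176.079 17 1529 1030 0 44 17:30:20.0979
137.099.137.214 193.150.160.222 17 1528 1026 0 44 17:30:20.1787
137.099.137.214 193.150.160.222 17 1529 1030 0 44 17:30:20.1790
137.099.137.215 010.000.000.005 17 1600 1026 0 44 17:45:00.0000
"""

MESSENGER_PORTS = {1026, 1030}    # UDP ports probed in the post
WINDOW = timedelta(seconds=120)   # assumed: HTTP fetch must fall this close before the scan
MIN_TARGETS = 2                   # assumed: distinct remote hosts needed to call it a scan


def normalize_ip(ip):
    """Drop IPAudit's zero-padded octets: 066.225.219.162 -> 66.225.219.162."""
    return ".".join(str(int(octet)) for octet in ip.split("."))


def parse_ipaudit(text):
    """Parse IPAudit lines into dicts; lines without exactly 8 fields are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8:
            continue  # '(snip one min)' style commentary or truncated lines
        local, remote, proto, lport, rport, inb, outb, ts = fields
        records.append({
            "local": normalize_ip(local),
            "remote": normalize_ip(remote),
            "proto": int(proto),          # 6 = TCP, 17 = UDP
            "lport": int(lport),
            "rport": int(rport),
            "in_bytes": int(inb),
            "out_bytes": int(outb),
            "time": datetime.strptime(ts, "%H:%M:%S.%f"),
        })
    return records


def find_scanners(records, window=WINDOW, min_targets=MIN_TARGETS):
    """Return {local_ip: details} for hosts whose 1026/1030 probing follows HTTP.

    A probe is an outbound UDP flow to a Messenger port that received nothing
    back (in bytes == 0), matching the 'tickle the port' behaviour described.
    """
    by_host = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["time"]):
        by_host[rec["local"]].append(rec)

    flagged = {}
    for host, recs in by_host.items():
        probes = [r for r in recs
                  if r["proto"] == 17 and r["rport"] in MESSENGER_PORTS
                  and r["in_bytes"] == 0]
        targets = {r["remote"] for r in probes}
        if len(targets) < min_targets:
            continue  # one-off packets are not a scan
        first_probe = probes[0]["time"]
        # HTTP connections that started inside the window before the first probe
        http_before = sorted({r["remote"] for r in recs
                              if r["proto"] == 6 and r["rport"] == 80
                              and first_probe - window <= r["time"] < first_probe})
        if not http_before:
            continue
        flagged[host] = {
            "first_probe": first_probe.strftime("%H:%M:%S.%f")[:-2],
            "targets": len(targets),
            "http_before": http_before,
        }
    return flagged


if __name__ == "__main__":
    for host, info in find_scanners(parse_ipaudit(SAMPLE_LOG)).items():
        print(host, "scan began", info["first_probe"],
              "after HTTP to", ", ".join(info["http_before"]))
```

Running it on the sample flags 137.99.137.214 (two HTTP sites a minute before the probes, two distinct probe targets) and ignores the constructed host with a single probe and no preceding HTTP. The `http_before` list is what an analyst would pivot on next: if several flagged hosts share the same entries, that is the common-website signal Phil noticed by hand in the audit logs.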
