[Dshield] port 1026-1031 update

John Sage jsage at finchhaven.com
Tue Dec 2 23:27:52 GMT 2003


Philip:

Currently the two IP addresses you've posted seem to not be running
fully-developed web sites; see below.

On Tue, Dec 02, 2003 at 03:04:52PM -0500, Rodrigues, Philip wrote:
> Subject: RE: [Dshield] port 1026-1031 update
> From: "Rodrigues, Philip" <phil.rodrigues at uconn.edu>
> To: General DShield Discussion List <list at dshield.org>
> Date: Tue, 02 Dec 2003 15:04:52 -0500
> Old-X-Envelope-To: list at dshield.org
> Cc: security at uconn.edu, noxsec-l at lists.umass.edu
> 
> On Tue, 2003-12-02 at 06:13, Chris Brenton wrote:
> > Translation: "ye ha, you may have had multiple hosts that have been
> > compromised" ;-p
> 
> Yeah, that's never happened before... :-)
> 
> We had four hosts scan for this by the end of last night - all starting
> after 1600 EST.  The incoming scans I previously described ramped up
> until midnight local, when they peaked then backed off.  Our hosts all
> stopped scanning at midnight local.  My guess is that the external hosts
> also stopped at midnight local to them, which would appear as a gradual
> back-off of incoming scans to us.
> 
> Looking over the audit logs today I noticed three of the four hosts
> visited the exact same two websites right before they started scanning. 
> These sites were:
> 
> 66.225.219.162 unknown.servercentral.net
> 824 byte http, then about 1.3 MB http
> 
> 216.58.174.211 nt11.nshosts.com
> 746 byte http milliseconds after the first page

At least right now, lynx http://66.225.219.162/ returns, through snort:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/02-14:20:10.980098 192.168.1.6:47280 -> 66.225.219.162:80
TCP TTL:64 TOS:0x0 ID:57836 IpLen:20 DgmLen:60 DF
******S* Seq: 0x71C5E1F1  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 112590877 0 NOP WS: 0 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/02-14:20:11.848959 66.225.219.162:80 -> 192.168.1.6:47280
TCP TTL:51 TOS:0x0 ID:0 IpLen:20 DgmLen:44 DF
***A**S* Seq: 0x7A81701A  Ack: 0x71C5E1F2  Win: 0x16D0  TcpLen: 24
TCP Options (1) => MSS: 1460 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/02-14:20:11.849038 192.168.1.6:47280 -> 66.225.219.162:80
TCP TTL:64 TOS:0x0 ID:57837 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x71C5E1F2  Ack: 0x7A81701B  Win: 0x16D0  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/02-14:20:12.547592 192.168.1.6:47280 -> 66.225.219.162:80
TCP TTL:64 TOS:0x0 ID:57838 IpLen:20 DgmLen:357 DF
***AP*** Seq: 0x71C5E1F2  Ack: 0x7A81701B  Win: 0x16D0  TcpLen: 20
47 45 54 20 2F 20 48 54 54 50 2F 31 2E 30 0D 0A  GET / HTTP/1.0..
48 6F 73 74 3A 20 36 36 2E 32 32 35 2E 32 31 39  Host: 66.225.219
2E 31 36 32 0D 0A 41 63 63 65 70 74 3A 20 74 65  .162..Accept: te
78 74 2F 68 74 6D 6C 2C 20 74 65 78 74 2F 70 6C  xt/html, text/pl
61 69 6E 2C 20 74 65 78 74 2F 73 67 6D 6C 2C 20  ain, text/sgml, 
76 69 64 65 6F 2F 6D 70 65 67 2C 20 69 6D 61 67  video/mpeg, imag
65 2F 6A 70 65 67 2C 20 69 6D 61 67 65 2F 74 69  e/jpeg, image/ti
66 66 2C 20 69 6D 61 67 65 2F 78 2D 72 67 62 2C  ff, image/x-rgb,
20 69 6D 61 67 65 2F 70 6E 67 2C 20 69 6D 61 67   image/png, imag
65 2F 78 2D 78 62 69 74 6D 61 70 2C 20 69 6D 61  e/x-xbitmap, ima
67 65 2F 78 2D 78 62 6D 2C 20 69 6D 61 67 65 2F  ge/x-xbm, image/
67 69 66 2C 20 61 70 70 6C 69 63 61 74 69 6F 6E  gif, application
2F 70 6F 73 74 73 63 72 69 70 74 2C 20 2A 2F 2A  /postscript, */*
3B 71 3D 30 2E 30 31 0D 0A 41 63 63 65 70 74 2D  ;q=0.01..Accept-
45 6E 63 6F 64 69 6E 67 3A 20 67 7A 69 70 2C 20  Encoding: gzip, 
63 6F 6D 70 72 65 73 73 0D 0A 41 63 63 65 70 74  compress..Accept
2D 4C 61 6E 67 75 61 67 65 3A 20 65 6E 0D 0A 55  -Language: en..U
73 65 72 2D 41 67 65 6E 74 3A 20 4C 79 6E 78 2F  ser-Agent: Lynx/
32 2E 38 2E 34 72 65 6C 2E 31 20 6C 69 62 77 77  2.8.4rel.1 libww
77 2D 46 4D 2F 32 2E 31 34 0D 0A 0D 0A           w-FM/2.14....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/02-14:20:12.808850 66.225.219.162:80 -> 192.168.1.6:47280
TCP TTL:51 TOS:0x0 ID:41763 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x7A81701B  Ack: 0x71C5E32F  Win: 0x1920  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/02-14:20:13.250092 66.225.219.162:80 -> 192.168.1.6:47280
TCP TTL:51 TOS:0x0 ID:41764 IpLen:20 DgmLen:1319 DF
***AP*** Seq: 0x7A81701B  Ack: 0x71C5E32F  Win: 0x1920  TcpLen: 20
48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D  HTTP/1.1 200 OK.
0A 44 61 74 65 3A 20 54 75 65 2C 20 30 32 20 44  .Date: Tue, 02 D
65 63 20 32 30 30 33 20 32 32 3A 32 30 3A 30 34  ec 2003 22:20:04
20 47 4D 54 0D 0A 53 65 72 76 65 72 3A 20 41 70   GMT..Server: Ap
61 63 68 65 2F 31 2E 33 2E 32 39 20 28 55 6E 69  ache/1.3.29 (Uni
78 29 20 6D 6F 64 5F 6A 6B 32 2F 32 2E 30 2E 30  x) mod_jk2/2.0.0
20 50 48 50 2F 34 2E 33 2E 34 20 6D 6F 64 5F 61   PHP/4.3.4 mod_a
75 74 68 5F 70 61 73 73 74 68 72 6F 75 67 68 2F  uth_passthrough/
31 2E 38 20 6D 6F 64 5F 67 7A 69 70 2F 31 2E 33  1.8 mod_gzip/1.3
2E 32 36 2E 31 61 20 6D 6F 64 5F 6C 6F 67 5F 62  .26.1a mod_log_b
79 74 65 73 2F 31 2E 32 20 6D 6F 64 5F 62 77 6C  ytes/1.2 mod_bwl
69 6D 69 74 65 64 2F 31 2E 34 20 46 72 6F 6E 74  imited/1.4 Front
50 61 67 65 2F 35 2E 30 2E 32 2E 32 36 33 34 20  Page/5.0.2.2634 
6D 6F 64 5F 73 73 6C 2F 32 2E 38 2E 31 36 20 4F  mod_ssl/2.8.16 O
70 65 6E 53 53 4C 2F 30 2E 39 2E 36 62 0D 0A 4C  penSSL/0.9.6b..L
61 73 74 2D 4D 6F 64 69 66 69 65 64 3A 20 46 72  ast-Modified: Fr
69 2C 20 31 30 20 4F 63 74 20 32 30 30 33 20 30  i, 10 Oct 2003 0
38 3A 31 38 3A 35 31 20 47 4D 54 0D 0A 45 54 61  8:18:51 GMT..ETa
67 3A 20 22 37 34 38 31 31 30 2D 39 31 64 2D 33  g: "748110-91d-3
66 38 36 36 62 36 62 22 0D 0A 41 63 63 65 70 74  f866b6b"..Accept
2D 52 61 6E 67 65 73 3A 20 62 79 74 65 73 0D 0A  -Ranges: bytes..
43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 63 6C 6F 73  Connection: clos
65 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A  e..Content-Type:
20 74 65 78 74 2F 68 74 6D 6C 0D 0A 43 6F 6E 74   text/html..Cont
65 6E 74 2D 45 6E 63 6F 64 69 6E 67 3A 20 67 7A  ent-Encoding: gz
69 70 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67  ip..Content-Leng
74 68 3A 20 38 35 32 0D 0A 0D 0A 1F 8B 08 00 00  th: 852.........
00 00 00 00 03 BD 56 6D 6F DB 38 0C FE DC FC 0A  ......Vmo.8.....
4D 40 80 1B 10 C7 4E DA AE D9 66 1B E8 75 C1 9A  M@....N...f..u..
A1 6F 6B DD 0D F7 A9 90 6D C6 16 E6 48 86 A4 D4  .ok.....m...H...
CB 86 FB EF 47 F9 AD 0D BA EB 75 5B 71 1F 0C 93  ....G.....u[q...
22 CD 87 A4 1F D2 F6 8F A3 D3 93 70 E0 1F CF 0F  "..........p....
DF E1 2D 5A 44 27 F3 30 B9 60 02 0A DF 6D B4 81  ..-ZD'.0.`...m..
5F 70 F1 85 E4 0A 96 01 D5 1B 7D 93 94 D6 EC 26  _p........}....&
5A BB DA 6C 0A 18 A3 44 89 82 02 CD 56 D7 39 80  Z..l...D....V.9.
A1 C4 6C 4A 08 A8 81 AF C6 BA 52 8C 73 3A 8F 0E  ..lJ......R.s:..
C9 71 14 5D 38 F3 8F D7 8B 4F 01 3D 92 C2 80 30  .q.]8....O.=...0
4E 84 AE 94 1C 9D 9F 45 F3 B3 A8 7D 26 37 AB E2  N......E...}&7..
2D 49 72 A6 34 98 80 6B E9 CC 66 FB AF 9D 89 0D  -Ir.4..k..f.....
E4 36 E9 0E FC AB A3 CB C5 45 44 4E 0E CF DE 5F  .6.......EDN..._
1F BE 9F 93 80 D0 0F EC 96 5D 25 8A 97 C6 7A BE  .........]%...z.
70 9C C1 72 2D 12 C3 A5 20 B2 04 F1 99 8B 3F AE  p..r-... .....?.
2F 4F 5E 92 EF 03 86 72 2A AB A0 AA 6F 63 6B B5  /O^....r*...ock.
A6 11 A5 23 AA 13 25 8B 22 46 F0 60 03 7A A4 40  ...#..%."F.`.z.@
F3 6F 2C 2E A0 D6 96 EB A2 40 07 00 11 08 39 32  .o,......@....92
52 5A 47 2B 6A C3 CC 5A 5B 69 05 62 DD 1E A6 5C  RZG+j..Z[i.b...\
41 62 A4 E2 50 5B 0A 99 30 9B 8D 95 73 E0 59 6E  Ab..P[..0...s.Yn
82 7D CF 1B 55 3C 35 79 30 43 A9 80 A5 09 A6 28  .}..U<5y0C.....(
18 59 06 13 CF A3 2F DF 0E FE 1E B8 2E 71 1C 5B  .Y..../......q.[
7A 53 B2 2D FE CF F3 77 7F 11 EB BD 62 2A E3 22  zS.-...w....b*."
A0 1E 36 5D 96 F7 B4 46 6C 42 DF E9 2D 2A 1E 60  ..6]...FlB..-*.`
3C 63 AB 22 AD 0B A2 0D 29 89 A5 4A 41 D5 0F 24  <c."....)..JA..$
80 95 96 2C E1 22 EB F5 92 A5 69 AB 87 03 42 7C  ...,."....i...B|
A3 C8 2D 2B 78 86 90 88 4E 43 82 87 F6 38 25 1D  ..-+x...NC...8%.
D0 C1 3E 25 42 56 8A 95 AD D1 9A 7F 17 B7 8B A3  ..>%BV..........
FA 98 1D 6C 1F 74 48 43 9F B5 C4 CD 8D 29 DF B8  ...l.tHC.....)..
6E 55 55 E3 86 BF 63 81 24 0D 7D BE CA 88 56 C9  nUU...c.$.}...V.
16 B3 F9 8A 65 A0 5D A4 05 7C BD F1 26 E3 8C 2F  ....e.]..|..&../
69 1F 75 FA 8A F6 85 ED A1 CC 0A 14 9A 89 E9 4B  i.u............K
F0 42 DF 65 78 99 34 FC 71 6E D3 83 E1 93 B0 A7  .B.ex.4.qn......
5B D8 BB 7B BB 5B D8 8F 21 4C 6C 43 59 F2 25 53  [..{.[..!LlCY.%S
72 2D D2 47 20 F6 6A 88 A7 24 B3 B7 95 CC 4F E4  r-.G .j..$....O.
F2 6A 3A B4 7D AA 29 A2 EC 13 CF 9E DA EE F6 3B  .j:.}.)........;
DA 9D 3D 96 1B 6A AA D3 50 B6 44 6C D4 CE AD 73  ..=..j..P.Dl...s
F0 5B 3F DF 1E FB 09 6E 2A C0 03 7F 89 5B 8B 24  .[?....n*....[.$
05 D3 3A A0 B7 A0 36 31 CF A4 62 22 83 58 16 29  ..:...61..b".X.)
72 73 27 CA 41 01 E1 1A 49 4F 2A 88 35 37 40 12  rs'.A...IO*.57@.
29 96 3C 5B 2B 48 09 33 C4 E4 68 45 3E E3 5E D1  ).<[+H.3..hE>.^.
E3 1D 9C 6A 1B D3 4E 77 0F 12 AB D0 5E DB 03 6A  ...j..Nw....^..j
E7 C4 1E E1 F9 CE 5D 7F F7 BD 61 DB DD F6 E9 FB  ......]...a.....
19 62 72 76 7D DF 0D 82 DB 36 90 F6 6B DE 32 B5  .brv}....6..k.2.
C6 6F EA FF F5 C8 55 BE C2 B0 9F 21 26 C7 52 1B  .o....U....!&.R.
72 CA 04 BE 23 F5 00 A0 69 EF 76 E7 BB 72 FF E5  r...#...i.v..r..
2D 3C DC 29 13 8F 3E D3 32 F9 0F 2E C6 71 D6 D0  -<.)..>.2....q..
F0 FE CE E9 D8 DC B4 85 3E 58 41 4F 0C F9 18 B3  ........>XAO....
3B A7 BE AC 83 D7 77 A4 9E 4E 7F 3C 70 CF 81 2B  ;.....w..N.<p..+
8D 91 AB 9B 82 C5 B8 23 B7 B6 CF 6C FA FF 24 F0  .......#...l..$.
73 85 3F 71 9A 7B 93 FD 25 70 C8 E5 FC D3 E2 6A  s.?q.{..%p.....j
71 7E F6 86 4C C6 DE D8 C3 6F 6B FD 71 B5 9F D4  q~..L....ok.q...
FA FF A2 FE 2B FA 07 53 A4 E8 C4 1D 09 00 00     ....+..S.......

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/02-14:20:13.250211 192.168.1.6:47280 -> 66.225.219.162:80
TCP TTL:64 TOS:0x0 ID:57839 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x71C5E32F  Ack: 0x7A81751A  Win: 0x1DFA  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/02-14:20:13.258878 66.225.219.162:80 -> 192.168.1.6:47280
TCP TTL:51 TOS:0x0 ID:41765 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x7A81751A  Ack: 0x71C5E32F  Win: 0x1920  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/02-14:20:13.298039 192.168.1.6:47280 -> 66.225.219.162:80
TCP TTL:64 TOS:0x0 ID:57840 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x71C5E32F  Ack: 0x7A81751B  Win: 0x1DFA  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/02-14:20:13.776863 192.168.1.6:47280 -> 66.225.219.162:80
TCP TTL:64 TOS:0x0 ID:57841 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x71C5E32F  Ack: 0x7A81751B  Win: 0x1DFA  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/02-14:20:13.948966 66.225.219.162:80 -> 192.168.1.6:47280
TCP TTL:51 TOS:0x0 ID:41766 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x7A81751B  Ack: 0x71C5E330  Win: 0x1920  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Run time for packet processing was 0.1958 seconds

===============================================================================

Snort processed 11 packets.
Breakdown by protocol:                Action Stats:

    TCP: 11         (100.000%)         ALERTS: 0         
===============================================================================


Even after unzipping the Content-Encoded gzip packet contents, the
results seem benign:

<HTML>
<HEAD>
<TITLE>cPanel</TITLE>
<link href="sys_cpanel/css/style.css" rel="stylesheet" type="text/css">
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
</HEAD>

<SCRIPT LANGUAGE = "JavaScript">
<!--
function openWin(URL) {
aWindow=window.open(URL,"","scrollbars=yes,resizable=yes,fullscreen=no,toolbar=no,status=no,menubar=no,directories=no,location=no,height=500,width=800,left=200,top=100");
}
// -->
</SCRIPT>

<BODY leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr valign="top"> 
<td height="75" nowrap> 
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr> 
<td width="10%"><a href="http://www.cpanel.net"><img src="sys_cpanel/images/index_01.gif" width="126" height="46" alt="cPanel" border=0></a></td>
<td width="27%"><img src="sys_cpanel/images/index_02.gif" width="343" height="46"></td>
<td width="1%" background="sys_cpanel/images/index_04.gif"><img src="sys_cpanel/images/index_04.gif" width="43" height="46"></td>
<td width="62%" align="right" background="sys_cpanel/images/index_04.gif"><img src="sys_cpanel/images/index_03.gif" width="138" height="46"></td>
</tr>
</table>
</td>
</tr>
<tr>
 <td>

<center>
<font class="verybigorangebold">
	There is no website configured at this address.	
</font>
</center>

<br><br>
<table width=100%>
<tr>
	<td width=50% align=center><font class=biglink><a href="/cpanel/">cPanel</a></font></td>
	<td width=50% align=center><font class=biglink><a href="/whm/">Web Host Manager</a></font></td>
</tr>
</table>
<br><br>
 </td>
</tr>
<tr> 
<td height="10"> 
<table width="100%" border="0" cellspacing="0" cellpadding="0" background="sys_cpanel/images/bbg.gif">
<tr align="center"> 
<td background="sys_cpanel/images/bbg.gif"><img src="sys_cpanel/images/bbg.gif" width="179" height="22"></td>
<td background="sys_cpanel/images/bbg.gif"><img src="sys_cpanel/images/bottom_label.gif" width="382" height="22"></td>
<td background="sys_cpanel/images/bbg.gif"><img src="sys_cpanel/images/bbg.gif" width="179" height="22"></td>
</tr>
</table>
</td>
</tr>
</table>
<!--- REVISION: 1.0.0 --->
</BODY>
</HTML>



The other site is even less "there":

[jsage@sparky /storage/virii/popup] $ lynx -source http://nt11.nshosts.com/

<h1>Domain Innaccessable</H1>This domain has been suspended or does
not exist on this server, please contact your hosting provider.




- John
-- 
"Most people don't type their own logfiles; but, what do I care?"
-
John Sage: InfoSec Groupie
-
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
-
ATTENTION: this entire message is privileged communication, intended
for the sole use of its recipients only. If you read it even though
you know you aren't supposed to, you're a poopy-head.
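The decoding John does by hand above (pulling the HTTP payload out of the snort hex dump, honouring Content-Length, and gunzipping the Content-Encoding: gzip body before reading the HTML) as an added Python example; this is not code from the original post. It assumes snort's -X style payload lines (16 hex pairs followed by an ASCII column) and that only the server-to-client packet is fed in; the sample response embedded below is constructed for the example, not the capture from the post.

```python
"""Reassemble an HTTP response from a Snort-style payload hex dump and
decode its gzip body.  Added example, not part of the original list post.

Assumptions (mine, not the poster's): dump lines look like Snort's -X
output, i.e. up to 16 hex byte values followed by an ASCII column, and the
dump passed in holds only the server-to-client payload (in the post the
whole reply sat in one 1319-byte segment).  Nothing here touches a network.
"""
import gzip
import re
import zlib

# One payload line: 1..16 hex pairs, each followed by a space (or end of
# line), then the ASCII column.  The ASCII column may itself contain spaces
# or hex-looking text, so only the anchored hex prefix is ever parsed.
_HEX_LINE = re.compile(r'^((?:[0-9A-Fa-f]{2}(?: |$)){1,16})')


def payload_from_hexdump(dump: str) -> bytes:
    """Collect the hex columns of a Snort payload dump into raw bytes.
    Packet headers, separators and statistics lines do not start with hex
    pairs and are skipped."""
    out = bytearray()
    for line in dump.splitlines():
        m = _HEX_LINE.match(line)
        if m:
            out.extend(bytes.fromhex(m.group(1)))  # fromhex ignores the spaces
    return bytes(out)


def split_http_response(raw: bytes):
    """Split a raw HTTP response into (status line, header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP response: end of headers not seen")
    lines = head.split(b"\r\n")
    status = lines[0].decode("iso-8859-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.decode("iso-8859-1").strip().lower()] = \
            value.decode("iso-8859-1").strip()
    return status, headers, body


def decode_body(headers: dict, body: bytes) -> bytes:
    """Apply Content-Length and Content-Encoding: refuse a body shorter than
    the server declared (a truncated capture would otherwise fail inside
    gunzip with a confusing error), then decompress per the declared coding."""
    if "content-length" in headers:
        declared = int(headers["content-length"])
        if len(body) < declared:
            raise ValueError(f"body truncated: {len(body)} of {declared} bytes")
        body = body[:declared]
    enc = headers.get("content-encoding", "identity").lower()
    if enc == "gzip":
        return gzip.decompress(body)
    if enc == "deflate":
        return zlib.decompress(body)
    return body


def inspect_dump(dump: str):
    """Full pipeline: hex dump -> raw bytes -> (status, headers, decoded body)."""
    status, headers, body = split_http_response(payload_from_hexdump(dump))
    return status, headers, decode_body(headers, body)


def snort_style_dump(payload: bytes) -> str:
    """Render bytes the way Snort's -X option prints a payload.  Used only to
    build the constructed sample below."""
    lines = []
    for off in range(0, len(payload), 16):
        chunk = payload[off:off + 16]
        hexcol = " ".join(f"{b:02X}" for b in chunk).ljust(16 * 3 - 1)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{hexcol}  {asc}")
    return "\n".join(lines)


# Constructed sample (not the capture from the post): a gzip-encoded reply
# carrying a short cPanel-style placeholder page.
SAMPLE_HTML = (b"<HTML><HEAD><TITLE>cPanel</TITLE></HEAD><BODY>"
               b"There is no website configured at this address."
               b"</BODY></HTML>\n")
_GZ = gzip.compress(SAMPLE_HTML, mtime=0)
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Server: Apache/1.3.29 (Unix)\r\n"
                   b"Content-Type: text/html\r\n"
                   b"Content-Encoding: gzip\r\n"
                   b"Content-Length: " + str(len(_GZ)).encode() + b"\r\n"
                   b"\r\n" + _GZ)
SAMPLE_DUMP = ("12/02-14:20:13.250092 10.0.0.2:80 -> 192.168.1.6:47280\n"
               "TCP TTL:51 TOS:0x0 ID:41764 IpLen:20 DgmLen:1319 DF\n"
               "***AP*** Seq: 0x7A81701B  Ack: 0x71C5E32F  Win: 0x1920  TcpLen: 20\n"
               + snort_style_dump(SAMPLE_RESPONSE))

if __name__ == "__main__":
    status, headers, body = inspect_dump(SAMPLE_DUMP)
    print(status)
    print("Server:", headers["server"], "| encoding:", headers.get("content-encoding"))
    print(body.decode("iso-8859-1"))
```

Feeding only the server's packets matters: the parser concatenates every hex line it sees, so a dump that still contains the client's GET would put request bytes in front of the status line. The Content-Length check is what makes a truncated capture fail loudly instead of producing a half-decoded page.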



