[Dshield] Proxy attackers/hijackers

Jeff Kell jeff-kell at utc.edu
Fri Oct 17 03:31:12 GMT 2003


We had an attempted proxy rape today on a trojanned dorm machine.  No 
mail escaped thanks to firewalling, but I did track down the culprits and 
the compromised ports (which appear random; they changed when the 
machine was rebooted).  We do not have the machine (yet) for forensics to 
see what infected it, but it was providing two proxy ports on random 
ports that change when the machine is rebooted (apparently, given the 
time difference between the pairs of proxy ports below).

The inside IP is munged into a private address, but the sources of the 
incoming proxy connections are real.  The format is:

victim-IP:source-IP <connection count> <bytes>

The <bytes> count is low since the proxy fails after the SYN times out.
For the most part, these aren't individual attacks; it is a battery of 
hosts in the same netblock.  Here is the hit-list and the ports they 
attacked on:

 > [jeff at netsyslog jeff]$ grep 172\.16\.16\.16 utcpix.log|./proxysum 7512
 > 172.16.16.16:66.111.39.210 104 items 0 bytes
 > 172.16.16.16:*** total *** 104 items 0 bytes
 >
 > [jeff at netsyslog jeff]$ grep 172\.16\.16\.16 utcpix.log|./proxysum 9257
 > 172.16.16.16:66.111.39.210 40 items 0 bytes
 > 172.16.16.16:*** total *** 40 items 0 bytes
 >
 >
 > [jeff at netsyslog jeff]$ grep 172\.16\.16\.16 utcpix.log|./proxysum 9813
 > 172.16.16.16:203.98.189.84 3 items 45 bytes
 > 172.16.16.16:207.218.0.155 1035 items 7470 bytes 155.0.218.207.in-addr.arpa
 > 172.16.16.16:213.129.172.88 7 items 85 bytes 213-129-172-88.DialUp.tiscali.es
 > 172.16.16.16:24.163.39.18 7 items 96 bytes rdu163-39-018.nc.rr.com
 > 172.16.16.16:38.117.18.131 8 items 0 bytes
 > 172.16.16.16:66.111.39.210 114 items 1460 bytes
 > 172.16.16.16:66.111.49.120 130 items 700 bytes
 > 172.16.16.16:66.250.55.115 788 items 5916 bytes
 > 172.16.16.16:66.250.55.116 40 items 518 bytes
 > 172.16.16.16:66.250.55.117 32 items 192 bytes
 > 172.16.16.16:66.250.55.118 219 items 1366 bytes
 > 172.16.16.16:66.250.55.119 1761 items 7520 bytes
 > 172.16.16.16:66.250.55.120 87 items 978 bytes
 > 172.16.16.16:66.250.55.121 568 items 5754 bytes
 > 172.16.16.16:66.250.55.122 70 items 142 bytes
 > 172.16.16.16:66.28.209.100 327 items 1394 bytes
 > 172.16.16.16:66.28.209.101 253 items 2424 bytes
 > 172.16.16.16:66.28.209.102 245 items 960 bytes
 > 172.16.16.16:66.28.209.105 390 items 1834 bytes
 > 172.16.16.16:66.28.209.106 1558 items 1100 bytes
 > 172.16.16.16:66.28.209.107 826 items 8650 bytes
 > 172.16.16.16:66.28.209.109 11 items 114 bytes
 > 172.16.16.16:66.28.209.11 54 items 584 bytes
 > 172.16.16.16:66.28.209.110 900 items 6430 bytes
 > 172.16.16.16:66.28.209.98 489 items 3464 bytes
 > 172.16.16.16:66.28.209.99 442 items 4052 bytes
 > 172.16.16.16:66.28.233.165 16 items 316 bytes
 > 172.16.16.16:69.1.65.186 200 items 2064 bytes
 > 172.16.16.16:69.1.65.187 303 items 1972 bytes
 > 172.16.16.16:69.1.65.188 276 items 4266 bytes
 > 172.16.16.16:69.1.65.189 538 items 3648 bytes
 > 172.16.16.16:*** total *** 11697 items 75514 bytes
 >
 > [jeff at netsyslog jeff]$ grep 172\.16\.16\.16 utcpix.log|./proxysum 6394
 > 172.16.16.16:195.24.138.125 4 items 0 bytes
 > 172.16.16.16:209.61.131.147 2 items 0 bytes
 > 172.16.16.16:216.64.225.99 415 items 4641 bytes
 > 172.16.16.16:65.110.36.10 418 items 5052 bytes unknown.sagonet.net
 > 172.16.16.16:65.110.36.40 428 items 5554 bytes unknown.sagonet.net
 > 172.16.16.16:65.110.36.50 291 items 4549 bytes unknown.sagonet.net
 > 172.16.16.16:65.110.41.180 421 items 5462 bytes unknown.sagonet.net
 > 172.16.16.16:65.110.41.190 425 items 5270 bytes unknown.sagonet.net
 > 172.16.16.16:65.110.41.200 414 items 5496 bytes unknown.sagonet.net
 > 172.16.16.16:66.111.33.70 21 items 658 bytes www.celebsmoking.com
 > 172.16.16.16:66.111.39.210 99 items 2909 bytes
 > 172.16.16.16:66.111.49.120 78 items 2815 bytes
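An added example, not Jeff's proxysum script (the post does not include it): a small Python re-implementation of the same per-source tally for one victim:port, plus a /24 roll-up that makes the "battery of hosts in the same netblock" pattern visible. The sample log lines use a constructed, simplified format (not real PIX syslog), and the regex and function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the original post), one connection
# record per line in a made-up simplified format, NOT real PIX syslog.
SAMPLE_LOG = """\
2003-10-16 22:01:03 TCP 66.250.55.119:4411 -> 172.16.16.16:9813 bytes=40
2003-10-16 22:01:04 TCP 66.250.55.119:4412 -> 172.16.16.16:9813 bytes=0
2003-10-16 22:01:05 TCP 66.250.55.121:1190 -> 172.16.16.16:9813 bytes=60
2003-10-16 22:01:06 TCP 66.28.209.110:2200 -> 172.16.16.16:9813 bytes=120
2003-10-16 22:01:07 TCP 66.111.39.210:3301 -> 172.16.16.16:7512 bytes=0
2003-10-16 22:01:08 TCP 66.111.39.210:3302 -> 172.16.16.16:7512 bytes=0
2003-10-16 22:01:09 TCP 10.9.8.7:5000 -> 172.16.16.17:80 bytes=900
"""
# Hypothetical pattern for the constructed format above.
LINE_RE = re.compile(r"TCP (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) bytes=(?P<bytes>\d+)")

def proxysum(log_text, victim, port):
    """Per-source [connection count, byte total] for one victim IP and port."""
    totals = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["dst"] != victim or int(m["dport"]) != port:
            continue
        totals[m["src"]][0] += 1
        totals[m["src"]][1] += int(m["bytes"])
    return dict(sorted(totals.items()))

def netblocks(per_source):
    """Roll the per-source table up to /24 blocks: [items, bytes, distinct hosts]."""
    blocks = defaultdict(lambda: [0, 0, 0])
    for src, (items, nbytes) in per_source.items():
        key = src.rsplit(".", 1)[0] + ".0/24"
        blocks[key][0] += items
        blocks[key][1] += nbytes
        blocks[key][2] += 1
    return dict(blocks)

def report(log_text, victim, port):
    """Render the tally in the same 'victim:source N items M bytes' shape as the post."""
    per_source = proxysum(log_text, victim, port)
    lines = [f"{victim}:{src} {n} items {b} bytes" for src, (n, b) in per_source.items()]
    tot_n = sum(n for n, _ in per_source.values())
    tot_b = sum(b for _, b in per_source.values())
    lines.append(f"{victim}:*** total *** {tot_n} items {tot_b} bytes")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(SAMPLE_LOG, "172.16.16.16", 9813))
    for blk, (n, b, hosts) in netblocks(proxysum(SAMPLE_LOG, "172.16.16.16", 9813)).items():
        print(f"{blk}: {hosts} hosts, {n} items, {b} bytes")
```

A real deployment would replace SAMPLE_LOG with the firewall log and LINE_RE with a pattern for that firewall's connection-built records; the /24 roll-up is where sequential sources like the 66.250.55.x and 66.28.209.x runs above stand out.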