[Dshield] Re: Proxy attackers/hijackers

Joe Stewart jstewart at lurhq.com
Fri Oct 17 14:15:37 GMT 2003


On Thursday 16 October 2003 11:31 pm, Jeff Kell wrote:
> We had an attempted proxy rape today on a trojanned dorm machine.  No
> mail escaped thanks to firewalling but I did track down the culprits
> and the compromised ports (which appear random, they changed when the
> machine was rebooted).  Do not have the machine (yet) for forensics
> to see what infected it, but it was providing two proxy ports on
> random ports that change when the machine is rebooted (apparently,
> given the time difference between the pairs of proxy ports below).

If the two proxy ports start at a random port but themselves are 
sequential, it could be the Autoproxy trojan. A rash of these was 
installed yesterday by a second mass-hack of a large webhosting 
provider. Autoproxy can be detected when it attempts to make outbound 
HTTP control connections (one is to a CGI script where it reports its 
port numbers and stats, the other is to an uninvolved third-party 
website for connectivity checking). In these connections it sets its 
User-Agent header to "Autoproxy/0.2". The snort signature below will 
catch these connections leaving your network and let you know if you 
have any infected hosts. 

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Autoproxy Trojan control connection"; flags:A+; \
  content:"|0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 41 75 74 6f 70 72 6f 78 79 2f|"; \
  reference:url,www.lurhq.com/autoproxy.html; classtype:trojan-activity; sid:1000028; rev:1;)

-Joe

-- 
Joe Stewart, GCIH 
Senior Security Researcher
LURHQ http://www.lurhq.com/
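As an added example (not code from the original post, from Joe Stewart or from LURHQ), the Python below re-implements what the Snort rule above matches, so the check can be run over captured HTTP requests on a host or from a pcap without Snort. The $HOME_NET range, the IP addresses, the URL paths and the request bodies are constructed for the example and are not taken from the trojan. Note one property of the rule that the example makes visible: the content match is case-sensitive (no "nocase" modifier), and the leading 0d 0a bytes pin it to the start of a header line.

```python
# Added example, not code from the original post or from LURHQ: a host-side
# re-implementation of the Snort content match, run over constructed flows.
import ipaddress
from typing import List, Tuple

# The content value from the Snort rule, copied verbatim.
AUTOPROXY_CONTENT = "|0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 41 75 74 6f 70 72 6f 78 79 2f|"

# Assumption: the dorm network is 10.0.0.0/8 (the rule's $HOME_NET).
HOME_NET = ipaddress.ip_network("10.0.0.0/8")


def snort_content_to_bytes(content: str) -> bytes:
    """Turn a Snort content value into raw bytes.

    Snort content strings mix literal text with |hh hh| hex sections, e.g.
    "GET|20|/x" means b"GET /x". The Autoproxy rule uses a single hex section.
    """
    out = bytearray()
    for i, chunk in enumerate(content.split("|")):
        if i % 2 == 0:
            out += chunk.encode("latin-1")  # literal text outside the pipes
        else:
            out += bytes.fromhex(chunk)      # hex bytes inside the pipes
    return bytes(out)


# Decodes to b"\r\nUser-Agent: Autoproxy/". The leading CRLF anchors the match
# to the start of a header line, so "X-User-Agent: Autoproxy/" does not fire.
PATTERN = snort_content_to_bytes(AUTOPROXY_CONTENT)

# (src_ip, dst_ip, dst_port, client-to-server payload)
Flow = Tuple[str, str, int, bytes]


def matches_rule(flow: Flow) -> bool:
    """Rule header ($HOME_NET any -> $EXTERNAL_NET 80) plus the content match.
    The TCP flag test (flags:A+) is not modelled on these abstract flows."""
    src, dst, dport, payload = flow
    return (
        ipaddress.ip_address(src) in HOME_NET
        and ipaddress.ip_address(dst) not in HOME_NET
        and dport == 80
        and PATTERN in payload
    )


def user_agent_value(payload: bytes) -> str:
    """Return the value of the User-Agent header line the pattern matched."""
    line_start = payload.find(PATTERN) + 2           # skip the CRLF
    line_end = payload.find(b"\r\n", line_start)
    line = payload[line_start:line_end if line_end != -1 else len(payload)]
    return line.split(b":", 1)[1].strip().decode("latin-1")


def scan_flows(flows: List[Flow]) -> List[Tuple[str, str, str]]:
    """Report (src, dst, user-agent) for every flow the rule would alert on."""
    return [(f[0], f[1], user_agent_value(f[3])) for f in flows if matches_rule(f)]


# Constructed sample traffic; nothing here is a real capture.
SAMPLE_FLOWS: List[Flow] = [
    # infected host reporting to a (made-up) CGI script: alert
    ("10.1.2.3", "198.51.100.10", 80,
     b"POST /cgi-bin/report HTTP/1.0\r\nHost: 198.51.100.10\r\n"
     b"User-Agent: Autoproxy/0.2\r\nContent-Length: 5\r\n\r\nstats"),
    # same host doing its connectivity check against a third party: alert
    ("10.1.2.3", "203.0.113.5", 80,
     b"GET / HTTP/1.0\r\nHost: 203.0.113.5\r\nUser-Agent: Autoproxy/0.2\r\n\r\n"),
    # ordinary browser: no alert
    ("10.1.2.4", "203.0.113.5", 80,
     b"GET / HTTP/1.1\r\nHost: 203.0.113.5\r\nUser-Agent: Mozilla/4.0\r\n\r\n"),
    # lower-case header: missed, because the rule has no nocase modifier
    ("10.1.2.5", "203.0.113.5", 80,
     b"GET / HTTP/1.0\r\nhost: 203.0.113.5\r\nuser-agent: autoproxy/0.2\r\n\r\n"),
    # string inside a different header: no alert, thanks to the leading CRLF
    ("10.1.2.6", "203.0.113.5", 80,
     b"GET / HTTP/1.0\r\nX-User-Agent: Autoproxy/0.2\r\nUser-Agent: Lynx\r\n\r\n"),
    # inbound direction: outside the rule header
    ("198.51.100.10", "10.1.2.3", 80,
     b"GET / HTTP/1.0\r\nUser-Agent: Autoproxy/0.2\r\n\r\n"),
    # outbound but not port 80: outside the rule header
    ("10.1.2.7", "203.0.113.5", 8080,
     b"GET / HTTP/1.0\r\nUser-Agent: Autoproxy/0.2\r\n\r\n"),
]

if __name__ == "__main__":
    for src, dst, ua in scan_flows(SAMPLE_FLOWS):
        print(f"{src} -> {dst}  {ua}")
```

The two misses at the bottom of the sample set are exactly what the rule header leaves out: a proxy that reports over a non-standard port or a lower-cased header would need a broadened rule (a wider port list, or "nocase") rather than this one.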
