[Dshield] Possible variant of Blaster/Nachi/Welchia?

Jeff Kell jeff-kell at utc.edu
Fri Sep 26 17:24:12 GMT 2003


Deb Hale wrote:

> http://www.xsecurity.ws/books/Building-Internet-Firewalls/ch08_13.html
> 
> 
> According to this write up - port 123 is used for network time protocol.  It
> shows a 123 to 123 as a Query or response between two servers.  My question
> is, is your network syncing with the spoofed IP and if it is, why?  

The infected machines are trying to sync with a spoofed address, then 
they start pinging randomly and slowly to random addresses within the 
same first octet.  Here's a complete sample:

> Sep 26 12:46:00.779 EDT: %SEC-6-IPACCESSLOGP: list netcop denied udp 172.155.144.218(123) -> 207.46.130.100(123), 1 packet
> Sep 26 12:46:39.160 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 172.155.144.218 -> 172.132.114.112 (0/0), 1 packet
> Sep 26 12:47:34.285 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 172.155.144.218 -> 172.162.138.194 (0/0), 1 packet
> Sep 26 12:47:44.345 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 172.155.144.218 -> 172.156.165.167 (0/0), 1 packet
> Sep 26 12:48:30.378 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 172.155.144.218 -> 172.157.126.115 (0/0), 1 packet
> Sep 26 12:48:37.930 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 172.155.144.218 -> 172.157.98.253 (0/0), 1 packet
> Sep 26 12:49:54.944 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 172.155.144.218 -> 172.153.205.223 (0/0), 1 packet
> Sep 26 12:51:40.262 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 172.155.144.218 -> 172.203.128.195 (0/0), 1 packet
> Sep 26 12:52:52.283 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 172.155.144.218 -> 172.157.135.71 (0/0), 1 packet
> Sep 26 12:53:43.748 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 172.155.144.218 -> 172.158.89.195 (0/0), 1 packet
> Sep 26 12:54:13.885 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 172.155.144.218 -> 172.156.18.248 (0/0), 1 packet
> Sep 26 12:55:12.830 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 172.155.144.218 -> 172.158.109.44 (0/0), 1 packet
> Sep 26 12:58:02.602 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 172.155.144.218 -> 172.154.168.139 (0/0), 1 packet
> Sep 26 12:58:12.202 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 172.155.144.218 -> 172.157.29.197 (0/0), 1 packet
> Sep 26 12:59:34.763 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 172.155.144.218 -> 172.156.229.95 (0/0), 1 packet
> Sep 26 13:01:39.062 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 172.155.144.218 -> 172.153.42.62 (0/0), 1 packet

MAC addresses removed for brevity, but they are the same incoming MAC 
and interface, and the actual machine IP address was 172.18.113.112.

All I've been able to do thus far is shut down ports.  I haven't gotten 
my hands on an infected one yet for forensics, but we're up to a couple 
dozen infected ones.  There are likely more on campus, but our routers 
are configured for 'ip unicast reverse-path verify' and spoofed packets 
would be dropped silently.  These came from a 3550 (which due to a bug 
does not do uRPF) where we had to ACL the ingress to catch spoofs.

Jeff
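The pattern Jeff describes (one denied NTP packet to a fixed host, then slow single pings to random addresses sharing the spoofed source's first octet, all from an address that does not belong on that ingress) can be pulled straight out of the ACL log. The script below is an added example, not Jeff's or DShield's code: it parses the two Cisco IOS `%SEC-6-IPACCESSLOGP` / `%SEC-6-IPACCESSLOGDP` line formats quoted above, groups denied packets by source, and flags sources that show both behaviours. It assumes the inside address space is `172.18.0.0/16` (only the single host `172.18.113.112` is named in the post), and the `172.18.1.5` line is constructed to show a non-spoofed NTP client that is not flagged.

```python
"""Flag the 'NTP to a fixed host, then slow ICMP sweep of the same /8, from a
spoofed source' pattern in Cisco IOS ACL deny logs (added example)."""
import re
import ipaddress
from collections import defaultdict
from datetime import datetime

# Ten of the lines quoted in the post (quote marks stripped) plus one
# CONSTRUCTED line from an address that really is inside 172.18.0.0/16.
SAMPLE_LOG = """\
Sep 26 12:46:00.779 EDT: %SEC-6-IPACCESSLOGP: list netcop denied udp 172.155.144.218(123) -> 207.46.130.100(123), 1 packet
Sep 26 12:46:39.160 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 172.155.144.218 -> 172.132.114.112 (0/0), 1 packet
Sep 26 12:47:34.285 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 172.155.144.218 -> 172.162.138.194 (0/0), 1 packet
Sep 26 12:47:44.345 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 172.155.144.218 -> 172.156.165.167 (0/0), 1 packet
Sep 26 12:48:30.378 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 172.155.144.218 -> 172.157.126.115 (0/0), 1 packet
Sep 26 12:48:37.930 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 172.155.144.218 -> 172.157.98.253 (0/0), 1 packet
Sep 26 12:49:54.944 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 172.155.144.218 -> 172.153.205.223 (0/0), 1 packet
Sep 26 12:50:10.000 EDT: %SEC-6-IPACCESSLOGP: list netcop denied udp 172.18.1.5(123) -> 207.46.130.100(123), 1 packet
Sep 26 12:51:40.262 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 172.155.144.218 -> 172.203.128.195 (0/0), 1 packet
Sep 26 12:52:52.283 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 172.155.144.218 -> 172.157.135.71 (0/0), 1 packet
Sep 26 12:53:43.748 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 172.155.144.218 -> 172.158.89.195 (0/0), 1 packet
"""

# LOGP lines carry "src(port) -> dst(port)"; LOGDP (icmp) lines carry
# "src -> dst (type/code)". One regex handles both.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}) \w+: %SEC-6-IPACCESSLOG\w+: "
    r"list (?P<acl>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>\d+(?:\.\d+){3})(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+(?:\.\d+){3}) ?(?:\((?P<dport>\d+)\)|\((?P<itype>\d+)/(?P<icode>\d+)\))?"
    r", (?P<count>\d+) packets?$"
)


def parse_line(line):
    """Return a dict of fields for one ACL log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    # IOS timestamps carry no year; strptime fills in 1900, which is fine for deltas.
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S.%f")
    for key in ("sport", "dport", "itype", "icode", "count"):
        ev[key] = int(ev[key]) if ev[key] is not None else None
    return ev


def analyze(lines, internal_nets, min_icmp_targets=5):
    """Group denied packets by source address and flag the NTP-then-sweep pattern.

    internal_nets lists the prefixes that may legitimately be a source on this
    ingress (an assumption supplied by the caller); any other source is spoofed.
    """
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    by_src = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        by_src[ev["src"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        ntp_targets = {e["dst"] for e in evs if e["proto"] == "udp" and e["dport"] == 123}
        # Only count ping targets whose first octet matches the (spoofed) source's.
        first_octet = src.split(".")[0]
        sweep = {e["dst"] for e in evs
                 if e["proto"] == "icmp" and e["dst"].split(".")[0] == first_octet}
        if not ntp_targets or len(sweep) < min_icmp_targets:
            continue
        times = sorted(e["ts"] for e in evs)
        span = (times[-1] - times[0]).total_seconds()
        findings[src] = {
            "spoofed_source": not any(ipaddress.ip_address(src) in n for n in nets),
            "ntp_targets": sorted(ntp_targets),
            "icmp_targets_same_first_octet": len(sweep),
            "span_seconds": span,
            # A slow, steady cadence (tens of seconds per probe) is what makes this
            # easy to miss in rate-based alerting.
            "mean_gap_seconds": span / max(len(times) - 1, 1),
        }
    return findings


if __name__ == "__main__":
    for src, f in analyze(SAMPLE_LOG.splitlines(), ["172.18.0.0/16"]).items():
        print(src, f)
```

Because the source address is spoofed, the finding only tells you which ingress interface (and, with the MAC kept in the log, which host) to chase; the script therefore keys on the source string purely to group events, and the `spoofed_source` flag is what says the packets should never have arrived on an inside interface at all, which is the condition uRPF would have caught silently on the routers that support it.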
