[Dshield] XBOX virus?

KIAH kiah at inmfys.com
Mon Jun 14 15:14:07 GMT 2004


Willing to bet the employee has put linux on his xbox.  Then once the
employee was connected they tried to connect to an irc server to check the
connection.

http://www.xbox-linux.org/docs/support.html

~Jeff
----- Original Message ----- 
From: <TRushing at hollandco.com>
To: <list at lists.dshield.org>
Sent: Monday, June 14, 2004 06:01
Subject: [Dshield] XBOX virus?


> Had an odd series of events in our firewall today.  It was a machine that
> had grabbed a dhcp address and was trying to contact irc channels.  Looked
> like a classic virus infected machine calling home.  It was only online
> for 12 minutes and just after I did an nmap, it dropped off.  I don't
> necessarily think those two were related.  Instead, I think it was someone
> who had dialed in to our corporate network.
>
> What struck me as odd is that I think it may have been an X-BOX.  I don't
> play games and have never played with one of these boxes.  However, when I
> did an nbtstat here is what I got:
>
> $ nbtstat -A 192.168.1.49
>
> Local Area Connection:
> Node IpAddress: [192.168.1.243] Scope Id: []
>
>            NetBIOS Remote Machine Name Table
>
>        Name               Type         Status
>     ---------------------------------------------
>     HOSTXXXXX      <00>  UNIQUE      Registered
>     HOSTXXXXX      <20>  UNIQUE      Registered
>     XBOXHOME       <00>  GROUP       Registered
>     XBOXHOME       <1E>  GROUP       Registered
>
>     MAC Address = 44-45-53-54-42-00
>
> Note:  HOSTXXXXX above was actually something besides HOSTXXXXX.  The
> letters in the place of XXXXX formed an English word but could also be the
> first initial + first 4 letters of the last name of an employee we have,
> so I obfuscated them.
>
> 44-45-53 is an MS hardware MAC address, based on what I could find online.
>
> Here is the result of my initial nmap run:
>
> [root at hol-webInt root]# nmap -PT80 -vv -sT -sU -O 192.168.1.49
>
> Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
> Host hostspark.hollandco.com (192.168.1.49) appears to be up ... good.
> Initiating Connect() Scan against hostspark.hollandco.com (192.168.1.49)
> Adding open port 1025/tcp
> Adding open port 5000/tcp
> Adding open port 139/tcp
> Adding open port 135/tcp
> The Connect() Scan took 22 seconds to scan 1601 ports.
> Initiating UDP Scan against hostspark.hollandco.com (192.168.1.49)
> The UDP Scan took 72 seconds to scan 1468 ports.
> Adding open port 123/udp
> Adding open port 1900/udp
> Adding open port 1646/udp
> Adding open port 1812/udp
> Adding open port 137/udp
> Adding open port 1645/udp
> Adding open port 1813/udp
> Adding open port 138/udp
> Adding open port 500/udp
> For OSScan assuming that port 135 is open and port 1 is closed and neither are firewalled
> Interesting ports on hostspark.hollandco.com (192.168.1.49):
> (The 3056 ports scanned but not shown below are in state: closed)
> Port       State       Service
> 123/udp    open        ntp
> 135/tcp    open        loc-srv
> 137/udp    open        netbios-ns
> 138/udp    open        netbios-dgm
> 139/tcp    open        netbios-ssn
> 500/udp    open        isakmp
> 1025/tcp   open        NFS-or-IIS
> 1645/udp   open        radius
> 1646/udp   open        radacct
> 1812/udp   open        radius
> 1813/udp   open        radacct
> 1900/udp   open        UPnP
> 5000/tcp   open        UPnP
> Remote operating system guess: MS Windows2000 Professional RC1/W2K Advance Server Beta3
> OS Fingerprint:
> TSeq(Class=RI%gcd=1%SI=49664%TS=0)
> T1(Resp=Y%DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT)
> T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
> T3(Resp=Y%DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT)
> T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
> T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
> T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
> T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
> PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
>
> TCP Sequence Prediction: Class=random positive increments
>                          Difficulty=300644 (Good luck!)
> TCP ISN Seq. Numbers: A17F21EF A19DA691 A1BB5E41 A1D56869 A1E70662 A201F222
> IPID Sequence Generation: Busy server or unknown class
>
> Nmap run completed -- 1 IP address (1 host up) scanned in 106 seconds
>
> The -PT80 option was there because I had yesterday scanned something on
> the internal network that was not responding to pings.  I can't say if
> this device was ignoring pings or not because by the time I tried, it was
> offline.
>
> I did a google search for XBOX IRC and VIRUS, but all I found were
> mentions of irc channels to get XBOX games etc. . .
>
> I am assuming that XBOX machines can be infected by viruses.  I also
> wonder whether XBOX machines can have OS patches applied.  Can anyone
> point me to any pages that might discuss viruses and XBOXEN?   Also, does
> anyone know whether my HOSTXXXXX guess above as to the naming convention
> is correct?
>
> For what it is worth, here are the ip addresses that this machine tried to
> contact during the 12 minutes it was on our network:
>
> 193.19.227.66
> 193.23.224.5
> 194.146.225.142
> 195.140.143.37
> 195.225.204.134
> 207.36.180.241
> 207.36.196.16
> 209.133.93.32
> 38.114.4.37
> 64.124.166.200
> 65.110.15.232
> 65.110.45.79
> 65.110.63.209
> 66.36.249.108
> 69.0.197.152
> 69.61.45.150
> 69.64.34.191
>
> My suspicion is that this was one of our home users who dialed in to our
> network and has a home network with an XBOX on it.
>
>          ---Tim Rushing
>              The Holland Company
>
> _______________________________________________
> list mailing list
> list at lists.dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
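The nbtstat name table in Tim's post carries more than the workgroup name. The 16th byte of each NetBIOS name (the <00>, <20>, <1E> suffix) identifies a service, a GROUP entry with suffix <00> is the workgroup or domain the host belongs to, and the MAC in the node status response is whatever adapter answered. The four bytes 44-45-53-54 spell "DEST" in ASCII, which is the pseudo-address Windows 9x/2000 dial-up (RAS/PPP) adapters report in place of a hardware OUI, so that address alone points at a dial-in host rather than a physical NIC. The following decoder is an added example written for this thread, not code from either poster; the suffix table and the RAS pseudo-MAC rule come from general NetBIOS and Windows knowledge, and the sample input is the nbtstat output copied from the post above (with Tim's own obfuscation left in place).

```python
import re

# nbtstat -A output copied from the post above (host name already obfuscated by the poster).
NBTSTAT_OUTPUT = """\
Local Area Connection:
Node IpAddress: [192.168.1.243] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    HOSTXXXXX      <00>  UNIQUE      Registered
    HOSTXXXXX      <20>  UNIQUE      Registered
    XBOXHOME       <00>  GROUP       Registered
    XBOXHOME       <1E>  GROUP       Registered

    MAC Address = 44-45-53-54-42-00
"""

# Meaning of common NetBIOS name suffixes (16th byte), keyed by (suffix, entry type).
SUFFIX_MEANING = {
    (0x00, "UNIQUE"): "Workstation service (the machine's own name)",
    (0x20, "UNIQUE"): "File/print server service (SMB shares offered)",
    (0x03, "UNIQUE"): "Messenger service (machine or logged-on user name)",
    (0x00, "GROUP"):  "Workgroup or domain the machine belongs to",
    (0x1E, "GROUP"):  "Browser service elections for that workgroup",
    (0x1D, "UNIQUE"): "Master browser for the workgroup",
    (0x1C, "GROUP"):  "Domain controllers for the domain",
}

# One table row: name, <hex suffix>, UNIQUE|GROUP, status.
ENTRY_RE = re.compile(
    r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\S+)\s*$", re.M)
MAC_RE = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")


def parse_name_table(text):
    """Return the name table rows with each suffix decoded to its service meaning."""
    entries = []
    for name, suffix_hex, ntype, status in ENTRY_RE.findall(text):
        suffix = int(suffix_hex, 16)
        entries.append({
            "name": name, "suffix": suffix, "type": ntype, "status": status,
            "meaning": SUFFIX_MEANING.get((suffix, ntype), "unknown suffix"),
        })
    return entries


def parse_mac(text):
    m = MAC_RE.search(text)
    return m.group(1).upper() if m else None


def classify_mac(mac):
    """Say what kind of adapter the reported MAC suggests."""
    octets = bytes(int(o, 16) for o in mac.split("-"))
    if octets[:4] == b"DEST":  # 44-45-53-54: Windows 9x/2000 dial-up (RAS/PPP) pseudo-MAC
        return "Windows dial-up/PPP pseudo-MAC (not a physical NIC)"
    if octets[0] & 0x02:       # locally-administered bit set: not a vendor OUI
        return "locally administered address (not a vendor OUI)"
    return "vendor-assigned OUI %s" % mac[:8]


def summarize(text):
    """Condense an nbtstat -A dump into the facts an analyst wants to know."""
    entries = parse_name_table(text)
    host = next((e["name"] for e in entries
                 if e["suffix"] == 0x00 and e["type"] == "UNIQUE"), None)
    workgroup = next((e["name"] for e in entries
                      if e["suffix"] == 0x00 and e["type"] == "GROUP"), None)
    file_server = any(e["suffix"] == 0x20 and e["type"] == "UNIQUE" for e in entries)
    mac = parse_mac(text)
    return {
        "host": host, "workgroup": workgroup, "file_server": file_server,
        "mac": mac, "mac_note": classify_mac(mac) if mac else None,
    }


if __name__ == "__main__":
    for entry in parse_name_table(NBTSTAT_OUTPUT):
        print("%-10s <%02X> %-6s %s" % (entry["name"], entry["suffix"],
                                        entry["type"], entry["meaning"]))
    print(summarize(NBTSTAT_OUTPUT))
```

Run against the post's output the summary reports host HOSTXXXXX, workgroup XBOXHOME, SMB file service registered, and a dial-up pseudo-MAC. Note that the workgroup name is just the SMB workgroup the host joined; it says nothing about the hardware, and the fingerprinted OS plus the RAS address are the stronger evidence when deciding whether a dial-in user's home machine was the source.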
