[andy@umbc.edu: Re: [unisog] Anyone recognize what this one is? ]

Peter Van Epp vanepp at sfu.ca
Thu Aug 7 19:35:07 GMT 2003


On Thu, Aug 07, 2003 at 03:01:36PM -0400, Anderson Johnston wrote:
<snip>
> 
> If you have a NIDS (or Cisco Netflow) at the border, I suggest checking
> periodically to see who the heavy IRC users are.  If heavy traffic is
> coming from, say, a secretary's PC on a Sunday, then it's probably worth
> checking out.
> 

	While this example hit an internal access list and got caught before
it did anything from here (we believe it was compromised from a cable modem at
home), if it had been able to get out it would have been caught by argus as long
as they transferred some reasonable amount of files. The one below was someone
installing an ftp server (poorly :-)) on their on-campus machine. Every
morning a perl script sums and sorts total traffic in and out for the last
24 hours for all IPs we have seen to find things like this. I happened to have
this particular anonymized analysis for someone else interested in our argus
implementation.


Start time Sun Jul 20  6:30:03 2003 to Mon Jul 21  6:30:01 2003
Total traffic: 65,258,813,491 total src: 9,192,560,601 total dst: 56,066,252,890
	Total TS traffic: 3,121,497,090
	Total Wireless traffic 699,124,838
	Total lib pub traffic 82,302

(usual suspect, www.sfu.ca, normally the #1 bandwidth user. If it is above
 14 gigs or so, check the web logs for why and whack as necessary)

10.0.130.1	total traffic: 11,556,447,375
	       1.0.3.149       10.0.130.1   7070             439              10

	       1.0.51.59       10.0.130.1   6770             532               0

	      10.0.130.1         1.0.4.49   1997               0              10

	      10.0.130.1        1.0.51.59   1472             731           3,439

	      10.0.130.1        1.0.51.59   6970         125,840               0

	      10.0.130.1      100.0.14.47  11815              12               0

	      10.0.130.1      100.0.14.47  12161              60               0

	      10.0.130.1      100.0.24.15   1095             447              10

	      10.0.130.1      100.0.24.15   1102             439              10

	      10.0.130.1      100.0.24.15   1106             440              10

	      10.0.130.1      100.0.24.15   1118             437              10

	      10.0.130.1      100.0.43.15  10065              24               0

	      10.0.130.1      100.0.43.15  10147             180               0

	      10.0.130.1      100.0.43.15  13787             180               0

	      10.0.130.1      100.0.43.15  14547             180               0

	      10.0.130.1      100.0.43.15  14882             180               0

	      10.0.130.1      100.0.7.102   3845              36               0

	      10.0.130.1      197.0.12.91  24322              18               0

	      10.0.130.1      197.0.16.40   1180              18               0

	      10.0.130.1     197.0.18.236  10551             120               0

	      10.0.130.1     197.0.18.236  11713              12               0

	      10.0.130.1     197.0.18.236  14442             120               0

	      10.0.130.1     197.0.19.111   1058              18               0

	      10.0.130.1     197.0.24.103  15353              18               0

	      10.0.130.1     197.0.27.218   1056              18               0

	      10.0.130.1      197.0.30.84   1057              18               0

	     197.0.13.34       10.0.130.1  37852              36               0

	     197.0.13.40       10.0.130.1  37852              18               0

	    197.0.27.176       10.0.130.1     ip             174               0

	      197.0.29.4       10.0.130.1  37852              18               0

	      197.0.29.5       10.0.130.1  37852              18               0

	     197.0.7.126       10.0.130.1  37852              54               0

	                                     137         231,014             174

	                                     443         164,202       1,777,748

	                                      80     153,104,820  11,401,035,083

(commercial customer, pays for bandwidth, normally #2 or #1)

10.1.12.7	total traffic: 9,239,318,919
	      1.0.10.167        10.1.12.7    554          11,450     149,548,114

	       1.0.11.96        10.1.12.7    554          79,430          46,767

	      1.0.12.138        10.1.12.7    554          11,797     150,908,550

	      1.0.12.176        10.1.12.7    554          14,130     117,434,079

	      1.0.13.202        10.1.12.7    554          36,722          26,941

	       1.0.14.87        10.1.12.7    554           5,178           8,767

	      1.0.15.216        10.1.12.7    445             671             347

	       1.0.15.60        10.1.12.7    554         104,628          69,178

	       1.0.15.86        10.1.12.7    554          36,332     129,071,375

	      1.0.17.155        10.1.12.7    554          10,845      62,245,016

	      1.0.19.203        10.1.12.7    554          17,238       7,990,421

	      1.0.20.137        10.1.12.7    445             662             386

	       1.0.21.73        10.1.12.7    554          18,709          25,838

	       1.0.21.88        10.1.12.7    554          34,721          24,796

	       1.0.21.93        10.1.12.7    554          27,244     290,613,671

	      1.0.22.207        10.1.12.7    554          27,341     269,725,037

	      1.0.24.101        10.1.12.7    554          13,684     137,396,920

	        1.0.24.5        10.1.12.7    554          12,759          11,872

	      1.0.25.227        10.1.12.7    554         144,183          74,040

	       1.0.28.48        10.1.12.7    554          28,241          26,234

	       1.0.3.181        10.1.12.7    554          15,012          20,625

	      1.0.30.208        10.1.12.7    554           6,712      34,782,942

	       1.0.30.54        10.1.12.7    445          11,717           6,501

	        1.0.5.65        10.1.12.7    554          14,101     123,431,664

	      1.0.51.103        10.1.12.7    445             650             386

	       1.0.51.23        10.1.12.7    554           8,531      64,156,089

	      1.0.52.169        10.1.12.7    554          10,666     106,228,201

	       1.0.53.18        10.1.12.7    554           2,529           5,097

	         1.0.6.4        10.1.12.7    554           2,048             876

	      1.0.68.129        10.1.12.7    554          16,538          18,302

	       10.1.12.7        1.0.11.96   6970      28,459,167         622,043

	       10.1.12.7       1.0.12.176   6970          35,485               0

	       10.1.12.7       1.0.13.202   6970      34,836,423         627,482

	       10.1.12.7        1.0.14.87   6970      44,063,233         191,678

	       10.1.12.7        1.0.15.60   6970      24,765,201         596,668

	       10.1.12.7        1.0.15.86   6970          55,135               0

	       10.1.12.7       1.0.17.155   6970          30,488               0

	       10.1.12.7       1.0.19.203   6970          50,604               0

	       10.1.12.7        1.0.21.73   6970     217,672,414         946,440

	       10.1.12.7        1.0.21.88   6970      68,538,387         476,456

	       10.1.12.7        1.0.21.93   6970          44,060               0

	       10.1.12.7       1.0.22.207   6970          39,481               0

	       10.1.12.7       1.0.24.101   6970          37,563               0

	       10.1.12.7         1.0.24.5   6970      51,370,957         242,039

	       10.1.12.7       1.0.25.227   6970      13,697,349         476,782

	       10.1.12.7        1.0.28.48   6970      88,419,197         641,445

	       10.1.12.7        1.0.3.181   6970     147,945,873         645,947

	       10.1.12.7       1.0.30.208   6970          36,941               0

	       10.1.12.7         1.0.5.56   3622             665           5,474

	       10.1.12.7         1.0.5.56   3623             636           9,647

	       10.1.12.7         1.0.5.56   3624             641          21,779

	       10.1.12.7         1.0.5.56   3625             640           4,001

	       10.1.12.7         1.0.5.56   3626             641           3,184

	       10.1.12.7         1.0.5.56   3627             638           2,498

	       10.1.12.7         1.0.5.56   3628             638           6,745

	       10.1.12.7         1.0.5.56   3629             643          37,720

	       10.1.12.7         1.0.5.56   3630             642          15,094

	       10.1.12.7         1.0.5.56   3631             643          21,191

	       10.1.12.7         1.0.5.56   3632             642             167

	       10.1.12.7         1.0.5.56   3633             643             210

	       10.1.12.7         1.0.5.56   3634             639           8,006

	       10.1.12.7         1.0.5.56   3635             643             989

	       10.1.12.7         1.0.5.56   3636             637          10,878

	       10.1.12.7         1.0.5.56   3637             643          10,548

	       10.1.12.7         1.0.5.56   3638             634          41,019

	       10.1.12.7         1.0.5.56   3639             639           6,069

	       10.1.12.7         1.0.5.56   3640             637           7,201

	       10.1.12.7         1.0.5.56   3641             758           3,365

	       10.1.12.7         1.0.5.56   3642             647             169

	       10.1.12.7         1.0.5.56   3643             645             168

	       10.1.12.7         1.0.5.56   3644             654             168

	       10.1.12.7         1.0.5.56   3645             656             504

	       10.1.12.7         1.0.5.56   3646             636           1,071

	       10.1.12.7         1.0.5.56   3647             636             926

	       10.1.12.7         1.0.5.56   3648             639           4,457

	       10.1.12.7         1.0.5.56   3649             646             210

	       10.1.12.7         1.0.5.56   3650             647             210

	       10.1.12.7         1.0.5.56   3651             646             210

	       10.1.12.7         1.0.5.56   3652             647             210

	       10.1.12.7         1.0.5.56   3653             671           6,315

	       10.1.12.7         1.0.5.56   3654             642           9,647

	       10.1.12.7         1.0.5.56   3655             646           4,001

	       10.1.12.7         1.0.5.56   3656             647          21,779

	       10.1.12.7         1.0.5.56   3657             648          10,548

	       10.1.12.7         1.0.5.56   3658             644           5,376

	       10.1.12.7         1.0.5.56   3659             642           7,201

	       10.1.12.7         1.0.5.56   3660             649             210

	       10.1.12.7         1.0.5.56   3661             651             256

	       10.1.12.7         1.0.5.56   3662         263,260         289,592

	       10.1.12.7         1.0.5.56   4182             665           5,474

	       10.1.12.7         1.0.5.56   4184             636           9,647

	       10.1.12.7         1.0.5.56   4185             641          21,779

	       10.1.12.7         1.0.5.56   4186             640           4,001

	       10.1.12.7         1.0.5.56   4187             641           3,184

	       10.1.12.7         1.0.5.56   4188             638           2,498

	       10.1.12.7         1.0.5.56   4189             638           6,745

	       10.1.12.7         1.0.5.56   4190             643          37,720

	       10.1.12.7         1.0.5.56   4191             642          14,743

	       10.1.12.7         1.0.5.56   4192             643          21,191

	       10.1.12.7         1.0.5.56   4193             642             234

	       10.1.12.7         1.0.5.56   4194             643             210

	       10.1.12.7         1.0.5.56   4195             639           8,006

	       10.1.12.7         1.0.5.56   4196             643             989

	       10.1.12.7         1.0.5.56   4197             637          10,878

	       10.1.12.7         1.0.5.56   4198             643          10,548

	       10.1.12.7         1.0.5.56   4199             634          33,502

	       10.1.12.7         1.0.5.56   4200             639           5,562

	       10.1.12.7         1.0.5.56   4201             637           7,201

	       10.1.12.7         1.0.5.56   4202             647           1,810

	       10.1.12.7         1.0.5.56   4203             645           1,117

	       10.1.12.7         1.0.5.56   4204             654             502

	       10.1.12.7         1.0.5.56   4205             656             504

	       10.1.12.7         1.0.5.56   4206             758           3,365

	       10.1.12.7         1.0.5.56   4207             636           1,071

	       10.1.12.7         1.0.5.56   4208             636             926

	       10.1.12.7         1.0.5.56   4209             639           4,457

	       10.1.12.7         1.0.5.56   4210             646             210

	       10.1.12.7         1.0.5.56   4211             647             210

	       10.1.12.7         1.0.5.56   4212             646             210

	       10.1.12.7         1.0.5.56   4213             647             210

	       10.1.12.7         1.0.5.56   4214             671           6,315

	       10.1.12.7         1.0.5.56   4215             642           9,647

	       10.1.12.7         1.0.5.56   4216             646           4,001

	       10.1.12.7         1.0.5.56   4217             647          21,779

	       10.1.12.7         1.0.5.56   4218             648          10,548

	       10.1.12.7         1.0.5.56   4219             644           5,376

	       10.1.12.7         1.0.5.56   4220             642           7,201

	       10.1.12.7         1.0.5.56   4222             649             210

	       10.1.12.7         1.0.5.56   4223             651             256

	       10.1.12.7         1.0.5.56   4224              36         295,848

	       10.1.12.7         1.0.5.56   4412     190,107,036               0

	       10.1.12.7         1.0.5.56   4609     207,264,048               0

	       10.1.12.7         1.0.5.65   6970          45,780               0

	       10.1.12.7        1.0.51.23   6970          59,210               0

	       10.1.12.7       1.0.52.169   6970          66,098               0

	       10.1.12.7        1.0.53.18   6970       1,137,394           1,215

	       10.1.12.7          1.0.6.4   2363         124,844         175,932

	       10.1.12.7       1.0.68.129   6970      64,028,369         327,132

	       10.1.12.7     100.0.16.158   6970      27,375,267         564,403

	       10.1.12.7     100.0.16.193   6970      12,290,057         426,961

	       10.1.12.7      100.0.20.72   6970      13,678,292         485,211

	       10.1.12.7      100.0.20.83   6970      29,478,784         623,086

	       10.1.12.7      100.0.20.91   6970      13,643,206         461,221

	       10.1.12.7      100.0.20.91   6974         101,745           3,561

	       10.1.12.7     197.0.12.140   6970      12,629,394         457,950

	       10.1.12.7     197.0.14.114  18245           2,035               0

	       10.1.12.7     197.0.14.159   6970      25,756,073               0

	       10.1.12.7       197.0.21.2   6970       2,004,283               0

	       10.1.12.7     197.0.23.113   6970          42,456               0

	       10.1.12.7      197.0.9.169   6970      11,982,941         451,292

	       10.1.12.7       197.0.9.35   6970      27,624,153         527,785

	    100.0.16.158        10.1.12.7    554         189,214          92,867

	    100.0.16.193        10.1.12.7    554          91,496          63,677

	     100.0.20.72        10.1.12.7    554         117,660          65,638

	     100.0.20.83        10.1.12.7    554         172,853          86,042

	     100.0.20.91        10.1.12.7    554         117,593          77,289

	     100.0.29.62        10.1.12.7    554           6,057      12,075,568

	    197.0.12.140        10.1.12.7    554          93,067          53,506

	    197.0.14.159        10.1.12.7    554               0          60,080

	      197.0.21.2        10.1.12.7    554               0           8,669

	    197.0.23.113        10.1.12.7    554          27,034     128,849,258

	    197.0.23.203        10.1.12.7    445               0             386

	    197.0.26.101        10.1.12.7    445             678             511

	    197.0.28.132        10.1.12.7    554               0     109,991,827

	     197.0.31.97        10.1.12.7    445             654             386

	     197.0.33.49        10.1.12.7    554           1,223             459

	     197.0.34.31        10.1.12.7    445               0             386

	    197.0.54.106        10.1.12.7    445             634             386

	     197.0.9.169        10.1.12.7    554         121,247          67,235

	      197.0.9.35        10.1.12.7    554          58,844          43,696

	                                     137           4,640               0

	                                      25           2,679           5,629

	                                      80      51,938,632   5,907,012,134

	                                    8080      12,122,504          86,972


(open ftp server, being used to transfer movies. Much more interesting in the
 1.8.1 trace shown below this ...)

1.0.11.14	total traffic: 5,881,317,656
	       1.0.11.14       10.0.251.1   7330      29,296,384   5,851,501,567

	                                     113               9               0

	                                      25          10,268           4,102

	                                      53          13,685          31,430

	                                      80          20,972         439,239

(main client of compromised ftp server)

10.0.251.1	total traffic: 5,881,270,066
	       1.0.11.14       10.0.251.1   7330      29,296,384   5,851,501,567

	      10.0.251.1       197.0.6.69   1049          52,724          24,050

	      10.0.251.1       197.0.6.69   1050               0           1,704

	      10.0.251.1       197.0.6.69   1053          53,080          24,124

	      10.0.251.1       197.0.6.69   1054               0           1,779

	      10.0.251.1       197.0.6.69   1057          53,822          24,479

	      10.0.251.1       197.0.6.69   1058               0           1,854

	      10.0.251.1       197.0.6.69   1118               0             117

	      10.0.251.1       197.0.6.69   1120               0             117

	      10.0.251.1       197.0.6.69   1121               0             289

	      10.0.251.1       197.0.6.69   1124               0             429

	      10.0.251.1       197.0.6.69   1126               0             117

	      10.0.251.1       197.0.6.69   1127               0             429

	      10.0.251.1       197.0.6.69   1130               0             504

	      10.0.251.1       197.0.6.69   1132               0             117... (lots more here)

Below is the 1.8.1 output of the compromised machine. The ~15 meg chunks which
show up are characteristic of .avi movie transfers. What is happening here is
that the source and destination ports are reversed (which used to happen in
1.8) and this is really all to destination port 7330 as shown above in the
2.x output. However this view is valuable (and can and will be reproduced
in 2.x data by inverting the source and dest ports before the sort). It is
an easy visual cue that movies are being transferred (along with the data
volume for a user machine) and this connection is suspicious.

1.0.11.14  total traffic: 5,881,274,226
          1.0.11.14   217.123.96.173   1049          52,456          22,502

          1.0.11.14   217.123.96.173   1053          52,761          22,499

          1.0.11.14   217.123.96.173   1057          53,452          22,779

          1.0.11.14   217.123.96.173   1791          17,379           6,741

          1.0.11.14   217.123.96.173   1818          16,916           6,655

          1.0.11.14   217.123.96.173   4830          38,110          12,073

          1.0.11.14    62.75.136.231  17606               0      15,000,000

          1.0.11.14    62.75.136.231  17641               0      15,000,000

          1.0.11.14    62.75.136.231  17670               0      15,000,000

          1.0.11.14    62.75.136.231  17697               0      15,000,000

          1.0.11.14    62.75.136.231  17808               0      15,000,000

          1.0.11.14    62.75.136.231  17853               0      15,000,000

          1.0.11.14    62.75.136.231  17868               0      15,000,000

          1.0.11.14    62.75.136.231  17911               0      15,000,000

          1.0.11.14    62.75.136.231  17934               0      15,000,000

          1.0.11.14    62.75.136.231  17956               0      15,000,000

          1.0.11.14    62.75.136.231  17982               0      15,000,000

          1.0.11.14    62.75.136.231  18014               0      15,000,000

          1.0.11.14    62.75.136.231  18038               0      15,001,176
...
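The daily roll-up the post describes (sum and sort per-IP traffic over the flow records, then look at one host's per-port breakdown, the repeated same-size chunk pattern the author points at, and the heavy-IRC-user check from the quoted suggestion), as an added Python example. This is not the author's perl script and not argus output; it assumes flow records already flattened to the five columns the report above shows, which I read as source address, destination address, destination port, source bytes and destination bytes. The sample records, the IRC port list and the byte thresholds are constructed for illustration and reuse the anonymized address ranges from the report.

```python
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "src dst port sbytes dbytes")

# Assumption: ports to count as IRC for the "heavy IRC user" check
# (the common 6660-6669 range plus 7000); tune to local policy.
IRC_PORTS = set(range(6660, 6670)) | {7000}

# Constructed sample records, not real argus output. Columns are read as:
#   src_addr  dst_addr  dst_port  src_bytes  dst_bytes
# Addresses reuse the anonymized ranges from the report above. One host
# (1.0.11.14) pushes repeated ~15 MB chunks to a single peer on ephemeral
# ports; another (1.0.5.20) spends the day on IRC.
SAMPLE_FLOWS = """\
10.0.130.1    1.0.4.49        80     153,104,820  11,401,035,083
10.0.130.1    1.0.51.59       443        164,202       1,777,748
197.0.27.176  10.0.130.1      ip             174               0
1.0.11.14     62.75.136.231   17606            0      15,000,000
1.0.11.14     62.75.136.231   17641            0      15,000,000
1.0.11.14     62.75.136.231   17670            0      15,000,000
1.0.11.14     62.75.136.231   17697            0      15,001,176
1.0.5.20      197.0.6.69      6667    48,000,000       3,200,000
1.0.5.20      197.0.6.69      80          20,972         439,239
"""


def parse_flows(text):
    """Parse five-column records; byte counts may carry the report's
    thousands separators, and the port may be a protocol name ("ip")."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # blank or malformed line
        src, dst, port, sb, db = parts
        port = int(port) if port.isdigit() else port
        flows.append(Flow(src, dst, port,
                          int(sb.replace(",", "")), int(db.replace(",", ""))))
    return flows


def host_totals(flows):
    """Bytes in both directions credited to every address seen, sorted
    descending: the 'who moved the most in the last 24 hours' list."""
    totals = defaultdict(int)
    for f in flows:
        totals[f.src] += f.sbytes + f.dbytes
        totals[f.dst] += f.sbytes + f.dbytes
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


def port_breakdown(flows, host):
    """Per-port (src_bytes, dst_bytes) for one host, like the trailing
    per-port rows under each host in the report."""
    by_port = defaultdict(lambda: [0, 0])
    for f in flows:
        if host in (f.src, f.dst):
            by_port[f.port][0] += f.sbytes
            by_port[f.port][1] += f.dbytes
    return {p: tuple(v) for p, v in by_port.items()}


def chunked_transfers(flows, min_bytes=10_000_000, min_flows=3, tolerance=0.02):
    """Flag (src, dst) pairs with several large flows of near-identical
    size: the repeated ~15 MB chunk pattern that marks a file transfer."""
    sizes_by_pair = defaultdict(list)
    for f in flows:
        size = max(f.sbytes, f.dbytes)
        if size >= min_bytes:
            sizes_by_pair[(f.src, f.dst)].append(size)
    hits = {}
    for pair, sizes in sizes_by_pair.items():
        if len(sizes) < min_flows:
            continue
        median = sorted(sizes)[len(sizes) // 2]
        if all(abs(s - median) <= tolerance * median for s in sizes):
            hits[pair] = (len(sizes), median)
    return hits


def heavy_irc_users(flows, min_bytes=5_000_000):
    """Source hosts that moved at least min_bytes over IRC ports."""
    totals = defaultdict(int)
    for f in flows:
        if f.port in IRC_PORTS:
            totals[f.src] += f.sbytes + f.dbytes
    return {h: b for h, b in totals.items() if b >= min_bytes}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for host, total in host_totals(flows):
        print(f"{host:16} total traffic: {total:,}")
    print("chunked transfers:", chunked_transfers(flows))
    print("heavy IRC users:", heavy_irc_users(flows))
```

The chunk check keys on size, not port, so it catches the same pattern whether the collector reports the client's ephemeral port (as the 1.8.1 view above does) or the server's fixed port (as the 2.x view does); the thresholds are starting points and a real deployment would tune them against a baseline of the site's normal traffic.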
