Hi, i suppose it is a trojan which uses ack tunneling method. I dont know what type of firewall you are using but there are some firewalls doesnt check out the ack packets. anyway, here is the tool for it, ACKCMD that you can find it at http://ntsecurity.nu/toolbox/ackcmd/ there you are gonna find some information as well. cheers Murat- -----Original Message----- From: Russell Fulton [mailto:r.fultonat_private] Sent: Wednesday, September 05, 2001 4:14 PM To: incidentsat_private Subject: Code red variants? Snort logged a bunch of somewhat anomolous packets. At first glance they appear to be standard cmd.exe packets from code red. [**] WEB-IIS cmd.exe access [**] 09/06-07:10:23.613276 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x5EA 130.67.240.225:1450 -> 130.216.223.150:80 TCP TTL:101 TOS:0x0 ID:24351 IpLen:20 DgmLen:1500 DF ***A**** Seq: 0xE68E61F7 Ack: 0xE5C99396 Win: 0x2238 TcpLen: 20 00 FF 75 FC FF 55 F8 89 45 D4 E8 0C 00 00 00 43 ..u..U..E......C 6C 6F 73 65 48 61 6E 64 6C 65 00 FF 75 FC FF 55 loseHandle..u..U F8 89 45 D0 E8 08 00 00 00 5F 6C 63 72 65 61 74 ..E......_lcreat 00 FF 75 FC FF 55 F8 89 45 CC E8 08 00 00 00 5F ..u..U..E......_ 6C 77 72 69 74 65 00 FF 75 FC FF 55 F8 89 45 C8 lwrite..u..U..E. E8 08 00 00 00 5F 6C 63 6C 6F 73 65 00 FF 75 FC ....._lclose..u. FF 55 F8 89 45 C4 E8 0E 00 00 00 47 65 74 53 79 .U..E......GetSy 73 74 65 6D 54 69 6D 65 00 FF 75 FC FF 55 F8 89 stemTime..u..U.. 45 C0 E8 0B 00 00 00 57 53 32 5F 33 32 2E 44 4C E......WS2_32.DL [ snip ] however what puzzeled me is that the destination (130.216.223.150) is firewalled. I then looked at the argus logs: 06 Sep 01 07:10:23 tcp 130.67.240.225.1450 ?> 130.216.223.150.80 1 1 1460 0 A_RPA Which shows a single incoming packet with ACK set and payload. This suggests that the source is simply firing out packets without waiting for the handshake to complete. This is not standard code red behaviour otherwise snort would be logging far more code red alerts. Also there was no ida alert for this address. I then used argus do dump all traffic from 130.67/16 (online.no) and found that there is a steady trickle of such packets. 06 Sep 01 00:02:34 tcp 130.67.216.237.3339 ?> 130.216.246.91.80 1 0 1460 0 A_ 06 Sep 01 00:04:27 tcp 130.67.216.237.3955 ?> 130.216.145.172.80 2 0 2920 0 A_ 06 Sep 01 00:06:58 tcp 130.67.216.237.3339 ?> 130.216.246.91.80 1 0 2920 0 A_ 06 Sep 01 00:17:00 tcp 130.67.114.61.2124 ?> 130.216.213.213.80 1 0 1460 0 A_ 06 Sep 01 00:58:01 tcp 130.67.10.87.1922 ?> 130.216.78.223.80 1 0 1460 0 A_ 06 Sep 01 01:08:47 tcp 130.67.240.131.3281 ?> 130.216.185.75.80 1 1 1460 0 A_R 06 Sep 01 01:23:10 tcp 130.67.58.251.3371 ?> 130.216.187.210.80 1 0 1460 0 A_ 06 Sep 01 01:28:38 tcp 130.67.118.172.4396 ?> 130.216.149.34.80 2 0 2920 0 A_ 06 Sep 01 01:28:59 tcp 130.67.229.89.2904 ?> 130.216.51.74.80 1 0 1460 0 A_ 06 Sep 01 01:33:50 tcp 130.67.118.172.3032 ?> 130.216.72.91.80 1 0 1460 0 A_ This explains one thing: I had noticed that the snort cmd.exe count was consistantly higher than the .ida count but I could not find any packets other than appearantly ordinary code red ones. For comparision I dumped all traffic for another 130/8 which I know has a whole bunch of code red compromised machine and saw none of the bare ACK packets. Any idea what is going on? Russell Fulton, Computer and Network Security Officer The University of Auckland, New Zealand ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Sep 06 2001 - 08:39:36 PDT