Re: shaft client to handler?

From: Neil Dickey (neilat_private)
Date: Tue Jan 22 2002 - 11:25:10 PST


    You wrote to the Incidents list:
    
    >I got these message from my Snort sensor earlier today ... it
    >shouldn't be valid traffic.
    
    I'm not sure on the face of it why you think this shouldn't be valid
    traffic.  The target port is a high number port not normally associated
    with any particular software package, and therefore available for
    assignment to be used as needed.
    
    >Also, in the several hours previous, I've
    >been seeing lots of large ICMP packets and "Communication
    >Administratively Prohibited" traffic to various hosts on the internal
    >network.
    
    These sorts of things are normal in my experience.  I'm assuming that
    these packets are coming from the internet to hosts in your internal
    net.  If they are exchanged between hosts in your internal net, then
    there is a problem of some sort.
    
    >Have I potentially been compromised, or is this "scatter" traffic?
    
    There isn't enough information to make a judgement on whether or not
    you have been compromised.  If the Snort rule which tripped these
    alerts is similar to the one I have seen, *any* traffic to port 20432
    will trip it, regardless of content.  Rules of this sort are prone to
    false alarms.
    
    If you aren't running it already, I suggest you examine the program
    "Tripwire" on the Computer Emergency Response Team ( Cert ) website.
    Used properly, it can tell you in a few minutes whether anything has
    changed on your system, *but* you must have it installed and initialized
    on a known-clean system *before* a suspected compromise occurs and you
    need to use it.
    
    What looks interesting to me are the source ports for the packets:
    
    >Jan 21 15:51:45 hostname snort: [1:230:1] DDOS shaft client to handler
    >[Classification: Attempted Denial of Service] [Priority: 2]: {TCP}
    >216.227.124.82:76 -> x.x.x.x:20432
    
    Port 76 is associated with 'finger'.
    
    >Jan 21 15:51:46 hostname snort: [1:230:1] DDOS shaft client to handler
    >[Classification: Attempted Denial of Service] [Priority: 2]: {TCP}
    >216.227.124.82:20 -> x.x.x.x:20432
    
    Port 20 is the 'ftp' data transfer port.
    
    Spaced about a second apart as they are, this could have been a scan of
    some sort or another looking for a trojan ( Shaft? ) listening on that
    port.  It also seems possible from the information given that it may
    have been part of a passive FTP session.  I think that possibility is
    remote, however, because I don't know why 'finger' would be involved.
    
    You only seem to have posted part of the alert log.  Was this a SYN
    packet?  SYN-FIN?  ACK-PUSH?  Was there a payload?  If so, what did it
    have in it?
    
    Best regards,
    
    Neil Dickey, Ph.D.
    Research Associate/Sysop
    Geology Department
    Northern Illinois University
    DeKalb, Illinois
    60115
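The reply above reasons from three things that are visible in the quoted alert lines: the rule fires on the destination port alone, both source ports fall in the well-known range, and the two packets arrived one second apart. The following script is an added example (not code from the thread or from Snort) that parses alerts in the syslog format quoted in the message and pulls out exactly those three facts for triage. The sample lines are constructed from the two quoted alerts with the redacted `x.x.x.x` replaced by a documentation-range address; the year is an assumption, since syslog timestamps carry none.

```python
"""Triage helper for Snort 'DDOS shaft client to handler' alerts (sid 230).

Added example, not code from the thread or from Snort.  It parses the syslog
alert format quoted in the message, flags source ports in the well-known
range, and measures the spacing between alerts from the same source.
"""
import re
from datetime import datetime

# Constructed sample input: the two alerts quoted in the thread, with the
# redacted x.x.x.x destination replaced by a documentation-range address.
SAMPLE_ALERTS = [
    "Jan 21 15:51:45 hostname snort: [1:230:1] DDOS shaft client to handler "
    "[Classification: Attempted Denial of Service] [Priority: 2]: {TCP} "
    "216.227.124.82:76 -> 192.0.2.10:20432",
    "Jan 21 15:51:46 hostname snort: [1:230:1] DDOS shaft client to handler "
    "[Classification: Attempted Denial of Service] [Priority: 2]: {TCP} "
    "216.227.124.82:20 -> 192.0.2.10:20432",
]

# Snort-to-syslog alert line: timestamp, host, [gid:sid:rev], message,
# classification, priority, protocol, src:port -> dst:port.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) snort: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# IANA well-known (system) ports end at 1023; ordinary clients pick ephemeral
# source ports above that, so a low source port hints at a scanner or a
# server-side data connection rather than a normal client.
WELL_KNOWN_MAX = 1023
PORT_NAMES = {20: "ftp-data", 21: "ftp", 22: "ssh", 25: "smtp",
              53: "domain", 79: "finger", 80: "http"}


def parse_alert(line, year=2002):
    """Parse one alert line into a dict.  Syslog timestamps carry no year,
    so the caller supplies it (assumed 2002, the year of the thread)."""
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised alert line: {line!r}")
    d = m.groupdict()
    return {
        "time": datetime.strptime(f"{year} {d['ts']}", "%Y %b %d %H:%M:%S"),
        "sid": int(d["sid"]),
        "msg": d["msg"],
        "proto": d["proto"],
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
    }


def triage(lines, year=2002):
    """Return one finding per alert, in time order, recording whether the
    source port is in the well-known range and how many seconds elapsed since
    the previous alert from the same source address."""
    alerts = sorted((parse_alert(ln, year) for ln in lines),
                    key=lambda a: a["time"])
    last_seen = {}
    findings = []
    for a in alerts:
        gap = None
        if a["src"] in last_seen:
            gap = (a["time"] - last_seen[a["src"]]).total_seconds()
        last_seen[a["src"]] = a["time"]
        findings.append({
            "sid": a["sid"],
            "src": f"{a['src']}:{a['sport']}",
            "dst": f"{a['dst']}:{a['dport']}",
            "low_source_port": a["sport"] <= WELL_KNOWN_MAX,
            "source_port_name": PORT_NAMES.get(a["sport"]),
            "seconds_since_prev_from_src": gap,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_ALERTS):
        print(f)
```

Flags and payload are not present in the syslog one-liner, which is why the script cannot answer the closing questions of the reply; those have to come from the full alert record or a packet capture, and a port-only rule gives no grounds for a compromise verdict on its own.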
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Tue Jan 22 2002 - 12:11:40 PST