POSSIBLE WORM / DDOS ?

From: Eric Weaver (eric.weaverat_private)
Date: Fri Apr 05 2002 - 06:59:41 PST


    POSSIBLE WORM / DDOS
    
    Appears to be targeting port 21 and/or spreading via SMB. This is all I have
    right now:
    
    tcpdump:
    
    06:29:17.078874 10.2.2.241.1890 > 204.152.189.113.21: S
    3272713560:3272713560(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    06:29:20.081771 10.2.2.241.1891 > 204.152.189.113.21: S
    3273527112:3273527112(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    06:29:23.087434 10.2.2.241.1892 > 209.250.0.132.21: S
    3274340020:3274340020(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    06:29:26.089861 10.2.2.241.1893 > 209.250.0.132.21: S
    3275149251:3275149251(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    06:29:29.301291 10.2.2.241.1028 > 10.2.2.14.53:  161+ A?
    hawking.res.cmu.edu. (37)
    06:29:29.302121 10.2.2.14.53 > 10.2.2.241.1028:  161 NXDomain 0/1/0 (118)
    (DF)
    06:30:29.836128 10.2.2.241.1938 > 198.133.219.27.21: S
    3293275935:3293275935(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    06:30:32.782191 10.2.2.241.1939 > 62.243.72.50.21: S
    3294076486:3294076486(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    06:30:35.786356 10.2.2.241.1940 > 129.128.5.191.21: S
    3294859714:3294859714(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    06:30:38.690326 10.2.2.241.1941 > 66.26.238.15.21: S
    3295637385:3295637385(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    06:30:51.775416 10.2.2.241.1956 > 204.152.189.113.21: S
    3299451469:3299451469(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    06:30:54.804154 10.2.2.241.1957 > 216.10.106.189.21: S
    3300252651:3300252651(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    06:30:57.712465 10.2.2.241.1958 > 204.152.189.113.21: S
    3301052975:3301052975(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    06:31:00.716285 10.2.2.241.1959 > 204.152.189.113.21: S
    3301854583:3301854583(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    06:31:03.721980 10.2.2.241.1960 > 209.250.0.132.21: S
    3302638469:3302638469(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    06:31:06.725382 10.2.2.241.1961 > 209.250.0.132.21: S
    3303448449:3303448449(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    06:31:13.857898 10.2.2.241.1984 > 206.100.24.34.21: S
    3306270291:3306270291(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    06:31:16.836273 10.2.2.241.1985 > 206.100.24.34.21: S
    3307075111:3307075111(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    06:32:02.060208 10.2.2.241.2004 > 198.133.219.27.21: S
    3319333584:3319333584(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    06:32:05.056510 10.2.2.241.2005 > 62.243.72.50.21: S
    3320119259:3320119259(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    06:32:08.009097 10.2.2.241.2006 > 129.128.5.191.21: S
    3320930893:3320930893(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    06:32:11.013294 10.2.2.241.2007 > 66.26.238.15.21: S
    3321738567:3321738567(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    06:32:23.459155 10.2.2.241.2024 > 204.152.189.113.21: S
    3325545579:3325545579(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    06:32:26.462660 10.2.2.241.2025 > 216.10.106.189.21: S
    3326338384:3326338384(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    06:32:29.433905 10.2.2.241.2026 > 204.152.189.113.21: S
    3327134151:3327134151(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    06:32:32.436725 10.2.2.241.2027 > 204.152.189.113.21: S
    3327941671:3327941671(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    06:32:35.443518 10.2.2.241.2028 > 209.250.0.132.21: S
    3328724549:3328724549(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    06:32:38.444911 10.2.2.241.2029 > 209.250.0.132.21: S
    3329535547:3329535547(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    06:32:45.491534 10.2.2.241.2052 > 206.100.24.34.21: S
    3332310269:3332310269(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    
    
    
    Packet dump:
    
     offset    0  1  2  3   4  5  6  7   8  9  a  b   c  d  e  f  0123456789abcdef
    00000000  d4 c3 b2 a1  02 00 04 00  00 00 00 00  00 00 00 00  Ôò¡.............
    00000010  dc 05 00 00  01 00 00 00  62 b5 ad 3c  30 eb 00 00  Ü.......bµ­<0ë..
    00000020  3e 00 00 00  3e 00 00 00  00 00 0c 4a  39 83 00 20  >...>......J9.. 
    00000030  78 05 b5 08  08 00 45 00  00 30 31 62  40 00 80 06  x.µ...E..01b@...
    00000040  1a d2 0a 02  02 f1 c6 85  db 1b 07 d4  00 15 c5 d9  .Ò...ñÆ.Û..Ô..ÅÙ
    00000050  02 d0 00 00  00 00 70 02  40 00 c3 f8  00 00 02 04  .Ð....p.@.Ãø....
    00000060  05 b4 01 01  04 02                                  .´....
    
    
    Netstat of the infected machine:
    
     TCP    10.2.2.241:1993        10.2.2.241:139         TIME_WAIT
     TCP    10.2.2.241:1994        10.2.2.250:445         TIME_WAIT
     TCP    10.2.2.241:1996        10.2.2.250:445         TIME_WAIT
     TCP    10.2.2.241:1998        10.2.2.250:445         TIME_WAIT
     TCP    10.2.2.241:2006        129.128.5.191:21       SYN_SENT
     UDP    0.0.0.0:135            *:*
     UDP    0.0.0.0:445            *:*
     UDP    0.0.0.0:1026           *:*
     UDP    0.0.0.0:1027           *:*
    
    
    (a few seconds later, multiple connections to other SMB shares)
    
      TCP    10.2.2.241:2016        10.2.2.250:445         TIME_WAIT
      TCP    10.2.2.241:2018        10.2.2.250:445         TIME_WAIT
      TCP    10.2.2.241:2020        10.2.2.250:445         TIME_WAIT
      TCP    10.2.2.241:2032        10.2.2.250:445         TIME_WAIT
      TCP    10.2.2.241:2034        10.2.2.250:445         TIME_WAIT
      TCP    10.2.2.241:2036        10.2.2.250:445         TIME_WAIT
      TCP    10.2.2.241:2038        10.2.2.250:445         TIME_WAIT
      TCP    10.2.2.241:2040        10.2.2.250:445         TIME_WAIT
      TCP    10.2.2.241:2042        10.2.2.250:445         TIME_WAIT
      TCP    10.2.2.241:2044        10.2.2.250:445         TIME_WAIT
      TCP    10.2.2.241:2046        10.2.2.250:445         TIME_WAIT
      TCP    10.2.2.241:2048        10.2.2.250:445         TIME_WAIT
      TCP    10.2.2.241:2050        10.2.2.250:445         TIME_WAIT
      TCP    10.2.2.241:2054        10.2.2.250:445         TIME_WAIT
    
    
    
    Eric Weaver
    IDS2.net
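The hex dump in the post above is a complete libpcap file: the d4 c3 b2 a1 magic and 24-byte global header, a 16-byte record header, then one 62-byte Ethernet frame. The script below is an added example, not part of Eric Weaver's post: it takes those bytes (transcribed from the dump), decodes the pcap, Ethernet, IPv4 and TCP fields, recomputes the IP and TCP checksums, and prints the packet in tcpdump's notation so it can be compared with the 06:32:02.060208 line in the trace. The function names and the output layout are my own; only the bytes come from the post.

```python
import struct
from datetime import datetime, timezone

# The pcap file quoted in the post, transcribed from its hex dump
# (24-byte pcap global header, 16-byte record header, then one 62-byte frame).
PCAP_HEX = (
    "d4c3b2a1 02000400 00000000 00000000"
    "dc050000 01000000 62b5ad3c 30eb0000"
    "3e000000 3e000000 00000c4a 39830020"
    "7805b508 08004500 00303162 40008006"
    "1ad20a02 02f1c685 db1b07d4 0015c5d9"
    "02d00000 00007002 4000c3f8 00000204"
    "05b40101 0402"
)
PCAP_BYTES = bytes.fromhex(PCAP_HEX.replace(" ", ""))

# tcpdump's single-letter flag notation ("." is ACK-only)
TCP_FLAG_NAMES = {0x01: "F", 0x02: "S", 0x04: "R", 0x08: "P", 0x10: ".", 0x20: "U"}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd trailing byte zero-padded).
    Over a header that already carries its checksum the result is 0 when it is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_tcp_options(raw: bytes) -> list:
    """Walk TCP options and name them the way tcpdump does: mss N, nop, sackOK, ..."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # no-operation, single byte
            opts.append("nop")
            i += 1
            continue
        length = raw[i + 1]
        body = raw[i + 2:i + length]
        if kind == 2:
            opts.append("mss %d" % struct.unpack("!H", body)[0])
        elif kind == 4:
            opts.append("sackOK")
        else:
            opts.append("opt%d" % kind)
        i += length
    return opts


def decode_first_packet(pcap: bytes) -> dict:
    """Decode the pcap global header, the first record, Ethernet/IPv4/TCP, and verify checksums."""
    magic, vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack("<IHHiIII", pcap[:24])
    assert magic == 0xA1B2C3D4 and linktype == 1, "expected little-endian pcap with Ethernet frames"
    ts_sec, ts_usec, incl_len, orig_len = struct.unpack("<IIII", pcap[24:40])
    frame = pcap[40:40 + incl_len]
    eth_dst, eth_src, eth_type = struct.unpack("!6s6sH", frame[:14])
    assert eth_type == 0x0800, "not IPv4"
    ip = frame[14:]
    ver_ihl, _tos, total_len, ip_id, frag, ttl, proto, _ip_csum, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    assert proto == 6, "not TCP"
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags, flags, window, _tcp_csum, _urg = struct.unpack("!HHIIBBHHH", tcp[:20])
    data_off = (off_flags >> 4) * 4
    # TCP checksum covers a pseudo-header (src, dst, zero, protocol, TCP length) plus the segment
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, proto, len(tcp))
    return {
        "version": (vmaj, vmin), "snaplen": snaplen,
        "time_utc": datetime.fromtimestamp(ts_sec, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S") + ".%06d" % ts_usec,
        "caplen": incl_len, "wirelen": orig_len,
        "eth_src": eth_src.hex(":"), "eth_dst": eth_dst.hex(":"),
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "ttl": ttl, "df": bool(frag & 0x4000), "ip_id": ip_id,
        "ip_checksum_ok": internet_checksum(ip[:ihl]) == 0,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": "".join(n for b, n in TCP_FLAG_NAMES.items() if flags & b),
        "window": window,
        "options": parse_tcp_options(tcp[20:data_off]),
        "payload_len": len(tcp) - data_off,
        "tcp_checksum_ok": internet_checksum(pseudo + tcp) == 0,
    }


if __name__ == "__main__":
    p = decode_first_packet(PCAP_BYTES)
    # Rebuild the tcpdump one-liner from the decoded fields to compare with the trace in the post.
    print("%s %s.%d > %s.%d: %s %d:%d(%d) win %d <%s>%s" % (
        p["time_utc"], p["src"], p["sport"], p["dst"], p["dport"], p["flags"],
        p["seq"], p["seq"] + p["payload_len"], p["payload_len"], p["window"],
        ",".join(p["options"]), " (DF)" if p["df"] else ""))
    print("IP checksum ok:", p["ip_checksum_ok"], "TCP checksum ok:", p["tcp_checksum_ok"])
```

Decoded, the record is 10.2.2.241:2004 to 198.133.219.27:21, SYN, sequence 3319333584, window 16384, MSS 1460 and sackOK, DF set, captured at 14:32:02.060208 UTC (06:32:02 PST), i.e. the sixth-from-last line of the tcpdump output, and both checksums verify, so the dump is a faithful copy of the frame rather than a retyped one. The TTL of 128 and the mss,nop,nop,sackOK option order are also what a Windows stack of that era emits, consistent with the netstat output being from a Windows host.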
    
    
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
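What a responder would want from the tcpdump output above is a quick profile of the source host rather than a line-by-line read. The script below is an added example, not part of the post: it runs over tcpdump lines of the kind shown (a subset of the post's SYN lines joined back onto single lines, plus the DNS query, all constructed from the post) and, per source, counts bare SYNs to tcp/21, distinct targets, the typical spacing, whether any target answered with a SYN/ACK, and whether the same ordered run of targets comes around again, which is what separates a host walking a built-in list from one scanning random addresses. The regex, field names and thresholds are my own choices.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed from the post: a subset of its outbound SYN lines, each re-joined onto one line,
# plus the DNS query so the TCP filter has something to skip.
SAMPLE_LINES = """\
06:29:17.078874 10.2.2.241.1890 > 204.152.189.113.21: S 3272713560:3272713560(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:29:20.081771 10.2.2.241.1891 > 204.152.189.113.21: S 3273527112:3273527112(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:29:23.087434 10.2.2.241.1892 > 209.250.0.132.21: S 3274340020:3274340020(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:29:26.089861 10.2.2.241.1893 > 209.250.0.132.21: S 3275149251:3275149251(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:29:29.301291 10.2.2.241.1028 > 10.2.2.14.53:  161+ A? hawking.res.cmu.edu. (37)
06:30:29.836128 10.2.2.241.1938 > 198.133.219.27.21: S 3293275935:3293275935(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:30:32.782191 10.2.2.241.1939 > 62.243.72.50.21: S 3294076486:3294076486(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:30:35.786356 10.2.2.241.1940 > 129.128.5.191.21: S 3294859714:3294859714(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:30:38.690326 10.2.2.241.1941 > 66.26.238.15.21: S 3295637385:3295637385(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:30:51.775416 10.2.2.241.1956 > 204.152.189.113.21: S 3299451469:3299451469(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:30:54.804154 10.2.2.241.1957 > 216.10.106.189.21: S 3300252651:3300252651(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:32:02.060208 10.2.2.241.2004 > 198.133.219.27.21: S 3319333584:3319333584(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:32:05.056510 10.2.2.241.2005 > 62.243.72.50.21: S 3320119259:3320119259(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:32:08.009097 10.2.2.241.2006 > 129.128.5.191.21: S 3320930893:3320930893(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:32:11.013294 10.2.2.241.2007 > 66.26.238.15.21: S 3321738567:3321738567(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
""".splitlines()

# Old-style tcpdump TCP line: time src.port > dst.port: FLAGS seq:seq(len) rest...
TCP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d{6}) (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<flags>[SFRPU.]+) \d+:\d+\(\d+\)(?P<rest>.*)$"
)


def parse_tcp(lines):
    """Yield one record per TCP line tcpdump printed; non-TCP lines (DNS etc.) are skipped."""
    for line in lines:
        m = TCP_RE.match(line)
        if not m:
            continue
        yield {
            "ts": datetime.strptime(m["ts"], "%H:%M:%S.%f"),
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            # old tcpdump prints a SYN/ACK as "S seq:seq(0) ack N", a bare SYN has no ack field
            "syn": m["flags"] == "S" and " ack " not in m["rest"],
            "synack": m["flags"] == "S" and " ack " in m["rest"],
        }


def summarize_fanout(lines, port=21, min_targets=4):
    """Per source host, profile bare SYNs to `port` and flag list-walking fan-out."""
    by_src = defaultdict(list)   # src -> [(ts, dst)] for bare SYNs to `port`
    answered = defaultdict(set)  # src -> {dst} that sent a SYN/ACK back from `port`
    for r in parse_tcp(lines):
        if r["syn"] and r["dport"] == port:
            by_src[r["src"]].append((r["ts"], r["dst"]))
        elif r["synack"] and r["sport"] == port:
            answered[r["dst"]].add(r["src"])
    report = {}
    for src, events in by_src.items():
        events.sort()
        targets = [d for _, d in events]
        gaps = [(b - a).total_seconds() for (a, _), (b, _) in zip(events, events[1:])]
        # an ordered run of 4 targets seen more than once means the host is walking a fixed list again
        runs = [tuple(targets[i:i + 4]) for i in range(len(targets) - 3)]
        repeated = len(runs) - len(set(runs))
        report[src] = {
            "syns": len(events),
            "distinct_targets": len(set(targets)),
            "answered_targets": len(answered[src] & set(targets)),
            "median_gap_s": round(statistics.median(gaps), 1) if gaps else None,
            "repeated_runs": repeated,
            "suspect": len(set(targets)) >= min_targets and repeated > 0,
        }
    return report


if __name__ == "__main__":
    for src, summary in summarize_fanout(SAMPLE_LINES).items():
        print(src, summary)
```

On these lines the only source is 10.2.2.241: 14 bare SYNs to 7 distinct hosts, a median spacing of about 3 s, none of the targets answering, and the four-host run 198.133.219.27, 62.243.72.50, 129.128.5.191, 66.26.238.15 walked twice, roughly 90 s apart. The 3-second cadence with no reply and the same hosts retried in the same order is what you would expect from a process working through a hard-coded target list and timing out on each, and it is the pattern to look for on other hosts in the netstat SYN_SENT state before deciding whether this is a scanner or a flooder.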
    



    This archive was generated by hypermail 2b30 : Fri Apr 05 2002 - 09:02:48 PST