Re: Kuang2 strikes again, is it just me?

From: Kevin Patz (jambo_catat_private)
Date: Tue Feb 18 2003 - 10:59:17 PST

    In-Reply-To: <20030217115734.53e79e9d.dokasat_private>
    
    >I just caught one on one of my /16 networks.  I noticed the machine because it created
    >several GB of IP Protocol 255 traffic last night aimed at a cablemodem.  Here's what an
    >NMAP of the machine looks like:
    >
    >  (snip)
    >  17300/tcp  open        unknown
    >
    >It's definitely got Kuang2 on it:
    
    It's likely infected with the W32.Weird virus, which 
    drops the Kuang2 backdoor.  It's most likely a 
    95/98/ME box.
    
    Just to add more data to the mix, here's a list of the 
    Kuang2 scans I've logged on my box (cable modem ATTBI 
    subscriber, 24.62.* IP address) from 1/1/03 to 
    present.  The Cnt column is the number of scans by 
    that source IP/port, usually within 2-3 seconds of 
    each other.  Since I DENY packets and don't send a 
    refuse ICMP some hosts will attempt 2-3 times before 
    moving on.
    
    I marked three entries with an asterisk, since they 
    have a source port of 17300 rather than an ephemeral 
    source port.  I wonder if a particular scan tool does 
    this.  I experienced peaks on 1/26 (8 scans) and from 
    2/5 to 2/9 (3-9 scans per day).
    
    My other question on Kuang2 is whether it's capable 
    of distributed scanning like SubSeven.  If it is, this 
    could also be responsible for the occasional peak.
    
    Kuang2 (TCP/17300) scans from 1/1/03 to 2/17/03
    
    Date       Time     Source IP       SrcPt DstPt Cnt
    01/01/2003 15:01:56 213.184.160.172 4503  17300 1
    01/07/2003 00:05:20 80.142.73.163   3248  17300 1
    01/12/2003 07:24:17 66.189.39.17    3861  17300 2
    01/13/2003 04:55:03 24.98.26.29     4686  17300 2
    01/13/2003 12:37:47 66.91.171.247   2295  17300 1
    01/13/2003 14:45:36 210.8.66.10     17300 17300 1*
    01/14/2003 15:54:12 81.7.63.44      4072  17300 3
    01/14/2003 17:02:12 66.91.171.247   3575  17300 1
    01/15/2003 01:18:20 24.100.161.70   1291  17300 1
    01/15/2003 15:06:05 4.3.181.149     2284  17300 2
    01/20/2003 00:54:48 217.80.153.191  22874 17300 1
    01/20/2003 11:25:36 217.80.153.166  24120 17300 1
    01/23/2003 23:47:47 64.29.17.111    17300 17300 1*
    01/24/2003 14:47:56 24.76.219.38    3424  17300 2
    01/26/2003 00:34:26 141.152.177.79  1382  17300 2
    01/26/2003 04:20:04 141.152.177.79  2463  17300 2
    01/26/2003 05:34:13 24.187.185.101  3464  17300 2
    01/26/2003 09:34:41 24.102.236.85   4752  17300 2
    01/26/2003 09:34:46 24.102.236.85   1404  17300 2
    01/26/2003 11:45:14 24.187.185.101  3637  17300 2
    01/26/2003 14:06:38 24.164.238.7    3376  17300 1
    01/26/2003 18:17:32 68.14.181.140   2840  17300 1
    01/29/2003 08:09:36 66.214.111.110  1560  17300 2
    02/01/2003 19:31:07 24.203.156.127  3360  17300 1
    02/05/2003 22:25:40 61.43.227.43    3427  17300 3
    02/05/2003 22:47:19 211.220.116.24  2457  17300 4
    02/05/2003 23:01:52 218.156.129.81  1199  17300 3
    02/06/2003 03:39:10 211.197.114.31  1835  17300 3
    02/06/2003 04:21:35 211.227.46.132  1771  17300 4
    02/06/2003 04:28:02 211.218.73.189  1517  17300 3
    02/06/2003 04:44:09 218.158.184.147 2942  17300 3
    02/06/2003 05:11:36 61.85.146.3     1349  17300 3
    02/06/2003 05:28:45 211.187.187.39  2958  17300 3
    02/06/2003 05:38:15 211.231.83.242  1838  17300 4
    02/06/2003 06:10:04 211.222.253.33  1926  17300 3
    02/06/2003 06:53:21 211.177.105.181 3293  17300 4
    02/07/2003 04:55:36 220.91.89.234   1627  17300 2
    02/07/2003 19:19:36 172.147.236.164 2996  17300 4
    02/07/2003 21:35:05 211.55.14.116   3091  17300 3
    02/07/2003 21:57:26 61.72.6.98      1737  17300 3
    02/07/2003 22:05:16 218.150.165.150 2092  17300 4
    02/07/2003 22:05:59 211.177.227.49  2142  17300 4
    02/07/2003 22:30:56 211.106.254.201 4442  17300 3
    02/08/2003 10:55:49 61.79.216.59    4689  17300 3
    02/08/2003 11:35:33 61.99.88.185    4651  17300 4
    02/08/2003 21:42:57 210.221.43.27   1965  17300 2
    02/08/2003 22:35:34 61.83.51.247    1991  17300 3
    02/08/2003 22:39:24 61.84.125.83    2441  17300 3
    02/08/2003 22:57:44 211.228.146.31  4536  17300 3
    02/08/2003 23:17:21 218.52.74.6     4299  17300 3
    02/08/2003 23:20:16 218.238.254.28  3761  17300 4
    02/09/2003 02:41:50 24.205.7.146    1376  17300 2
    02/09/2003 10:37:41 61.76.48.91     3874  17300 4
    02/11/2003 00:12:01 80.194.224.229  2798  17300 3
    02/11/2003 00:13:22 218.147.6.222   1207  17300 3
    02/15/2003 13:45:15 24.192.165.189  4718  17300 3
    02/17/2003 04:11:26 204.42.204.151  17300 17300 1*
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
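The analysis the post does by hand (counting scans per day to find the peaks, marking rows whose source port is 17300 instead of an ephemeral port, and noting that DENY-without-ICMP makes hosts retry 2-3 times) can be scripted over the log format above. The following Python is an added example, not code from the post or the list; it embeds a subset of the rows from the table above (the three starred rows, the eight 01/26 rows and the three 02/05 rows) as its sample input, and the function names, the `Scan` record and the peak threshold are this example's own choices.

```python
import re
from collections import Counter, namedtuple

# Subset of the rows from the post's table, in the post's own column layout.
# (Constructed sample input for this example; the full table is in the post.)
SCAN_LOG = """\
01/13/2003 14:45:36 210.8.66.10     17300 17300 1*
01/23/2003 23:47:47 64.29.17.111    17300 17300 1*
01/26/2003 00:34:26 141.152.177.79  1382  17300 2
01/26/2003 04:20:04 141.152.177.79  2463  17300 2
01/26/2003 05:34:13 24.187.185.101  3464  17300 2
01/26/2003 09:34:41 24.102.236.85   4752  17300 2
01/26/2003 09:34:46 24.102.236.85   1404  17300 2
01/26/2003 11:45:14 24.187.185.101  3637  17300 2
01/26/2003 14:06:38 24.164.238.7    3376  17300 1
01/26/2003 18:17:32 68.14.181.140   2840  17300 1
02/05/2003 22:25:40 61.43.227.43    3427  17300 3
02/05/2003 22:47:19 211.220.116.24  2457  17300 4
02/05/2003 23:01:52 218.156.129.81  1199  17300 3
02/17/2003 04:11:26 204.42.204.151  17300 17300 1*
"""

KUANG2_PORT = 17300  # TCP port the Kuang2 backdoor listens on (from the post)

# One parsed row; 'count' is the post's Cnt column, 'starred' its asterisk mark.
Scan = namedtuple("Scan", "date time src_ip src_port dst_port count starred")

# date time ip src_port dst_port cnt[*]  -- whitespace-separated, asterisk optional
ROW_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2}:\d{2})\s+"
    r"(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(\d+)\s+(\d+)(\*?)$"
)


def parse_scans(text):
    """Parse rows in the post's layout; lines that are not rows are skipped."""
    scans = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        date, time, ip, sport, dport, cnt, star = m.groups()
        scans.append(Scan(date, time, ip, int(sport), int(dport),
                          int(cnt), star == "*"))
    return scans


def scans_per_day(scans):
    """Number of distinct scanning source IP/port pairs (rows) per day."""
    return Counter(s.date for s in scans)


def peak_days(scans, threshold=3):
    """Days with at least 'threshold' rows, in date order as logged."""
    per_day = scans_per_day(scans)
    return [d for d in dict.fromkeys(s.date for s in scans) if per_day[d] >= threshold]


def fixed_source_port(scans, port=KUANG2_PORT):
    """Rows whose source port equals the target port instead of an ephemeral one.
    A fixed source port is a tool fingerprint worth keeping separate from the rest."""
    return [s for s in scans if s.src_port == port]


def asterisks_consistent(scans, port=KUANG2_PORT):
    """Check that the hand-placed asterisks match the src_port == port rule exactly."""
    return all(s.starred == (s.src_port == port) for s in scans)


def retry_profile(scans):
    """How many sources retried how many times (Cnt value -> number of rows).
    With DENY and no ICMP refusal the post expects 2-3 attempts per source."""
    return Counter(s.count for s in scans)


if __name__ == "__main__":
    scans = parse_scans(SCAN_LOG)
    print("rows parsed:", len(scans))
    print("scans per day:", dict(scans_per_day(scans)))
    print("peak days (>=3 rows):", peak_days(scans))
    print("fixed source port:", [s.src_ip for s in fixed_source_port(scans)])
    print("asterisks match rule:", asterisks_consistent(scans))
    print("retry profile:", dict(retry_profile(scans)))
```

Run against the full table the same way to reproduce the post's 1/26 and 2/5-2/9 peaks; the `retry_profile` output makes it easy to see whether a day's spike is many distinct sources or a few sources retrying, which is the distinction that matters before suspecting distributed scanning.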
    



    This archive was generated by hypermail 2b30 : Tue Feb 18 2003 - 17:16:05 PST