> From: "James C. Slora Jr." <Jim.Sloraat_private>
> Date: Sat, 07 Jun 2003 21:29:27 -0400

> Please forgive my rambling below - I'm all hyped up because I've been
> looking at something similar and it looks like something big is happening
> under our noses.

I agree. The few feelers I put out about this have fallen on deaf ears, so I've
been sitting on this for a couple of weeks, watching it slowly grow to its
present volume of one of these random SYNs almost every second against our /16.

> My working hypothesis is that the primary probe source is completely spoofed
> and is some sort of homing signal for a complex trojan. The oddball probes
> are probably not spoofed and are possibly the agents of the actual abusers.
> The "agents" have all been dialup or cable modem systems (probably owned),
> except the primary prober that is spoofing the address of a very large
> semi-government agency.

We're seeing around 100-200 "agents" (as you call them) here. I also concluded
that the one-to-one source-to-destination probers are spoofed (i.e., your
"primary prober"), and I've been looking at the one-to-many probers ("agents")
as the interesting traffic. Presently each of these ~100 probers probes our /16
network anywhere from once/minute (the most active prober) to once every 1-3
hours. As you found, these addresses are dominated by cable/DSL/broadband
providers. Another common thread is that many (but not all) of them have open
netbios port(s), primarily 135/tcp.

> I also can't help but wonder if this traffic might be related to the
> stateless Code Red middle packets being logged widely and some Code Red
> infections that people are reporting inside hardened systems. A Q-like
> trojan could possibly have been triggered by the packets to start sending
> Code Red packets even though IIS had been hardened. Maybe someone who has
> had this happen could review their logs and compare sequence and IDs on
> packets from the source they believe compromised them with a stateless 2nd
> packet only of Code Red. If those sequence and IDs correlate with other
> anomalous packets, that might establish a link.

FWIW so far I haven't found any IIS servers running in the "agent" group.

Ken Eichman
Senior Scientist
Chemical Abstracts Service
IT Information Security
2540 Olentangy River Road
Columbus, OH 43210
614-447-3600 ext. 3230
keichmanat_private

----------------------------------------------------------------------------
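The two-step triage the thread describes (split sources into one-to-one probers, which look spoofed, versus one-to-many "agents", then check whether the one-to-one group shares a constant IP ID and sequence number the way a crafted sender would) as an added example in Python. This is not code from either poster; the simplified log format, the field names and the sample lines are constructed for illustration.

```python
"""Triage SYN probe sources from firewall log lines (added example, not from the thread)."""
from collections import defaultdict
import re

# Constructed sample log lines in a simplified iptables-like format (not real data).
# The first three sources each hit exactly one target with an identical ID/SEQ pair;
# the last source sweeps several hosts with a normally incrementing ID and SEQ.
SAMPLE_LOG = """\
Jun 07 21:00:01 SRC=10.9.1.1 DST=192.0.2.17 PROTO=TCP SPT=1024 DPT=80 ID=7777 SEQ=305419896 SYN
Jun 07 21:00:02 SRC=10.9.1.2 DST=192.0.2.18 PROTO=TCP SPT=1025 DPT=80 ID=7777 SEQ=305419896 SYN
Jun 07 21:00:03 SRC=10.9.1.3 DST=192.0.2.19 PROTO=TCP SPT=1026 DPT=80 ID=7777 SEQ=305419896 SYN
Jun 07 21:00:10 SRC=198.51.100.5 DST=192.0.2.20 PROTO=TCP SPT=3001 DPT=80 ID=1201 SEQ=11 SYN
Jun 07 21:01:10 SRC=198.51.100.5 DST=192.0.2.44 PROTO=TCP SPT=3002 DPT=80 ID=1202 SEQ=12 SYN
Jun 07 21:02:10 SRC=198.51.100.5 DST=192.0.2.91 PROTO=TCP SPT=3003 DPT=80 ID=1203 SEQ=13 SYN
"""

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) .*?DPT=(\d+) ID=(\d+) SEQ=(\d+) SYN")


def parse(log):
    """Yield (src, dst, dport, ipid, seq) for each SYN line; skip lines that do not match."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            src, dst, dport, ipid, seq = m.groups()
            yield src, dst, int(dport), int(ipid), int(seq)


def classify_sources(log, min_targets=3):
    """Split sources into one-to-one probers and one-to-many probers ("agents").

    A source that only ever touches a single destination is a spoofing candidate;
    a source that sweeps at least `min_targets` hosts behaves like a real scanner."""
    targets = defaultdict(set)
    for src, dst, _, _, _ in parse(log):
        targets[src].add(dst)
    one_to_one = sorted(s for s, d in targets.items() if len(d) == 1)
    one_to_many = sorted(s for s, d in targets.items() if len(d) >= min_targets)
    return one_to_one, one_to_many


def shared_fingerprint(log, sources):
    """Return the (ipid, seq) pair if every packet from `sources` carries the same one, else None.

    Many distinct sources all sending one constant IP ID and TCP sequence number is
    the signature of a single crafted sender spoofing addresses, not of independent
    hosts with real TCP stacks, whose IDs and ISNs vary from packet to packet."""
    seen = {(ipid, seq) for src, _, _, ipid, seq in parse(log) if src in sources}
    return seen.pop() if len(seen) == 1 else None
```

On the constructed sample, the three 10.9.1.x sources come out as one-to-one probers sharing the fingerprint (7777, 305419896), while 198.51.100.5 is the only one-to-many source and has no shared fingerprint.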
This archive was generated by hypermail 2b30 : Tue Jun 10 2003 - 13:26:50 PDT