Re(2): Help with an odd log file...

From: Ken Eichman (keichmanat_private)
Date: Mon Jun 09 2003 - 12:58:52 PDT

    > From: "James C. Slora Jr." <Jim.Sloraat_private>
    > Date: Sat, 07 Jun 2003 21:29:27 -0400
    > Please forgive my rambling below - I'm all hyped up because I've been
    > looking at something similar and it looks like something big is happening
    > under our noses.
    
    I agree. The few feelers I put out about this have fallen on deaf ears so
    I've been sitting on this for a couple of weeks, watching it slowly grow
    to its present volume of one of these random SYNs almost every second
    against our /16.
    
    > My working hypothesis is that the primary probe source is completely spoofed
    > and is some sort of homing signal for a complex trojan. The oddball probes
    > are probably not spoofed and are possibly the agents of the actual abusers.
    > The "agents" have all been dialup or cable modem systems (probably owned),
    > except the primary prober that is spoofing the address of a very large
    > semi-government agency.
    
    We're seeing around 100-200 "agents" (as you call them) here. I also
    concluded that the one-to-one source-to-destination probers are spoofed
    (i.e., your "primary prober"), and I've been looking at the one-to-many probers
    ("agents") as the interesting traffic. Presently each of these ~100
    probers is probing our /16 network anywhere from once/minute (the most active
    prober) to once every 1-3 hours. As you found, these addresses are
    dominated by cable/DSL/broadband providers. Another common thread is that
    many (but not all) of them have open netbios port(s), primarily 135/tcp.
    
    > I also can't help but wonder if this traffic might be related to the
    > stateless Code Red middle packets being logged widely and some Code Red
    > infections that people are reporting inside hardened systems. A Q-like
    > trojan could possibly have been triggered by the packets to start sending
    > Code Red packets even though IIS had been hardened. Maybe someone who has
    > had this happen could review their logs and compare sequence and IDs on
    > packets from the source they believe compromised them with a stateless 2nd
    > packet only of Code Red. If those sequence and IDs correlate with other
    > anomalous packets, that might establish a link.
    
    FWIW so far I haven't found any IIS servers running in the "agent" group.
    
    Ken Eichman                 Senior Scientist
    Chemical Abstracts Service  IT Information Security
    2540 Olentangy River Road   614-447-3600 ext. 3230
    Columbus, OH 43210          keichmanat_private
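The split Ken describes above, one-to-one probers (treated as spoofed) versus one-to-many "agents" ranked by how often they sweep the /16, can be pulled straight out of a SYN log. The script below is an added example, not code from the thread or either poster; it assumes a constructed `epoch src dst dport` line format and RFC 5737 test addresses rather than any real sensor output.

```python
"""Classify SYN probe sources by destination fan-out and mean probe interval.

Added example, not from the original thread. Each log line is a constructed
'epoch src dst dport' record; a real sensor's format would need its own parser.
"""
from collections import defaultdict

# Constructed sample log (hypothetical addresses from the RFC 5737 test ranges).
SAMPLE_LOG = """\
1055000000 198.51.100.7 203.0.113.10 80
1055000060 198.51.100.7 203.0.113.44 80
1055000120 198.51.100.7 203.0.113.201 80
1055000005 192.0.2.50 203.0.113.88 80
1055000010 192.0.2.51 203.0.113.89 80
1055003600 198.51.100.9 203.0.113.12 80
1055007200 198.51.100.9 203.0.113.130 80
"""


def parse(log_text):
    """Yield (timestamp, src, dst, dport) tuples, skipping blank lines."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        yield int(ts), src, dst, int(port)


def classify_sources(log_text):
    """Return {src: (category, distinct_destinations, mean_gap_seconds)}.

    A source that only ever hits one destination is the 'one-to-one' pattern
    the thread treats as spoofed; a source sweeping several destinations is
    an 'agent', and mean_gap_seconds gives its sweep rate (None if seen once).
    """
    hits = defaultdict(list)
    for ts, src, dst, _ in parse(log_text):
        hits[src].append((ts, dst))
    result = {}
    for src, events in hits.items():
        events.sort()
        dsts = {d for _, d in events}
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        mean_gap = sum(gaps) / len(gaps) if gaps else None
        category = "one-to-many (agent)" if len(dsts) > 1 else "one-to-one (suspect spoofed)"
        result[src] = (category, len(dsts), mean_gap)
    return result


if __name__ == "__main__":
    for src, (cat, n, gap) in sorted(classify_sources(SAMPLE_LOG).items()):
        print(f"{src:16} {cat:30} dsts={n} mean_gap={gap}")
```

Sorting agents by `mean_gap` ascending reproduces the "most active prober first" ordering; the open-port correlation mentioned in the message would need a separate scan or enrichment source.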
    