Security Incidents mailing list archives
Re: FW: SANS FLASH: New Trojan Sending Data To Russia
From: Vitaly Osipov <vos () TELENOR CZ>
Date: Mon, 31 Jul 2000 19:18:49 +0200
As a former inhabitant of Russia I can just make some comments on addresses/providers/etc.

First, that netblock mentioned is part of the dynamic address pool for dialup PPP connections of one of the major Russian ISPs (try www.dol.ru).

Second - in the message provided I do not see any signs of some trojan/whatever _sending_ data to this Russian address - your honeypot was just probed for proxy features (maybe there were some connections on port 3128 too, not only 80 and 8080 and 1080?), and because it replied (as a honeypot should do ;) ), now you are in some proxy list - that's all! Just one simple scan results in such a big flash report... looks a bit like security hysteria :)))

As to the link quoted below - http://www.sans.org/y2k/072800.htm - I did not understand what a proxy scan from .ru has to do with a break-in from .my

regards,
Vitaly.

----- Original Message -----
From: "Ed Padin" <epadin () WAGWEB COM>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Monday, July 31, 2000 5:59 PM
Subject: FW: SANS FLASH: New Trojan Sending Data To Russia
Can anyone shed more light on this?

-----Original Message-----
From: The SANS Institute [mailto:sans () sans org]
Sent: Friday, July 28, 2000 8:35 PM
Subject: SANS FLASH: New Trojan Sending Data To Russia

SANS Flash Report: Trojans Sending More Data To Russia
July 28, 2000, 6:20 pm, EDT

This is preliminary information. The GIAC (Global Incident Analysis Center) has received several submissions showing large amounts of data being sent, illegitimately, from Windows 98 machines to a Russian IP address (194.87.6.X). The cause is most probably a Trojan, but whatever it is, it is moving fast.

What should you do?
1. All sites should block network traffic from or to 194.87.6.X
2. If you see outgoing traffic from one of your machines to that address, you should pull it from the network until anti-virus signatures are available.

This activity has been going on for a few days, but the correlations are just coming in. If you have information to share, please send it to intrusion () sans org.

The remainder of this message is fairly technical and meant to help system administrators and firewall administrators protect their systems.

Thank you!
Stephen Northcutt, Director
Global Incident Analysis Center
The SANS Institute

From SANS GIAC Report 00/07/28 (dhoelzer)

This one came in at about 20:16 on July 26. The 194.87.6.201 machine, interestingly enough, resolves back to .ru. There is no other traffic to or from this network (194.87.6.X) for the last two months of live data that I have online. It's hard to make a guess on this one. Perhaps the machine that recorded this is on a proxy list somewhere, but then, this machine is a brand new honeypot on an IP address that hasn't been populated for at least 7 years, and has never been used as a proxy server. If this is just a random stab, it's interesting that there is no record of any network mapping from this network/host.
Perhaps there was some coordinated mapping here, or perhaps there is someone out there who has mapped us already who was willing to share (or moved to a new network).

bash# cat 8080
Initializing server socket...
Binding to port 8080...Done.
Starting listener...
Listening.
Connection from: 194.87.6.201
  0| 47 45 54 20 68 74 74 70 3a 2f 2f 77 77 77 2e 63
 16| 6f 6d 6d 69 73 73 69 6f 6e 2d 6a 75 6e 63 74 69
 32| 6f 6e 2e 63 6f 6d 2f 20 48 54 54 50 2f 31 2e 31
 48| 0d 0a 48 6f 73 74 3a 20 77 77 77 2e 63 6f 6d 6d
 64| 69 73 73 69 6f 6e 2d 6a 75 6e 63 74 69 6f 6e 2e
 80| 63 6f 6d 0d 0a 41 63 63 65 70 74 3a 20 2a 2f 2a
 96| 0d 0a 50 72 61 67 6d 61 3a 20 6e 6f 2d 63 61 63
112| 68 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20
+-------------------------------------------------
  0| G E T   h t t p : / / w w w . c
 16| o m m i s s i o n - j u n c t i
 32| o n . c o m /   H T T P / 1 . 1
 48| . . H o s t :   w w w . c o m m
 64| i s s i o n - j u n c t i o n .
 80| c o m . . A c c e p t :   * / *
 96| . . P r a g m a :   n o - c a c
112| h e . . U s e r - A g e n t :
128| M o z i l l a / 4 . 0   ( c o m
144| p a t i b l e ;   M S I E   4 .
160| 0 1 ;   W i n d o w s   9 8 ) .
176| . . .
+-------------------------------------------------
     0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
Connection Terminated

bash# nslookup 194.87.6.201
Server:  midgaard.smsc.com
Address:  170.129.53.52

Name:    201.6.87.194.dynamic.dol.ru
Address:  194.87.6.201

+++ Correlation to Laurie's post to GIAC Report 00/07/28, (http://www.sans.org/y2k/072800.htm):

(Laurie@.edu)
=-=-=-=-=-=-=-=-=-=-=
194.87.6.201 == 201.6.87.194.dynamic.dol.ru  RU-DEMOS-940901

Included this because of the Russian source address.
Jul 26 22:26:23 hostka snort[20224]: MISC-WinGate-8080-Attempt:194.87.6.201:3344 -> a.b.c.32:8080

http and Wingate connection attempts from the same `dynamic.dol.ru' domain:

Name:    27.6.87.194.dynamic.dol.ru
Address:  194.87.6.27

Jul 27 19:30:08 foo /kernel: Connection attempt to TCP a.b.c.8:80 from 194.87.6.27:4156

Name:    147.6.87.194.dynamic.dol.ru
Address:  194.87.6.147

[**] WinGate 8080 Attempt [**]
07/24-23:04:39.418351 194.87.6.147:3185 -> a.b.c.8:8080
TCP TTL:120 TOS:0x0 ID:12966 DF
**S***** Seq: 0x540140 Ack: 0x0 Win: 0x2000
TCP Options => MSS: 536 NOP NOP SackOK

[**] WinGate 8080 Attempt [**]
07/24-23:04:40.502718 194.87.6.147:3185 -> a.b.c.8:8080
TCP TTL:120 TOS:0x0 ID:17318 DF
**S***** Seq: 0x540140 Ack: 0x0 Win: 0x2000
TCP Options => MSS: 536 NOP NOP SackOK

[**] WinGate 8080 Attempt [**]
07/24-23:04:41.521379 194.87.6.147:3185 -> a.b.c.8:8080
TCP TTL:120 TOS:0x0 ID:27302 DF
**S***** Seq: 0x540140 Ack: 0x0 Win: 0x2000
TCP Options => MSS: 536 NOP NOP SackOK

The system trace below was found by a conseal firewall:

2000/07/27 9:15:19 PM GMT -0400: NDC 10/100 Fast E..[0001][No matching rule] Blocking outgoing TCP: src=24.114.my.ip, dst=194.87.6.27, sport=8080, dport=2418.
2000/07/27 9:15:22 PM GMT -0400: NDC 10/100 Fast E..[0001][Ref# 181] Blocking incoming connection attempt: src=194.87.6.27, local port 8080.
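An added example (Python; not part of the archived message, nor SANS/GIAC code) that performs the two checks Vitaly's reply rests on. It decodes the listener's hex dump back into the HTTP request and flags an absolute-form request target ("GET http://host/ ..." rather than "GET / ...") as a forward-proxy request, which is what an open-proxy probe looks like on the wire; and it groups the snort alerts by source/destination 4-tuple so that three alerts carrying the same Seq value are reported as one SYN retransmitted, not three separate scans. The hex rows are transcribed from the dump above; the bytes past offset 128 are reconstructed from the ASCII column and the alert lines are condensed to one line each, so both are constructed input. The port set is the one Vitaly names (80, 1080, 3128, 8080).

```python
"""Decode the honeypot hex dump and classify it as an open-proxy probe.

Added example; not part of the archived message or of SANS/GIAC.  The dump
bytes are transcribed from the hex rows of the message; everything past
offset 128 is reconstructed from the ASCII column, so it is constructed input.
"""
import re
from urllib.parse import urlsplit

# Hex rows exactly as the honeypot listener printed them ("offset| bytes").
HEXDUMP = """\
0| 47 45 54 20 68 74 74 70 3a 2f 2f 77 77 77 2e 63
16| 6f 6d 6d 69 73 73 69 6f 6e 2d 6a 75 6e 63 74 69
32| 6f 6e 2e 63 6f 6d 2f 20 48 54 54 50 2f 31 2e 31
48| 0d 0a 48 6f 73 74 3a 20 77 77 77 2e 63 6f 6d 6d
64| 69 73 73 69 6f 6e 2d 6a 75 6e 63 74 69 6f 6e 2e
80| 63 6f 6d 0d 0a 41 63 63 65 70 74 3a 20 2a 2f 2a
96| 0d 0a 50 72 61 67 6d 61 3a 20 6e 6f 2d 63 61 63
112| 68 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20
"""
# Constructed tail (offsets 128..178), read off the ASCII rendering of the dump.
TAIL = b"Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)\r\n\r\n"

# Ports Vitaly names as the usual open-proxy probe targets.
PROXY_PORTS = {80, 1080, 3128, 8080}

# Constructed one-line forms of the three snort alerts quoted in the message.
ALERTS = [
    "[**] WinGate 8080 Attempt [**] 07/24-23:04:39.418351 194.87.6.147:3185 -> a.b.c.8:8080 "
    "TCP TTL:120 TOS:0x0 ID:12966 DF **S***** Seq: 0x540140 Ack: 0x0 Win: 0x2000",
    "[**] WinGate 8080 Attempt [**] 07/24-23:04:40.502718 194.87.6.147:3185 -> a.b.c.8:8080 "
    "TCP TTL:120 TOS:0x0 ID:17318 DF **S***** Seq: 0x540140 Ack: 0x0 Win: 0x2000",
    "[**] WinGate 8080 Attempt [**] 07/24-23:04:41.521379 194.87.6.147:3185 -> a.b.c.8:8080 "
    "TCP TTL:120 TOS:0x0 ID:27302 DF **S***** Seq: 0x540140 Ack: 0x0 Win: 0x2000",
]

ROW = re.compile(r"\s*(\d+)\|\s*((?:[0-9a-fA-F]{2}\s*)+)$")
FLOW = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+) -> ([\w.]+):(\d+)")
SEQ = re.compile(r"Seq: (0x[0-9a-fA-F]+)")


def parse_hexdump(text):
    """Turn 'offset| hh hh ...' rows back into bytes, checking the offsets."""
    buf = bytearray()
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # skips ASCII rows, rulers and banner lines
        if int(m.group(1)) != len(buf):
            raise ValueError(f"dump is not contiguous at offset {m.group(1)}")
        buf += bytes.fromhex("".join(m.group(2).split()))
    return bytes(buf)


def classify_request(raw):
    """Parse the request head.  An absolute-form target (or CONNECT) means the
    client believes it is talking to a forward proxy, not to an origin server."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    absolute = bool(url.scheme and url.netloc)
    if absolute:
        proxied_host = url.hostname
    elif method == "CONNECT":
        proxied_host = target.rsplit(":", 1)[0]
    else:
        proxied_host = None
    return {
        "method": method,
        "target": target,
        "version": version,
        "host_header": headers.get("host"),
        "user_agent": headers.get("user-agent"),
        "proxy_probe": absolute or method == "CONNECT",
        "proxy_target_host": proxied_host,
    }


def summarize_alerts(lines):
    """Group SYN alerts by 4-tuple.  Several alerts carrying the same Seq are
    one connection attempt being retransmitted, not several scans."""
    flows = {}
    for line in lines:
        m = FLOW.search(line)
        if not m:
            continue
        key = (m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))
        entry = flows.setdefault(
            key, {"alerts": 0, "seqs": set(), "proxy_port": key[3] in PROXY_PORTS})
        entry["alerts"] += 1
        s = SEQ.search(line)
        if s:
            entry["seqs"].add(s.group(1))
    for entry in flows.values():
        entry["retransmitted"] = entry["alerts"] > 1 and len(entry["seqs"]) == 1
    return flows


REQUEST = parse_hexdump(HEXDUMP) + TAIL

if __name__ == "__main__":
    print("decoded request:", classify_request(REQUEST))
    for key, entry in summarize_alerts(ALERTS).items():
        print(key, entry)
```

Run as a script and the decoded head comes back as a GET for http://www.commission-junction.com/ with proxy_probe set, and the three WinGate alerts collapse to a single (194.87.6.147, 3185, a.b.c.8, 8080) flow marked as retransmitted. A honeypot that answers such a request with anything other than an error is what lands it on a proxy list, which is the point of Vitaly's reply.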
Current thread:
- Re: FW: SANS FLASH: New Trojan Sending Data To Russia Gary Flynn (Aug 01)
- <Possible follow-ups>
- Re: FW: SANS FLASH: New Trojan Sending Data To Russia Yury Bokhoncovich (Aug 01)
- Re: FW: SANS FLASH: New Trojan Sending Data To Russia Pierre Vandevenne (Aug 02)
- Re: FW: SANS FLASH: New Trojan Sending Data To Russia Greg A. Woods (Aug 03)
- Re: FW: SANS FLASH: New Trojan Sending Data To Russia Pierre Vandevenne (Aug 02)
- Re: FW: SANS FLASH: New Trojan Sending Data To Russia Vitaly Osipov (Aug 01)