Re: FW: SANS FLASH: New Trojan Sending Data To Russia

[Vitaly Osipov <vos () TELENOR CZ>]

As a former inhabitant of Russia I can just make some comments on
addresses/providers/etc.

first, that netblock mentiooned is part of dynamic address pool for dialup
ppp connections of one of major Russian ISP (try www.dol.ru). Second - in
the message provided I do not see any signs of some trojan/whatever
_sending_ data to this Russian address - your honeypot was just probed for
proxy features (maybe there were some connections on port 3128 too, not only
80 and 8080 and 1080?), and because it replied (as a honeypot should do
;) ), now you are in some proxy list - that's all! Just one simple scan
results in so big flash report... looks a bit like security hysteria :)))

as to link quoted below - http://www.sans.org/y2k/072800.htm - I did not
understand what has a proxy scan from .ru to do with break-in from .my

regards,
Vitaly.

----- Original Message -----
From: "Ed Padin" <epadin () WAGWEB COM>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Monday, July 31, 2000 5:59 PM
Subject: FW: SANS FLASH: New Trojan Sending Data To Russia


> Can anyone shed more light on this?
>
> -----Original Message-----
> From: The SANS Institute [mailto:sans () sans org]
> Sent: Friday, July 28, 2000 8:35 PM
> Subject: SANS FLASH: New Trojan Sending Data To Russia
>
>
> SANS Flash Report: Trojans Sending More Data To Russia
> July 28, 2000, 6:20 pm, EDT
>
> This is preliminary information.  The GIAC (Global Incident
> Analysis Center) has received several submissions showing large
> amounts of data being sent, illegitimately, from Windows 98
> machines to a Russian IP address (194.87.6.X).  The cause is most
> probably a Trojan, but whatever it is, it is moving fast.
>
> What you should do?
>
> 1. All sites should block network traffic from or to 194.87.6.X
> 2. If you see outgoing traffic from one of your machines to that
> address, you should pull it from the network until anti-virus
> signatures are available.
>
> This activity has been going on for a few days, but the
> correlations are just coming in.  If you have information to
> share, please send it to intrusion () sans org.
>
> The remainder of this message is fairly technical and meant to
> help system administrators and firewall administrators protect
> their systems.
>
> Thank you!
>
> Stephen Northcutt, Director Global Incident Analysis Center
> The SANS Institute
>
> > From SANS GIAC Report 00/07/28
> > (dhoelzer)
> >    This one came in at about 20:16 on July 26. The 194.87.6.201
> machine interestingly enough, resolves back to .ru. There is
> no other traffic to or from this network (194.87.6.X) for the
> last two months of live data that I have online. It's hard to
> make a guess on this one. Perhaps the machine that recorded
> this is on a proxy list somewhere, but then, this machine is a
> brand new honeypot on an IP address that hasn't been populated
> for at least 7 years, and has never been used as a proxy server.
> If this is just a random stab, it's interesting that there is
> no record of any network mapping from this network/host.
> Perhaps there was some coordinated mapping here, or perhaps
> there is someone out there who has mapped us already who was
> willing to share (or moved to a new network).
> >    bash# cat 8080
> >    Initializing server socket...Binding to port 8080...Done.
> >    Starting listener...Listening.
> >    Connection from: 194.87.6.201
> >        0| 47 45 54 20 68 74 74 70 3a 2f 2f 77 77 77 2e 63
> >       16| 6f 6d 6d 69 73 73 69 6f 6e 2d 6a 75 6e 63 74 69
> >       32| 6f 6e 2e 63 6f 6d 2f 20 48 54 54 50 2f 31 2e 31
> >       48| 0d 0a 48 6f 73 74 3a 20 77 77 77 2e 63 6f 6d 6d
> >       64| 69 73 73 69 6f 6e 2d 6a 75 6e 63 74 69 6f 6e 2e
> >       80| 63 6f 6d 0d 0a 41 63 63 65 70 74 3a 20 2a 2f 2a
> >       96| 0d 0a 50 72 61 67 6d 61 3a 20 6e 6f 2d 63 61 63
> >      112| 68 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20
> >         +-------------------------------------------------
> >        0|  G  E  T     h  t  t  p  :  /  /  w  w  w  .  c
> >       16|  o  m  m  i  s  s  i  o  n  -  j  u  n  c  t  i
> >       32|  o  n  .  c  o  m  /     H  T  T  P  /  1  .  1
> >       48|  .  .  H  o  s  t  :     w  w  w  .  c  o  m  m
> >       64|  i  s  s  i  o  n  -  j  u  n  c  t  i  o  n  .
> >       80|  c  o  m  .  .  A  c  c  e  p  t  :     *  /  *
> >       96|  .  .  P  r  a  g  m  a  :     n  o  -  c  a  c
> >      112|  h  e  .  .  U  s  e  r  -  A  g  e  n  t  :
> >      128|  M  o  z  i  l  l  a  /  4  .  0     (  c  o  m
> >      144|  p  a  t  i  b  l  e  ;     M  S  I  E     4  .
> >      160|  0  1  ;     W  i  n  d  o  w  s     9  8  )  .
> >      176|  .  .  .
> >         +-------------------------------------------------
> >            0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
> >    Connection Terminated
> >    bash# nslookup 194.87.6.201
> >    Server:  midgaard.smsc.com
> >    Address:  170.129.53.52
> >    Name:    201.6.87.194.dynamic.dol.ru
> >    Address:  194.87.6.201
>
> +++
> Correlation to Laurie's post to GIAC Report 00/07/28,
> (http://www.sans.org/y2k/072800.htm):
>
> > (Laurie@.edu)
> >
> >   =-=-=-=-=-=-=-=-=-=-=
> >
> >   194.87.6.201 == 201.6.87.194.dynamic.dol.ru
> >
> >   RU-DEMOS-940901
> >
> >   Included this because of the Russian source address.
> >
> >   Jul 26 22:26:23 hostka snort[20224]: MISC-WinGate-8080-
> Attempt:
> >     194.87.6.201:3344 -> a.b.c.32:8080
>
> http and Wingate connection attempts from the same
> `dynamic.dol.ru'
> domain:
>
> Name:    27.6.87.194.dynamic.dol.ru
> Address:  194.87.6.27
>
> Jul 27 19:30:08 foo /kernel: Connection attempt to TCP a.b.c.8:80
> from 194.87.6.27:4156
>
> Name:    147.6.87.194.dynamic.dol.ru
> Address:  194.87.6.147
>
> [**] WinGate 8080 Attempt [**]
> 07/24-23:04:39.418351 194.87.6.147:3185 -> a.b.c.8:8080
> TCP TTL:120 TOS:0x0 ID:12966  DF
> **S***** Seq: 0x540140   Ack: 0x0   Win: 0x2000
> TCP Options => MSS: 536 NOP NOP SackOK
>
> [**] WinGate 8080 Attempt [**]
> 07/24-23:04:40.502718 194.87.6.147:3185 -> a.b.c.8:8080
> TCP TTL:120 TOS:0x0 ID:17318  DF
> **S***** Seq: 0x540140   Ack: 0x0   Win: 0x2000
> TCP Options => MSS: 536 NOP NOP SackOK
>
> [**] WinGate 8080 Attempt [**]
> 07/24-23:04:41.521379 194.87.6.147:3185 -> a.b.c.8:8080
> TCP TTL:120 TOS:0x0 ID:27302  DF
> **S***** Seq: 0x540140   Ack: 0x0   Win: 0x2000
> TCP Options => MSS: 536 NOP NOP SackOK
>
>
> The system trace below was found by a conseal firewall:
> 2000/07/27 9:15:19 PM GMT -0400: NDC 10/100 Fast E..[0001][No
> matching rule] Blocking outgoing TCP: src=24.114.my.ip,
> dst=194.87.6.27, sport=8080, dport=2418.
> 2000/07/27 9:15:22 PM GMT -0400: NDC 10/100 Fast E..[0001][Ref#
> 181] Blocking incoming connection attempt: src=194.87.6.27, local
> port 8080.