Security Incidents mailing list archives
Re(2): Help with an odd log file...
From: Ken Eichman <keichman () cas org>
Date: Mon, 9 Jun 2003 15:58:52 -0400 (EDT)
From: "James C. Slora Jr." <Jim.Slora () phra com>
Date: Sat, 07 Jun 2003 21:29:27 -0400

Please forgive my rambling below - I'm all hyped up because I've been looking at something similar and it looks like something big is happening under our noses.
I agree. The few feelers I put out about this have fallen on deaf ears so I've been sitting on this for a couple of weeks, watching it slowly grow to its present volume of one of these random SYNs almost every second against our /16.
My working hypothesis is that the primary probe source is completely spoofed and is some sort of homing signal for a complex trojan. The oddball probes are probably not spoofed and are possibly the agents of the actual abusers. The "agents" have all been dialup or cable modem systems (probably owned), except the primary prober that is spoofing the address of a very large semi-government agency.
We're seeing around 100-200 "agents" (as you call them) here. I also concluded that the one-to-one source-to-destination probers are spoofed (i.e., your "primary prober"), and I've been looking at the one-to-many probers ("agents") as the interesting traffic. Presently each of these ~100 probers probes our /16 network anywhere from once/minute (the most active prober) to once every 1-3 hours. As you found, these addresses are dominated by cable/DSL/broadband providers. Another common thread is that many (but not all) of them have open netbios port(s), primarily 135/tcp.
I also can't help but wonder if this traffic might be related to the stateless Code Red middle packets being logged widely and some Code Red infections that people are reporting inside hardened systems. A Q-like trojan could possibly have been triggered by the packets to start sending Code Red packets even though IIS had been hardened. Maybe someone who has had this happen could review their logs and compare sequence and IDs on packets from the source they believe compromised them with a stateless 2nd packet only of Code Red. If those sequence and IDs correlate with other anomalous packets, that might establish a link.
FWIW so far I haven't found any IIS servers running in the "agent" group.

Ken Eichman
Senior Scientist
Chemical Abstracts Service
IT Information Security
2540 Olentangy River Road
Columbus, OH 43210
614-447-3600 ext. 3230
keichman () cas org
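One way to sort firewall SYN log sources the way Ken describes above (one-to-one source-to-destination probers, which he suspects are spoofed, versus one-to-many "agents" that sweep the /16, plus each source's hit rate). This is an added example and not code from the original thread; the log line format and the sample lines are constructed for the demonstration, and the fan-out threshold is an assumed tuning value.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of firewall SYN log lines: "<ISO time> <src> -> <dst>:<port>".
# 198.51.100.7 hammers a single host (one-to-one); 203.0.113.5 sweeps several (one-to-many).
SAMPLE_LOG = """\
2003-06-09T10:00:00 198.51.100.7 -> 192.0.2.10:80
2003-06-09T10:00:01 198.51.100.7 -> 192.0.2.10:80
2003-06-09T10:00:02 198.51.100.7 -> 192.0.2.10:80
2003-06-09T10:00:00 203.0.113.5 -> 192.0.2.44:80
2003-06-09T10:01:00 203.0.113.5 -> 192.0.2.91:80
2003-06-09T10:02:00 203.0.113.5 -> 192.0.2.200:80
2003-06-09T10:03:00 203.0.113.5 -> 192.0.2.17:80
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):\d+$")


def parse_log(text):
    """Yield (timestamp, src, dst) from well-formed lines; silently skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def classify_probers(text, fanout_threshold=3):
    """Group SYNs by source address.  A source that only ever hits one destination
    is reported as 'one-to-one'; a source hitting at least fanout_threshold
    (assumed value) distinct hosts is reported as a 'one-to-many' agent.
    The mean gap in seconds between a source's hits gives its probe rate."""
    by_src = defaultdict(list)
    for ts, src, dst in parse_log(text):
        by_src[src].append((ts, dst))
    result = {}
    for src, hits in by_src.items():
        hits.sort()
        dsts = {d for _, d in hits}
        times = [t for t, _ in hits]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = sum(gaps) / len(gaps) if gaps else None
        kind = "one-to-many" if len(dsts) >= fanout_threshold else "one-to-one"
        result[src] = {"kind": kind, "hits": len(hits),
                       "distinct_dsts": len(dsts), "mean_gap_s": mean_gap}
    return result


if __name__ == "__main__":
    for src, info in classify_probers(SAMPLE_LOG).items():
        print(src, info)
```

Run against real logs, the one-to-many bucket is the list to cross-check against broadband provider ranges and open 135/tcp, as the thread suggests.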