Security Incidents mailing list archives
Malformed DNS or something odd (or just me)
From: Steven Trewick <STrewick () joplings co uk>
Date: Wed, 7 Apr 2004 14:44:59 +0100
Hi list,

Over the last week or so I have seen what looks (to my untrained eye) like some kind of funky, malicious or malformed DNS traffic turning up at my network borders. I'd appreciate any light that anyone can shed upon the matter, largely to satisfy my morbid curiosity and craving for knowledge :-)

It may be that this is entirely regular traffic, but it doesn't look like the kind of traffic I usually see on UDP port 53 (and as for the other ports...)

Much of the action looks like this:

04/03-20:33:42.525759 62.253.119.103:41601 -> 192.168.0.88:53
UDP TTL:112 TOS:0x0 ID:53793 IpLen:20 DgmLen:40
Len: 12
01 02 00 07 D1 86 3F C3 26 14 01 00              ......?.&...

To me this looks like a DNS query with no host name in it, but I am not quite up to speed on this yet, so I appreciate this may be incorrect. However, this usually comes paired with:

04/03-20:33:42.506542 62.253.119.103:41601 -> 192.168.0.88:5301
UDP TTL:112 TOS:0x0 ID:53537 IpLen:20 DgmLen:40
Len: 12
01 02 00 07 D1 86 3F C3 26 14 01 00              ......?.&...

Which strikes me as a bit odd, being the same thing but with the obvious dest port tomfoolery (some kind of heinous misconfig?)

As time goes by, increasing amounts of oddness start to turn up via UDP packets; the destination ports of these are 53, 5301 and, for some reason, 30339 (which correlates only because some of the packets contain exactly the same payload as those on UDP ports 53 and 5301). Some of them contain quite large (non-text) payloads! The sources are mainly unique; there is only one host that sends more than one set of packets (scans that didn't get a response???)

My apologies for posting so much data to the list, but I have been googling this backward and forward since 0700 GMT this morning with no useful results! Help me Obi-list-Kenobi, you're my only hope ;-)

Herein follow the full packet dumps of weirdness.
Possibly important background info:

1) The sensor is located in the DMZ of a network that offers no services at all to the outside world; apart from the occasional ACK/RST, all the traffic it receives is unsolicited.

2) The DNS service in the internal network is provided by a proxy service on the NAT router hosting the DMZ, and therefore any legit DNS traffic would be routed to/from 192.x.x.x addresses (confirmed by sensor logs).

3) The IP of the NAT router is dynamically assigned, and does change for various reasons, but during the time these packets were recorded it remained the same (confirmed from router and sensor logs). However, this was a recent shift: the day before this trace begins the router was living on a different IP within the same class B network.

4) None of the packets listed were actually delivered into the internal network, and there does not appear to be any correlating activity internally. Many of these packets were recorded when the sensor was the only powered machine on the network.

5) The sensor is a *nix box running snort; alerts were generated via an extremely simple set of research rules that catch and log anything that isn't explicitly recognised.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] ** Unknown UDP ** [**]
04/03-20:33:42.506542 62.253.119.103:41601 -> 192.168.0.88:5301
UDP TTL:112 TOS:0x0 ID:53537 IpLen:20 DgmLen:40
Len: 12
01 02 00 07 D1 86 3F C3 26 14 01 00              ......?.&...

[**] ** Unknown UDP ** [**]
04/03-20:33:42.525759 62.253.119.103:41601 -> 192.168.0.88:53
UDP TTL:112 TOS:0x0 ID:53793 IpLen:20 DgmLen:40
Len: 12
01 02 00 07 D1 86 3F C3 26 14 01 00              ......?.&...

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] ** Unknown UDP ** [**]
04/03-20:59:33.466087 172.166.14.38:19689 -> 192.168.0.88:53
UDP TTL:109 TOS:0x0 ID:43520 IpLen:20 DgmLen:40
Len: 12
01 02 00 07 D1 86 3F C3 26 14 01 00              ......?.&...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] ** Unknown UDP ** [**]
04/03-21:26:41.210086 62.29.120.15:20578 -> 192.168.0.88:5301
UDP TTL:111 TOS:0x0 ID:7272 IpLen:20 DgmLen:36
Len: 8
01 01 00 B7 DA CB 3F 00                          ......?.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] ** Unknown UDP ** [**]
04/04-13:51:02.843781 82.41.169.142:3478 -> 192.168.0.88:5301
UDP TTL:115 TOS:0x0 ID:56342 IpLen:20 DgmLen:538
Len: 510
01 02 00 07 D1 86 3F C3 26 14 01 53 9F 94 AC CC  ......?.&..S....
35 00 D5 19 FE 84 35 00 C3 72 5F DB 35 00 18 6A  5.....5..r_.5..j
7E 8A 35 00 D4 59 6B 02 35 00 C3 4A A9 B8 35 00  ~.5..Yk.5..J..5.
D3 72 B2 42 35 00 CC 1D DC 51 35 00 3E 41 EC C8  .r.B5....Q5.>A..
35 00 D9 45 62 52 35 00 42 36 E5 43 35 00 D3 72  5..EbR5.B6.C5..r
BE 92 35 00 C3 2B 0D 02 35 00 3E 4D 5B C2 35 00  ..5..+..5.>M[.5.
41 43 09 14 35 00 D4 7A A1 51 35 00 D3 61 85 97  AC..5..z.Q5..a..
35 00 41 18 06 C4 35 00 43 5E 3A C5 35 00 CC 1D  5.A...5.C^:.5...
DC F4 35 00 C3 2F 6C DA 35 00 C3 4A AA FC 35 00  ..5../l.5..J..5.
C8 17 12 66 35 00 CC 1D DC FB 35 00 CC 1D DC 93  ...f5.....5.....
35 00 CC 1D DC E2 35 00 C3 6D 9C C3 35 00 C8 18  5.....5..m..5...
D4 16 35 00 CC 1B BC FC 35 00 C8 67 8E 08 35 00  ..5.....5..g..5.
D8 66 A7 DE 35 00 18 19 04 86 35 00 D3 72 BE E2  .f..5.....5..r..
35 00 D4 3F 49 12 35 00 D4 7D 68 42 35 00 D3 39  5..?I.5..}hB5..9
D6 72 35 00 42 3C 85 98 35 00 D3 72 BE AA 35 00  .r5.B<..5..r..5.
D5 46 6C 03 35 00 C0 66 FD 46 35 00 C3 4D 61 84  .Fl.5..f.F5..Ma.
35 00 CC 1D DC 16 35 00 9D 19 89 12 35 00 D5 5B  5.....5.....5..[
88 9C 35 00 C8 17 12 67 35 00 CC 1D DC 08 35 00  ..5....g5.....5.
41 18 06 E6 35 00 C8 17 12 A3 35 00 D4 7A A1 49  A...5.....5..z.I
35 00 CF 0A AA 01 35 00 CB 1B 1E E3 35 00 50 37  5.....5.....5.P7
B2 52 35 00 D3 39 D9 9D 35 00 41 18 06 E4 35 00  .R5..9..5.A...5.
D1 8B FB B4 35 00 D5 19 EC 72 35 00 D3 72 B2 82  ....5....r5..r..
35 00 C3 4A A9 D6 35 00 C3 4A A9 F2 35 00 50 37  5..J..5..J..5.P7
A0 EA 35 00 CB 1B 1E E0 35 00 D4 7A A1 CA 35 00  ..5.....5..z..5.
C8 36 A9 42 35 00 D3 72 BE C2 35 00 50 30 C8 03  .6.B5..r..5.P0..
35 00 D3 39 DD D9 35 00 D5 4C 81 62 35 00 CC 1D  5..9..5..L.b5...
DC 74 35 00 D4 7A 2A 03 35 00 D4 7A A1 CC 35 00  .t5..z*.5..z..5.
40 1A A9 C2 35 00 D2 1A 90 82 35 00 CB 1B 1E EC  @...5.....5.....
35 00 CC 1D DC 34 35 00 CC 1D DC 0E 35 00 CC 1D  5....45.....5...
DC 7E 35 00 D9 45 62 5A 35 00 41 55 F0 8A 35 00  .~5..EbZ5.AU..5.
D5 46 6C 02 35 00 CA 63 1E 52 35 00 D4 7A A7 81  .Fl.5..c.R5..z..
35 00 CB 1B 1E E5 35 00 D5 19 FE FD 35 00        5.....5.....5.

[**] ** Unknown UDP ** [**]
04/04-13:51:02.852266 82.41.169.142:3478 -> 192.168.0.88:5301
UDP TTL:115 TOS:0x0 ID:56598 IpLen:20 DgmLen:538
Len: 510
01 02 00 07 D1 86 3F C3 26 14 01 53 89 5C 61 07  ......?.&..S.\a.
35 00 C1 4D 9E 32 35 00 43 5E 3A C3 35 00 D8 66  5..M.25.C^:.5..f
A7 BE 35 00 D3 39 DD C3 35 00 18 78 2A 02 35 00  ..5..9..5..x*.5.
CC 1D DC 66 35 00 C3 4A AB 53 35 00 D9 45 62 5C  ...f5..J.S5..Eb\
35 00 41 18 06 E8 35 00 C0 75 A5 A3 35 00 CC 1D  5.A...5..u..5...
DC DB 35 00 C3 4A A9 6B 35 00 C3 29 07 D0 35 00  ..5..J.k5..)..5.
C3 38 B5 7D 35 00 C1 44 27 01 35 00 D9 05 B4 81  .8.}5..D'.5.....
35 00 A4 4D D3 C8 35 00 CE 42 F1 C8 35 00 50 31  5..M..5..B..5.P1
17 98 35 00 D9 7A 61 BF 35 00 D9 60 F4 23 35 00  ..5..za.5..`.#5.
40 1A A9 1E 35 00 D9 60 0B 62 35 00 43 5E 3A C4  @...5..`.b5.C^:.
35 00 44 0F A8 07 35 00 CB 6A 5B D2 35 00 D4 6A  5.D...5..j[.5..j
86 2E 35 00 50 37 BD 4E 35 00 D3 39 D6 9A 35 00  ..5.P7.N5..9..5.
94 51 F4 05 35 00 C3 41 2A 03 35 00 D4 3B 1E 85  .Q..5..A*.5..;..
35 00 CC 1D DC 27 35 00 C3 4A A9 7B 35 00 CC 1D  5....'5..J.{5...
DC 40 35 00 C3 4A A9 12 35 00 3E 49 63 6D 35 00  .@5..J..5.>Icm5.
3D 64 85 46 35 00 D3 72 C4 9D 35 00 D9 45 62 5D  =d.F5..r..5..Eb]
35 00 42 7C 3F C2 35 00 C3 4A AA 62 35 00 C3 4A  5.B|?.5..J.b5..J
A9 33 35 00 C2 52 EF 02 35 00 C3 29 07 CC 35 00  .35..R..5..)..5.
3E 99 C8 EA 35 00 D3 72 B2 6A 35 00 18 78 2A 15  >...5..r.j5..x*.
35 00 C3 67 EA 03 35 00 41 18 06 C2 35 00 C3 4A  5..g..5.A...5..J
A9 D5 35 00 82 5E A2 89 35 00 D3 72 BE 52 35 00  ..5..^..5..r.R5.
18 19 04 7C 35 00 41 18 06 EE 35 00 C3 4A AA 53  ...|5.A...5..J.S
35 00 C3 4A A9 BA 35 00 CB 1B 1E E9 35 00 40 4B  5..J..5.....5.@K
BC DA 35 00 51 07 4A E3 35 00 C3 4A A9 76 35 00  ..5.Q.J.5..J.v5.
50 35 A0 4C 35 00 C3 4A AA 4E 35 00 D2 52 33 63  P5.L5..J.N5..R3c
35 00 C3 75 AE 82 35 00 C3 4A A9 6F 35 00 C0 75  5..u..5..J.o5..u
A5 A2 35 00 50 31 74 58 35 00 D5 4D BC 7E 35 00  ..5.P1tX5..M.~5.
C3 4A AB 87 35 00 3E 4D 5B 0A 35 00 C3 4A A8 F3  .J..5.>M[.5..J..
35 00 40 73 94 98 35 00 CE 42 24 C2 35 00 44 9D  5.@s..5..B$.5.D.
AB 05 35 00 C1 FB 28 C9 35 00 C8 48 1F A2 35 00  ..5...(.5..H..5.
C2 2F 5E 44 35 00 3F 7B A4 6B 35 00 C8 36 B3 33  ./^D5.?{.k5..6.3
35 00 CB 7C 8A C4 35 00 C0 4C 9D 09 35 00        5..|..5..L..5.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] ** Unknown UDP ** [**]
04/04-15:45:39.331413 200.52.217.103:17586 -> 192.168.0.88:5301
UDP TTL:106 TOS:0x0 ID:40964 IpLen:20 DgmLen:49
Len: 21
01 03 00 FE D0 84 3F 26 00 08 C3 26 14 01 01 18  ......?&...&....
52 22 46 49 5A                                   R"FIZ

[**] ** Unknown UDP ** [**]
04/04-15:45:39.331430 200.52.217.103:17586 -> 192.168.0.88:5301
UDP TTL:106 TOS:0x0 ID:41220 IpLen:20 DgmLen:49
Len: 21
01 03 00 FE D0 84 3F 26 00 08 C3 26 14 01 01 18  ......?&...&....
52 22 46 49 5A                                   R"FIZ

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] ** Unknown UDP ** [**]
04/04-16:29:35.844956 68.108.151.154:13583 -> 192.168.0.88:5301
UDP TTL:107 TOS:0x0 ID:48713 IpLen:20 DgmLen:46
Len: 18
01 02 00 07 D1 86 3F C3 26 14 01 01 40 20 C6 3E  ......?.&...@ .>
35 00                                            5.

[**] ** Unknown UDP ** [**]
04/04-16:29:35.846179 68.108.151.154:13583 -> 192.168.0.88:5301
UDP TTL:107 TOS:0x0 ID:48714 IpLen:20 DgmLen:46
Len: 18
01 02 00 07 D1 86 3F C3 26 14 01 01 40 20 C6 3E  ......?.&...@ .>
35 00                                            5.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] ** Unknown UDP ** [**]
04/04-17:19:35.075968 65.235.142.247:30099 -> 192.168.0.88:53
UDP TTL:106 TOS:0x0 ID:41812 IpLen:20 DgmLen:40
Len: 12
01 02 00 07 D1 86 3F C3 26 14 01 00              ......?.&...

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] ** Unknown UDP ** [**]
04/04-17:24:32.152380 172.128.205.42:11666 -> 192.168.0.88:5301
UDP TTL:109 TOS:0x0 ID:4160 IpLen:20 DgmLen:40
Len: 12
01 02 00 07 D1 86 3F C3 26 14 01 00              ......?.&...

[**] ** Unknown UDP ** [**]
04/04-17:24:32.160026 172.128.205.42:11666 -> 192.168.0.88:5301
UDP TTL:109 TOS:0x0 ID:4161 IpLen:20 DgmLen:40
Len: 12
01 02 00 07 D1 86 3F C3 26 14 01 00              ......?.&...

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] ** Unknown UDP ** [**]
04/04-17:31:56.486199 80.9.89.99:10352 -> 192.168.0.88:53
UDP TTL:108 TOS:0x0 ID:17451 IpLen:20 DgmLen:40
Len: 12
01 02 00 07 D1 86 3F C3 26 14 01 00              ......?.&...

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] ** Unknown UDP ** [**]
04/05-19:30:53.683363 83.152.103.217:4404 -> 192.168.0.88:5301
UDP TTL:110 TOS:0x0 ID:14618 IpLen:20 DgmLen:40
Len: 12
01 02 00 07 D1 86 3F C3 26 14 01 00              ......?.&...

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] ** Unknown UDP ** [**]
04/05-21:15:33.571071 80.160.229.106:21047 -> 192.168.0.88:30339
UDP TTL:110 TOS:0x0 ID:37144 IpLen:20 DgmLen:106
Len: 78
01 02 00 07 D1 86 3F C3 26 14 01 0B C3 4C 06 03  ......?.&....L..
35 00 C1 FB 5B 1C 35 00 D1 63 E0 06 35 00 D0 39  5...[.5..c..5..9
6B 83 35 00 D8 BB F5 29 35 00 C8 0D E4 F2 35 00  k.5....)5.....5.
A5 62 0C 04 35 00 D4 3B 06 C2 35 00 CB 4D E6 E4  .b..5..;..5..M..
35 00 C3 2F 26 12 35 00 42 5B 8C 1B 35 00        5../&.5.B[..5.
[**] ** Unknown UDP ** [**]
04/05-21:15:33.575523 80.160.229.106:21047 -> 192.168.0.88:53
UDP TTL:110 TOS:0x0 ID:37400 IpLen:20 DgmLen:106
Len: 78
01 02 00 07 D1 86 3F C3 26 14 01 0B C3 4C 06 03  ......?.&....L..
35 00 C1 FB 5B 1C 35 00 D1 63 E0 06 35 00 D0 39  5...[.5..c..5..9
6B 83 35 00 D8 BB F5 29 35 00 C8 0D E4 F2 35 00  k.5....)5.....5.
A5 62 0C 04 35 00 D4 3B 06 C2 35 00 CB 4D E6 E4  .b..5..;..5..M..
35 00 C3 2F 26 12 35 00 42 5B 8C 1B 35 00        5../&.5.B[..5.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] ** Unknown UDP ** [**]
04/06-18:20:45.410884 172.190.203.135:15536 -> 192.168.0.88:53
UDP TTL:114 TOS:0x0 ID:46113 IpLen:20 DgmLen:40
Len: 12
01 02 00 07 D1 86 3F C3 26 14 01 00              ......?.&...

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] ** Unknown UDP ** [**]
04/06-18:42:38.668254 68.108.151.154:13583 -> 192.168.0.88:5301
UDP TTL:107 TOS:0x0 ID:24694 IpLen:20 DgmLen:40
Len: 12
01 02 00 07 D1 86 3F C3 26 14 01 00              ......?.&...

[**] ** Unknown UDP ** [**]
04/06-18:42:38.672874 68.108.151.154:13583 -> 192.168.0.88:53
UDP TTL:107 TOS:0x0 ID:24695 IpLen:20 DgmLen:40
Len: 12
01 02 00 07 D1 86 3F C3 26 14 01 00              ......?.&...

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] ** Unknown UDP ** [**]
04/06-19:44:45.549518 193.198.146.51:20329 -> 192.168.0.88:30339
UDP TTL:108 TOS:0x0 ID:5682 IpLen:20 DgmLen:40
Len: 12
01 02 00 07 D1 86 3F C3 26 14 01 00              ......?.&...

[**] ** Unknown UDP ** [**]
04/06-19:44:45.558207 193.198.146.51:20329 -> 192.168.0.88:30339
UDP TTL:108 TOS:0x0 ID:5683 IpLen:20 DgmLen:40
Len: 12
01 02 00 07 D1 86 3F C3 26 14 01 00              ......?.&...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] ** Unknown UDP ** [**]
04/06-20:22:31.856639 24.213.243.68:9246 -> 192.168.0.88:5301
UDP TTL:110 TOS:0x0 ID:33041 IpLen:20 DgmLen:100
Len: 72
01 02 00 07 D1 86 3F C3 26 14 01 0A D0 B1 C1 33  ......?.&......3
35 00 D4 21 23 6E 35 00 40 3B 3C 1E 35 00 42 2B  5..!#n5.@;<.5.B+
85 F2 35 00 97 63 F8 4B 35 00 D1 2C 91 D2 35 00  ..5..c.K5..,..5.
D1 2C 91 F0 35 00 18 7F B1 C9 35 00 D1 2C 91 EF  .,..5.....5..,..
35 00 D5 1C 83 D2 35 00                          5.....5.

[**] ** Unknown UDP ** [**]
04/06-20:22:31.862015 24.213.243.68:9246 -> 192.168.0.88:53
UDP TTL:110 TOS:0x0 ID:33042 IpLen:20 DgmLen:100
Len: 72
01 02 00 07 D1 86 3F C3 26 14 01 0A D0 B1 C1 33  ......?.&......3
35 00 D4 21 23 6E 35 00 40 3B 3C 1E 35 00 42 2B  5..!#n5.@;<.5.B+
85 F2 35 00 97 63 F8 4B 35 00 D1 2C 91 D2 35 00  ..5..c.K5..,..5.
D1 2C 91 F0 35 00 18 7F B1 C9 35 00 D1 2C 91 EF  .,..5.....5..,..
35 00 D5 1C 83 D2 35 00                          5.....5.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
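Two things a reader can check against the dumps above without guessing at what the traffic is. First, the 12-byte payload read as an RFC 1035 header gives QDCOUNT=0xD186, ANCOUNT=0x3FC3 and a non-zero RCODE on a message with QR=0, with nothing following the header, so it cannot be a DNS query with an empty name; it simply is not DNS. Second, in every "01 02 ..." payload on this page the 12th byte equals (Len - 12) / 6 (0x00, 0x01, 0x0A, 0x0B and 0x53 for the 12-, 18-, 72-, 78- and 510-byte packets) and the bytes after it fall into 6-byte groups ending in "35 00". The Python below is added here as an analysis example; it is not part of Steven's post or of the thread replies. It parses the first 12 bytes as a DNS header and lists the reasons the result is not well formed, then decodes the remainder under the hypothesis that each 6-byte group is an IPv4 address followed by a little-endian UDP port (0x0035 = 53). The PREFIX constant and the record layout are inferences from these captures, not a documented protocol; the sample payloads are copied from the alerts above with the ASCII column removed.

```python
"""Decode the 'Unknown UDP' payloads from the Snort alerts above.

Two checks a practitioner would run on these dumps:
  1. Interpret the first 12 bytes as an RFC 1035 DNS header and report
     why the result cannot be a real query.
  2. Test the layout hypothesis that the trailing bytes are a list of
     IPv4:port records (4-byte address + little-endian port).
The record layout is an inference from the dumps, not a documented format.
"""
import struct
from ipaddress import IPv4Address

# Constructed input: hex columns copied from two alerts on this page
# (ASCII column removed): the 12-byte payload seen from 62.253.119.103
# and the 78-byte payload seen from 80.160.229.106.
DUMP_12 = "01 02 00 07 D1 86 3F C3 26 14 01 00"
DUMP_78 = """
01 02 00 07 D1 86 3F C3 26 14 01 0B C3 4C 06 03
35 00 C1 FB 5B 1C 35 00 D1 63 E0 06 35 00 D0 39
6B 83 35 00 D8 BB F5 29 35 00 C8 0D E4 F2 35 00
A5 62 0C 04 35 00 D4 3B 06 C2 35 00 CB 4D E6 E4
35 00 C3 2F 26 12 35 00 42 5B 8C 1B 35 00
"""

# Fixed 11-byte prefix shared by every "01 02 ..." payload in the alerts
# (inferred from the captures, meaning unknown).
PREFIX = bytes.fromhex("01 02 00 07 D1 86 3F C3 26 14 01")

DNS_HEADER = struct.Struct("!HHHHHH")  # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
MIN_QUESTION = 5   # root label (1) + QTYPE (2) + QCLASS (2)
MIN_RR = 11        # root label (1) + TYPE (2) + CLASS (2) + TTL (4) + RDLENGTH (2)


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn a whitespace-separated hex column into bytes."""
    return bytes.fromhex("".join(dump.split()))


def dns_header_problems(payload: bytes) -> list:
    """Return the reasons the payload is not a well-formed DNS message.

    An empty list means the header is at least internally consistent with
    the bytes that follow it.
    """
    if len(payload) < DNS_HEADER.size:
        return ["shorter than the 12-byte DNS header"]
    _ident, flags, qd, an, ns, ar = DNS_HEADER.unpack_from(payload)
    is_query = not (flags & 0x8000)  # QR bit clear
    rcode = flags & 0x000F
    problems = []
    if is_query and qd == 0:
        problems.append("query (QR=0) with QDCOUNT=0")
    if is_query and rcode:
        problems.append(f"query carries RCODE={rcode}; queries must use 0")
    if flags & 0x0070:
        problems.append("reserved Z bits are set")
    need = qd * MIN_QUESTION + (an + ns + ar) * MIN_RR
    have = len(payload) - DNS_HEADER.size
    if need > have:
        problems.append(
            f"section counts QD={qd} AN={an} NS={ns} AR={ar} need >= {need} "
            f"bytes after the header, only {have} present")
    return problems


def decode_peer_list(payload: bytes) -> list:
    """Decode a '01 02 ...' payload under the inferred layout.

    Layout (hypothesis from the dumps, not a documented protocol):
      bytes 0..10   fixed prefix
      byte 11       record count N
      then N x (4-byte IPv4 address, 2-byte little-endian UDP port)
    Raises ValueError if the payload does not fit that layout.
    """
    if not payload.startswith(PREFIX) or len(payload) < len(PREFIX) + 1:
        raise ValueError("payload lacks the expected 11-byte prefix")
    count = payload[len(PREFIX)]
    body = payload[len(PREFIX) + 1:]
    if len(body) != 6 * count:
        raise ValueError(
            f"count byte {count} implies {6 * count} record bytes, found {len(body)}")
    peers = []
    for off in range(0, len(body), 6):
        addr = str(IPv4Address(body[off:off + 4]))
        (port,) = struct.unpack("<H", body[off + 4:off + 6])
        peers.append((addr, port))
    return peers


if __name__ == "__main__":
    for name, dump in (("12-byte", DUMP_12), ("78-byte", DUMP_78)):
        data = hexdump_to_bytes(dump)
        print(f"{name}: as DNS -> {dns_header_problems(data) or 'no obvious problems'}")
        for addr, port in decode_peer_list(data):
            print(f"    {addr}:{port}")
```

Run as-is it reports the two header problems for each dump and prints the eleven address:port pairs in the 78-byte packet, every one on port 53, which matches the destination port the sensor saw. Whether those addresses are live peers of whatever sent the traffic is a separate question the dumps alone do not answer; the decoder only shows that the bytes fit the layout.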
Current thread:
- Malformed DNS or something odd (or just me) Steven Trewick (Apr 09)
- RE: Malformed DNS or something odd (or just me) James C Slora Jr (Apr 10)
- Heads up: Looks like MS04-011 exploit is being tried against www.domain James Riden (Apr 27)