Re: Strange pings from 127.0.0.1

[Nelson Santos <nsantos () gmail com>]

I know you said the MAC address is also spoofed but this might help anyway:

From: Dan Hanson <dhanson at securityfocus.com>
To: incidents at securityfocus.com
Subject: Administrivia: Are you seeing portscans from source 127.0.0.1
source port 80?
Date: Tue, 28 Oct 2003 08:59:56 -0700

I am posting this in the hopes of dulling the 5-6 messages I get every day
that are reporting port scans to their network all of which have a source
IP of 127.0.0.1 and source port 80.

It is likely Blaster (check your favourite AV site for a writeup, I won't
summarize here).

The reason that people are seeing this has to do with some very bad advice
that was given early in the blaster outbreak. The advice basically was
that to protect the Internet from the DoS attack that was to hit
windowsupdate.com, all DNS servers should return 127.0.0.1 for queries to
windowsupdate.com. Essentially these suggestions were suggesting that
hosts should commit suicide to protect the Internet.

The problem is that the DoS routine spoofs the source address, so when
windowsupdate.com resolves to 127.0.0.1 the following happens.

Infected host picks address as source address and sends Syn packet to
127.0.0.1 port 80. (Sends it to itself) (This never makes it on the wire,
you will not see this part)

TCP/IP stack receives packet, responds with reset (if there is nothing
listening on that port), sending the reset to the host with the spoofed
source address (this is what people are seeing and mistaking for
portscans)

Result: It looks like a host is port scanning ephemeral posts using
packets with source address:port of 127.0.0.1:80

Solution: track back the packets by MAC address to find hte infected
machine. Turn off NS resolution of windowsupdate.com to 127.0.0.1.

Hope that helps

D

On Fri, 18 Jun 2004 15:06:42 -0700, Ranjeet Shetye
<ranjeet.shetye2 () zultys com> wrote:
> consider a packet of the type
>
> Eth_DST=Eth_A
> Eth_SRC=Eth_B
> Eth_Type=IP
> IP_Src=127.0.0.1
> IP_Dst=IP_D
>
> On Linux - packets from localhost to a local IP dont make it onto the
> network. Assuming the same to be the case on Windows, any target hosts
> (IP_D) that you see ICMPs for, are probably NOT the origin of THIS packet.
> This might help you narrow the possible sources of the traffic.
>
> Next, (assuming non-promiscuous mode of operation by the NIC) I fail to
> understand how the author of this attack intends to reach his/her targets,
> if the dest MAC addresses are fake! I might be missing something obvious,
> so if someone can point it out to me, that would be great. thanks.
>
> Instead of an attack, it might be that you have someone on your network
> who is learning socket or libnet programming, and is testing his/her
> networking coding skills on the corporate network. That might explain
> the non-existant destination MAC addresses - which I admit again, don't
> make a lot of sense to me.
>
> **Unless**, some kind of an ARP-poisoning scheme is being executed,
> so that switches are forced to forward all traffic on all ports cos their
> internal arp tables are messed up.
>
> In which case, maybe you need to lock down the arp tables in your managed
> switches, if you can.
>
> I am very curious about this traffic pattern, please let us know the
> answer once you've resolved it. thanks,
>
> --
> Ranjeet Shetye
> Senior Software Engineer
> Zultys Technologies
> Ranjeet dot Shetye at Zultys dot com
> http://www.zultys.com/
>
> The views, opinions, and judgements expressed in this message are solely those of
> the author. The message contents have not been reviewed or approved by Zultys.
>
> * Timothy Schwimer (tschwimer () hotmail com) wrote:
> > Not yet. Doesn't sound like you're having the same issue though. Mine is
> > all ICMP traffic, all sourced from the loopback, but destined to several
> > different host IP's.  In addition, the source and dest MAC are always the
> > same regardless of the IP's.
> > I'm fairly certain that I've got a compromised host, but with the source IP
> > being a loopback, I've got no way of deducing which host.
> >
> >
> > > From: Murad Talukdar <talukdar_m () subway com>
> > > To: Tim Schwimer <tschwimer () hotmail com>, security-basics () securityfocus com
> > > Subject: Re: Strange pings from 127.0.0.1
> > > Date: Fri, 18 Jun 2004 09:43:07 +1000
> > >
> > > I've been getting this on my router logs saying that the tcp got dropped.
> > > Source:127.0.0.1, 80, WAN - Destination:210.80.144.150, 1912, LAN -
> > > 'Suspicious TCP Data'
> > >
> > > Did you work out what it was with the pings? Not sure if it's similar or
> > > not.
> > >
> > > Murad Talukdar
> > >
> > >
> > > ----- Original Message -----
> > > From: "Tim Schwimer" <tschwimer () hotmail com>
> > > To: <security-basics () securityfocus com>
> > > Sent: Sunday, June 13, 2004 5:24 PM
> > > Subject: Re: Strange pings from 127.0.0.1
> > >
> > >
> > > > In-Reply-To: <GAEPLEDFDDGJLBGAABCNKENBCMAA.gg () stober mailsnare net>
> > > >
> > > > I started seeing the same thing on my DMZ segments this Friday afternoon
> > > at about 4:00pm (figures, huh??). Anyway, I was wondering what you found
> > > out
> > > about this. Any insight would be appreciated.
> > > > Thanks,
> > > > T
> > > > > Received: (qmail 20239 invoked from network); 14 May 2004 15:58:54
> > > -0000
> > > > > Received: from outgoing.securityfocus.com (HELO
> > > outgoing2.securityfocus.com) (205.206.231.26)
> > > > >  by mail.securityfocus.com with SMTP; 14 May 2004 15:58:54 -0000
> > > > > Received: from lists.securityfocus.com (lists.securityfocus.com
> > > [205.206.231.19])
> > > > > by outgoing2.securityfocus.com (Postfix) with QMQP
> > > > > id 4018A1437B0; Fri, 14 May 2004 17:53:53 -0600 (MDT)
> > > > > Mailing-List: contact security-basics-help () securityfocus com; run by
> > > ezmlm
> > > > > Precedence: bulk
> > > > > List-Id: <security-basics.list-id.securityfocus.com>
> > > > > List-Post: <mailto:security-basics () securityfocus com>
> > > > > List-Help: <mailto:security-basics-help () securityfocus com>
> > > > > List-Unsubscribe:
> > > <mailto:security-basics-unsubscribe () securityfocus com>
> > > > > List-Subscribe: <mailto:security-basics-subscribe () securityfocus com>
> > > > > Delivered-To: mailing list security-basics () securityfocus com
> > > > > Delivered-To: moderator for security-basics () securityfocus com
> > > > > Received: (qmail 13781 invoked from network); 13 May 2004 21:45:06
> > > -0000
> > > > > From: "Marc" <gg () stober mailsnare net>
> > > > > To: <security-basics () securityfocus com>
> > > > > Subject: Strange pings from 127.0.0.1
> > > > > Date: Thu, 13 May 2004 23:55:35 -0400
> > > > > Message-ID: <GAEPLEDFDDGJLBGAABCNKENBCMAA.gg () stober mailsnare net>
> > > > > MIME-Version: 1.0
> > > > > Content-Type: text/plain;
> > > > > charset="iso-8859-1"
> > > > > Content-Transfer-Encoding: 7bit
> > > > > X-Priority: 3 (Normal)
> > > > > X-MSMail-Priority: Normal
> > > > > X-Mailer: Microsoft Outlook IMO, Build 9.0.6604 (9.0.2911.0)
> > > > > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
> > > > > Importance: Normal
> > > > >
> > > > >
> > > > > The networked applications I am responsbile for have been performing
> > > slowly.
> > > > > When I tried to run Ethereal on my computer, I found some odd ICMP echo
> > > > > request (ping) packets with a source IP of 127.0.01, to addresses both
> > > > > within our 192.168.1.* network as well as to random Internet addresses.
> > > The
> > > > > source and destination Mac addresses aren't anything I can associate
> > > with
> > > a
> > > > > computer on our network (and they're not the real Mac address of my
> > > > > computer), so I think maybe these packets are spoofed? Could this be
> > > some
> > > > > sort of virus or DOS attack somewhere within our network? I've haven't
> > > seen
> > > > > anything quite like this mentioned online anywhere.
> > > > >
> > > > > Thanks, Marc
> > > >
> > > > ---------------------------------------------------------------------------
> > > > > Ethical Hacking at the InfoSec Institute. Mention this ad and get $545
> > > off
> > > > > any course! All of our class sizes are guaranteed to be 10 students or
> > > less
> > > > > to facilitate one-on-one interaction with one of our expert
> > > instructors.
> > > > > Attend a course taught by an expert instructor with years of
> > > in-the-field
> > > > > pen testing experience in our state of the art hacking lab. Master the
> > > skills
> > > > > of an Ethical Hacker to better assess the security of your
> > > organization.
> > > > > Visit us at:
> > > > > http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> > > >
> > > > ---------------------------------------------------------------------------
> > > -
> > > > >
> > > --------------------------------------------------------------------------
> > > -
> > > > Ethical Hacking at the InfoSec Institute. Mention this ad and get $545
> > > off
> > > > any course! All of our class sizes are guaranteed to be 10 students or
> > > less
> > > > to facilitate one-on-one interaction with one of our expert instructors.
> > > > Attend a course taught by an expert instructor with years of
> > > in-the-field
> > > > pen testing experience in our state of the art hacking lab. Master the
> > > skills
> > > > of an Ethical Hacker to better assess the security of your organization.
> > > > Visit us at:
> > > > http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> > > --------------------------------------------------------------------------
> > > --
> > > >
> >
> > _________________________________________________________________
> > Watch the online reality show Mixed Messages with a friend and enter to win
> > a trip to NY
> > http://www.msnmessenger-download.click-url.com/go/onm00200497ave/direct/01/
> >
> >
> > ---------------------------------------------------------------------------
> > Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
> > any course! All of our class sizes are guaranteed to be 10 students or less
> > to facilitate one-on-one interaction with one of our expert instructors.
> > Attend a course taught by an expert instructor with years of in-the-field
> > pen testing experience in our state of the art hacking lab. Master the
> > skills of an Ethical Hacker to better assess the security of your
> > organization. Visit us at:
> > http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> > ----------------------------------------------------------------------------
>
> ---------------------------------------------------------------------------
> Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
> any course! All of our class sizes are guaranteed to be 10 students or less
> to facilitate one-on-one interaction with one of our expert instructors.
> Attend a course taught by an expert instructor with years of in-the-field
> pen testing experience in our state of the art hacking lab. Master the skills
> of an Ethical Hacker to better assess the security of your organization.
> Visit us at:
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> ----------------------------------------------------------------------------

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------