Full Disclosure mailing list archives
Fwd: [martini () invision net - W32/Sobig-F - Halflife correlation ???]
From: David Hamilton <dhamilton () voyager net>
Date: Sat, 23 Aug 2003 13:01:33 -0400
Interesting thread from another list..... A few people are seeing this....

----- Forwarded message from Matt Martini <martini () invision net> -----

Date: Fri, 22 Aug 2003 20:50:30 -0400 (EDT)
From: Matt Martini <martini () invision net>
Reply-To: "Matthew E. Martini" <martini () invision net>
To: North American Network Operators Group <nanog () merit edu>
Subject: W32/Sobig-F - Halflife correlation ???

I've scanned my Netflow logs for activity associated with the 20 machines that SoBig was targeting and I found some very curious activity.

I routed traffic to these 20 IPs to Null0. At 3:09 I started getting traffic from 10 of the 20 machines to a Halflife server on my network. This continued until 6:14 pm. The conversations could not be productive because of my Null route, but what were these machines trying to do?

Even more interesting is the fact that these machines were supposed to be shut down before 3:00. How could they be sending data to this Halflife server? I suspect that the addresses are spoofed, but to what end? Are there any Halflife vulnerabilities that the virus writers are using? It just seems like too much of a coincidence that 10 out of 20 machines were hitting this server.

I have the original Netflow data and the complete logs. Below is a sample of what I was seeing. Port 27015 is the normal Halflife port.

Anyone have any ideas? or seeing anything similar?
Read: Date,Time,SrcIP,SrcPort,DstIP,DstPort,Protocol,Packets,Bytes

2003/08/22 15:09:54 67.73.21.6.50416 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:10:00 12.232.104.221.64550 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:10:03 61.38.187.59.43445 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:10:07 67.9.241.67.17414 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:10:09 63.250.82.87.2956 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:10:12 24.197.143.132.18637 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:10:23 61.38.187.59.64072 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:10:31 67.73.21.6.27900 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:10:39 65.177.240.194.1448 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:10:46 63.250.82.87.33876 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:11:16 65.177.240.194.40713 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:11:18 61.38.187.59.58060 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:11:25 24.197.143.132.4336 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:11:40 67.9.241.67.6812 -> XXX.XXX.XXX.XXX.27015 17 1 37
[...]
2003/08/22 18:13:27 65.95.193.138.11565 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 18:13:31 12.232.104.221.32662 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 18:13:35 61.38.187.59.28106 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 18:13:37 24.33.66.38.19736 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 18:13:38 67.9.241.67.51452 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 18:13:46 65.95.193.138.46930 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 18:13:53 61.38.187.59.16641 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 18:13:59 63.250.82.87.56358 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 18:14:09 12.232.104.221.19923 -> XXX.XXX.XXX.XXX.27015 17 1 37

Total = 1751 flows from 15:09:54 to 18:14:09

Servers hitting the Halflife machine
------------------------------------
12.232.104.221
24.33.66.38
24.197.143.132
24.202.91.43
61.38.187.59
63.250.82.87
65.95.193.138
65.177.240.194
67.9.241.67
67.73.21.6

--
Matthew E. Martini, PE
Chief Technology Officer, InVision.com, Inc.
http://www.invision.net/
(631) 543-1000 x104
(631) 864-8896 Fax
matt () invision net

----- End forwarded message -----
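As an added example, and not code from the forwarded post or from its author, the Python script below does the correlation the post describes: it parses flow records in the layout printed above, keeps only UDP (protocol 17) flows to port 27015 whose source is on a watch list, and summarises flow count, time span, distinct sources, which watch-listed addresses never appeared, and the per-flow packet/byte sizes. The watch list is the ten addresses the post lists; the sample input mixes records quoted from the post with four constructed lines (a column legend, a source that is not on the list, a listed source on another port and protocol, and TCP to 27015) that the filter must reject. The script does not try to say what the 37-byte datagrams are; that remains the open question the post raises.

```python
"""Correlate NetFlow-style records against a source-address watch list.

Added example, not code from the forwarded post. It reproduces the kind of
check the post describes: scan flow records, keep UDP flows to the Half-Life
port (27015) whose source is on a watch list, and summarise them.
"""
import re
from collections import Counter
from datetime import datetime

HALFLIFE_PORT = 27015
UDP = 17

# Watch list: the ten source addresses the post lists as hitting the server.
WATCH_LIST = {
    "12.232.104.221", "24.33.66.38", "24.197.143.132", "24.202.91.43",
    "61.38.187.59", "63.250.82.87", "65.95.193.138", "65.177.240.194",
    "67.9.241.67", "67.73.21.6",
}

# Record layout as printed in the post:
#   date time src.sport -> dst.dport proto packets bytes
# The destination may be masked (XXX.XXX.XXX.XXX), as it is in the post.
FLOW_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<src>(?:\d{1,3}\.){3}\d{1,3})\.(?P<sport>\d+) -> "
    r"(?P<dst>(?:[\dX]{1,3}\.){3}[\dX]{1,3})\.(?P<dport>\d+) "
    r"(?P<proto>\d+) (?P<pkts>\d+) (?P<bytes>\d+)$"
)

# Sample input: records quoted from the post, plus four constructed lines
# (marked) that a correct filter must drop.
SAMPLE_LINES = [
    "Read: Date,Time,SrcIP,SrcPort,DstIP,DstPort,Protocol,Packets,Bytes",  # legend, constructed placement
    "2003/08/22 15:09:54 67.73.21.6.50416 -> XXX.XXX.XXX.XXX.27015 17 1 37",
    "2003/08/22 15:10:00 12.232.104.221.64550 -> XXX.XXX.XXX.XXX.27015 17 1 37",
    "2003/08/22 15:10:03 61.38.187.59.43445 -> XXX.XXX.XXX.XXX.27015 17 1 37",
    "2003/08/22 15:10:07 67.9.241.67.17414 -> XXX.XXX.XXX.XXX.27015 17 1 37",
    "2003/08/22 15:10:09 63.250.82.87.2956 -> XXX.XXX.XXX.XXX.27015 17 1 37",
    "2003/08/22 15:10:12 24.197.143.132.18637 -> XXX.XXX.XXX.XXX.27015 17 1 37",
    "2003/08/22 15:10:15 192.0.2.10.3333 -> XXX.XXX.XXX.XXX.27015 17 1 37",   # constructed: not on list
    "2003/08/22 15:10:16 67.73.21.6.4444 -> XXX.XXX.XXX.XXX.80 6 5 640",       # constructed: other port
    "2003/08/22 15:10:17 61.38.187.59.5555 -> XXX.XXX.XXX.XXX.27015 6 3 180",  # constructed: TCP
    "2003/08/22 15:10:23 61.38.187.59.64072 -> XXX.XXX.XXX.XXX.27015 17 1 37",
    "2003/08/22 18:14:09 12.232.104.221.19923 -> XXX.XXX.XXX.XXX.27015 17 1 37",
]


def parse_flow(line):
    """Return a dict for one flow record, or None for lines that do not parse."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(f"{d['date']} {d['time']}", "%Y/%m/%d %H:%M:%S"),
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "proto": int(d["proto"]), "pkts": int(d["pkts"]), "bytes": int(d["bytes"]),
    }


def correlate(lines, watch_list=WATCH_LIST, dport=HALFLIFE_PORT, proto=UDP):
    """Keep flows that are <proto> to <dport> from a watch-listed source and summarise them."""
    hits = [f for f in map(parse_flow, lines)
            if f and f["proto"] == proto and f["dport"] == dport and f["src"] in watch_list]
    sources = Counter(h["src"] for h in hits)
    return {
        "flows": len(hits),
        "first": min((h["ts"] for h in hits), default=None),
        "last": max((h["ts"] for h in hits), default=None),
        "sources": sources,
        "unseen": sorted(set(watch_list) - set(sources)),
        # (packets, bytes) histogram: uniform sizes point at one fixed datagram per flow.
        "sizes": Counter((h["pkts"], h["bytes"]) for h in hits),
    }


def summarise(lines=SAMPLE_LINES):
    return correlate(lines)


if __name__ == "__main__":
    r = summarise()
    print(f"Total = {r['flows']} flows from {r['first']:%H:%M:%S} to {r['last']:%H:%M:%S}")
    print("Sources hitting the server:")
    for src, n in r["sources"].most_common():
        print(f"  {src:<16} {n} flows")
    print("Watch-listed addresses not seen:", ", ".join(r["unseen"]))
    print("Flow sizes (packets, bytes):", dict(r["sizes"]))
```

Pipe a real flow export into `correlate()` line by line and swap in the full target list to get the same counts the post reports. The size histogram is the check worth keeping: every matching flow in the post is a single 37-byte datagram, and a uniform size like that is what to compare against a packet capture before attributing the traffic to any particular client or tool.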