Security Incidents mailing list archives

POSSIBLE WORM / DDOS ?


From: "Eric Weaver" <eric.weaver () ids2 net>
Date: Fri, 5 Apr 2002 06:59:41 -0800


POSSIBLE WORM / DDOS

Appears to be target port 21 and/or spreading via SMB. This is all I have
right now:

tcpdump:

06:29:17.078874 10.2.2.241.1890 > 204.152.189.113.21: S
3272713560:3272713560(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:29:20.081771 10.2.2.241.1891 > 204.152.189.113.21: S
3273527112:3273527112(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:29:23.087434 10.2.2.241.1892 > 209.250.0.132.21: S
3274340020:3274340020(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:29:26.089861 10.2.2.241.1893 > 209.250.0.132.21: S
3275149251:3275149251(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:29:29.301291 10.2.2.241.1028 > 10.2.2.14.53:  161+ A?
hawking.res.cmu.edu. (37)
06:29:29.302121 10.2.2.14.53 > 10.2.2.241.1028:  161 NXDomain 0/1/0 (118)
(DF)
06:30:29.836128 10.2.2.241.1938 > 198.133.219.27.21: S
3293275935:3293275935(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:30:32.782191 10.2.2.241.1939 > 62.243.72.50.21: S
3294076486:3294076486(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:30:35.786356 10.2.2.241.1940 > 129.128.5.191.21: S
3294859714:3294859714(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:30:38.690326 10.2.2.241.1941 > 66.26.238.15.21: S
3295637385:3295637385(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:30:51.775416 10.2.2.241.1956 > 204.152.189.113.21: S
3299451469:3299451469(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:30:54.804154 10.2.2.241.1957 > 216.10.106.189.21: S
3300252651:3300252651(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:30:57.712465 10.2.2.241.1958 > 204.152.189.113.21: S
3301052975:3301052975(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:31:00.716285 10.2.2.241.1959 > 204.152.189.113.21: S
3301854583:3301854583(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:31:03.721980 10.2.2.241.1960 > 209.250.0.132.21: S
3302638469:3302638469(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:31:06.725382 10.2.2.241.1961 > 209.250.0.132.21: S
3303448449:3303448449(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:31:13.857898 10.2.2.241.1984 > 206.100.24.34.21: S
3306270291:3306270291(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:31:16.836273 10.2.2.241.1985 > 206.100.24.34.21: S
3307075111:3307075111(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:32:02.060208 10.2.2.241.2004 > 198.133.219.27.21: S
3319333584:3319333584(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:32:05.056510 10.2.2.241.2005 > 62.243.72.50.21: S
3320119259:3320119259(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:32:08.009097 10.2.2.241.2006 > 129.128.5.191.21: S
3320930893:3320930893(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:32:11.013294 10.2.2.241.2007 > 66.26.238.15.21: S
3321738567:3321738567(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:32:23.459155 10.2.2.241.2024 > 204.152.189.113.21: S
3325545579:3325545579(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:32:26.462660 10.2.2.241.2025 > 216.10.106.189.21: S
3326338384:3326338384(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:32:29.433905 10.2.2.241.2026 > 204.152.189.113.21: S
3327134151:3327134151(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:32:32.436725 10.2.2.241.2027 > 204.152.189.113.21: S
3327941671:3327941671(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:32:35.443518 10.2.2.241.2028 > 209.250.0.132.21: S
3328724549:3328724549(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:32:38.444911 10.2.2.241.2029 > 209.250.0.132.21: S
3329535547:3329535547(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:32:45.491534 10.2.2.241.2052 > 206.100.24.34.21: S
3332310269:3332310269(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)



Packet dump:

 offset    0  1  2  3   4  5  6  7   8  9  a  b   c  d  e  f  0123456789abcdef
00000000  d4 c3 b2 a1  02 00 04 00  00 00 00 00  00 00 00 00  Ôò¡............
00000010  dc 05 00 00  01 00 00 00  62 b5 ad 3c  30 eb 00 00  Ü.......bµ­<0ë..
00000020  3e 00 00 00  3e 00 00 00  00 00 0c 4a  39 83 00 20  >...>......J9..
00000030  78 05 b5 08  08 00 45 00  00 30 31 62  40 00 80 06  x.µ...E..01b@...
00000040  1a d2 0a 02  02 f1 c6 85  db 1b 07 d4  00 15 c5 d9  .Ò...ñÆ.Û..Ô..ÅÙ
00000050  02 d0 00 00  00 00 70 02  40 00 c3 f8  00 00 02 04  .Ð....p.@.Ãø....
00000060  05 b4 01 01  04 02                                  .´....


Netstat of the infected machine:

 TCP    10.2.2.241:1993        10.2.2.241:139         TIME_WAIT
 TCP    10.2.2.241:1994        10.2.2.250:445         TIME_WAIT
 TCP    10.2.2.241:1996        10.2.2.250:445         TIME_WAIT
 TCP    10.2.2.241:1998        10.2.2.250:445         TIME_WAIT
 TCP    10.2.2.241:2006        129.128.5.191:21       SYN_SENT
 UDP    0.0.0.0:135            *:*
 UDP    0.0.0.0:445            *:*
 UDP    0.0.0.0:1026           *:*
 UDP    0.0.0.0:1027           *:*


(a few seconds later,  multiple connections to other SMB shares)

  TCP    10.2.2.241:2016        10.2.2.250:445         TIME_WAIT
  TCP    10.2.2.241:2018        10.2.2.250:445         TIME_WAIT
  TCP    10.2.2.241:2020        10.2.2.250:445         TIME_WAIT
  TCP    10.2.2.241:2032        10.2.2.250:445         TIME_WAIT
  TCP    10.2.2.241:2034        10.2.2.250:445         TIME_WAIT
  TCP    10.2.2.241:2036        10.2.2.250:445         TIME_WAIT
  TCP    10.2.2.241:2038        10.2.2.250:445         TIME_WAIT
  TCP    10.2.2.241:2040        10.2.2.250:445         TIME_WAIT
  TCP    10.2.2.241:2042        10.2.2.250:445         TIME_WAIT
  TCP    10.2.2.241:2044        10.2.2.250:445         TIME_WAIT
  TCP    10.2.2.241:2046        10.2.2.250:445         TIME_WAIT
  TCP    10.2.2.241:2048        10.2.2.250:445         TIME_WAIT
  TCP    10.2.2.241:2050        10.2.2.250:445         TIME_WAIT
  TCP    10.2.2.241:2054        10.2.2.250:445         TIME_WAIT



Eric Weaver
IDS2.net
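Added example, not part of Eric's post: a small Python detector that runs over tcpdump lines in the format shown above and flags any source that sends SYNs to port 21 on several distinct hosts. The sample lines are copied from the post (wrapped lines joined), plus one constructed line for a second host, 10.2.2.99, that makes a single FTP connection and should not be flagged.

```python
import re
from collections import defaultdict

# Sample input: tcpdump lines copied from the post (wrapped lines joined), plus one
# constructed line for a second host, 10.2.2.99, that makes a single FTP connection.
SAMPLE = """\
06:29:17.078874 10.2.2.241.1890 > 204.152.189.113.21: S 3272713560:3272713560(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:29:20.081771 10.2.2.241.1891 > 204.152.189.113.21: S 3273527112:3273527112(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:29:23.087434 10.2.2.241.1892 > 209.250.0.132.21: S 3274340020:3274340020(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:29:29.301291 10.2.2.241.1028 > 10.2.2.14.53:  161+ A? hawking.res.cmu.edu. (37)
06:30:29.836128 10.2.2.241.1938 > 198.133.219.27.21: S 3293275935:3293275935(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:30:32.782191 10.2.2.241.1939 > 62.243.72.50.21: S 3294076486:3294076486(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:30:35.786356 10.2.2.241.1940 > 129.128.5.191.21: S 3294859714:3294859714(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:30:40.000000 10.2.2.99.3001 > 10.2.2.14.21: S 1:1(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
"""

# tcpdump 3.x line shape: "HH:MM:SS.uuuuuu src.sport > dst.dport: S seq:seq(0) ..."
SYN_LINE = re.compile(
    r"^(?P<t>\d\d:\d\d:\d\d\.\d{6}) (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): S ")

def parse_syns(text):
    """Return (seconds_since_midnight, src, dst, dport) per SYN line; skip the rest."""
    out = []
    for line in text.splitlines():
        m = SYN_LINE.match(line)
        if m:
            h, mi, s = m["t"].split(":")
            out.append((int(h) * 3600 + int(mi) * 60 + float(s),
                        m["src"], m["dst"], int(m["dport"])))
    return out

def scanners(text, port=21, min_targets=3):
    """Sources that SYN to `port` on >= min_targets distinct hosts, with the mean
    gap between SYNs: a steady few-second fan-out with no replies is worm-like."""
    by_src = defaultdict(list)
    for t, src, dst, dport in parse_syns(text):
        if dport == port:
            by_src[src].append((t, dst))
    report = {}
    for src, hits in by_src.items():
        targets = sorted({dst for _, dst in hits})
        if len(targets) < min_targets:
            continue
        times = [t for t, _ in hits]
        gap = (times[-1] - times[0]) / (len(times) - 1) if len(times) > 1 else None
        report[src] = {"targets": targets, "syns": len(hits), "mean_gap_s": gap}
    return report
```

On the sample, only 10.2.2.241 is reported, with five distinct port-21 targets and six SYNs at a mean spacing of roughly 15.7 s (the two one-minute gaps in the excerpt pull the average up; within a burst it is about 3 s).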


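A second added example, also not from the post: decoding the packet dump above as what it is, a libpcap file (magic d4 c3 b2 a1) holding one captured Ethernet/IPv4/TCP frame. The hex is copied from the post with the ASCII column dropped; the decode reproduces the 06:32:02.060208 tcpdump line (reported here in UTC, which is 14:32:02 given the post's -0800 Date header).

```python
import struct
from datetime import datetime, timezone

# Hex bytes of the "Packet dump" in the post (ASCII column dropped): a 24-byte
# libpcap file header, a 16-byte record header and one 62-byte Ethernet frame.
DUMP_HEX = """
d4 c3 b2 a1 02 00 04 00 00 00 00 00 00 00 00 00
dc 05 00 00 01 00 00 00 62 b5 ad 3c 30 eb 00 00
3e 00 00 00 3e 00 00 00 00 00 0c 4a 39 83 00 20
78 05 b5 08 08 00 45 00 00 30 31 62 40 00 80 06
1a d2 0a 02 02 f1 c6 85 db 1b 07 d4 00 15 c5 d9
02 d0 00 00 00 00 70 02 40 00 c3 f8 00 00 02 04
05 b4 01 01 04 02
"""

# TCP flag bits in tcpdump's letter notation.
TCP_FLAGS = [(0x02, "S"), (0x10, "."), (0x01, "F"), (0x04, "R"), (0x08, "P"), (0x20, "U")]

def decode_first_packet(hex_text):
    """Decode the first record of a little-endian libpcap blob as Ethernet/IPv4/TCP."""
    data = bytes.fromhex("".join(hex_text.split()))
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian pcap header: %#x" % magic)
    linktype, = struct.unpack_from("<I", data, 20)
    if linktype != 1:                                   # LINKTYPE_ETHERNET
        raise ValueError("expected Ethernet link type, got %d" % linktype)
    ts_sec, ts_usec, caplen, _origlen = struct.unpack_from("<IIII", data, 24)
    frame = data[40:40 + caplen]
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype != 0x0800 or frame[23] != 6:           # IPv4 carrying TCP
        raise ValueError("not an IPv4/TCP frame")
    ihl = (frame[14] & 0x0F) * 4                        # IP header length in bytes
    tcp = frame[14 + ihl:]
    sport, dport, seq, _ack, off_flags, win = struct.unpack_from("!HHIIHH", tcp, 0)
    opts = tcp[20:(off_flags >> 12) * 4]                # bytes after the fixed TCP header
    mss = struct.unpack_from("!H", opts, 2)[0] if opts[:2] == b"\x02\x04" else None
    utc = datetime.fromtimestamp(ts_sec, timezone.utc)
    return {
        "time_utc": utc.strftime("%H:%M:%S") + ".%06d" % ts_usec,
        "src": "%d.%d.%d.%d" % tuple(frame[26:30]), "sport": sport,
        "dst": "%d.%d.%d.%d" % tuple(frame[30:34]), "dport": dport,
        "flags": "".join(n for bit, n in TCP_FLAGS if off_flags & bit),
        "seq": seq, "win": win, "ttl": frame[22], "mss": mss,
        "df": bool(struct.unpack_from("!H", frame, 20)[0] & 0x4000),
    }
```

The result matches the capture line for port 2004 exactly: 10.2.2.241.2004 > 198.133.219.27.21, SYN only, seq 3319333584, win 16384, mss 1460, DF set, and a TTL of 128, the default of the Windows stacks of the time, consistent with the SMB activity in the netstat output.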



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com