Security Incidents mailing list archives

Re: shaft client to handler?


From: Neil Dickey <neil () geol niu edu>
Date: Tue, 22 Jan 2002 13:25:10 -0600 (CST)


You wrote to the Incidents list:

> I got these messages from my Snort sensor earlier today ... it
> shouldn't be valid traffic.

I'm not sure on the face of it why you think this shouldn't be valid
traffic.  The target port is a high number port not normally associated
with any particular software package, and therefore available for
assignment to be used as needed.

> Also, in the several hours previous, I've
> been seeing lots of large ICMP packets and "Communication
> Administratively Prohibited" traffic to various hosts on the internal
> network.

These sorts of things are normal in my experience.  I'm assuming that
these packets are coming from the internet to hosts in your internal
net.  If they are exchanged between hosts in your internal net, then
there is a problem of some sort.

> Have I potentially been compromised, or is this "scatter" traffic?

There isn't enough information to make a judgement on whether or not
you have been compromised.  If the Snort rule which tripped these
alerts is similar to the one I have seen, *any* traffic to port 20432
will trip it, regardless of content.  Rules of this sort are prone to
false alarms.

If you aren't running it already, I suggest you examine the program
"Tripwire" on the Computer Emergency Response Team ( Cert ) website.
Used properly, it can tell you in a few minutes whether anything has
changed on your system, *but* you must have it installed and initialized
on a known-clean system *before* a suspected compromise occurs and you
need to use it.

What looks interesting to me are the source ports for the packets:

Jan 21 15:51:45 hostname snort: [1:230:1] DDOS shaft client to handler
[Classification: Attempted Denial of Service] [Priority: 2]: {TCP}
216.227.124.82:76 -> x.x.x.x:20432

Port 76 is associated with 'finger'.

Jan 21 15:51:46 hostname snort: [1:230:1] DDOS shaft client to handler
[Classification: Attempted Denial of Service] [Priority: 2]: {TCP}
216.227.124.82:20 -> x.x.x.x:20432

Port 20 is the 'ftp' data transfer port.

Spaced about a second apart as they are, this could have been a scan of
some sort or another looking for a trojan ( Shaft? ) listening on that
port.  It also seems possible from the information given that it may
have been part of a passive FTP session.  I think that possibility is
remote, however, because I don't know why 'finger' would be involved.

You only seem to have posted part of the alert log.  Was this a SYN
packet?  SYN-FIN?  ACK-PUSH?  Was there a payload?  If so, what did it
have in it?

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
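The reply above works through a triage of the two alert lines by hand: the destination port alone trips the rule, the source ports are what stand out, and the lines as posted carry no TCP flags or payload to confirm anything. The following Python script, added here as an illustration and not code from the thread or from Snort, automates that first pass over syslog-style Snort alerts. It assumes each alert is on a single line (the archive wrapped the originals across three lines), uses the two alert lines quoted in the thread plus one constructed line for contrast, and treats port 20432 as the Shaft handler port named in the rule message.

```python
import re
from datetime import datetime

# Syslog-style Snort alert line, as quoted in the thread but rejoined onto one line.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) snort: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<class>[^\]]+)\] \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$"
)

SHAFT_HANDLER_PORT = 20432   # destination port the "shaft client to handler" rule keys on

# First two lines are the ones quoted in the thread; the third is constructed
# (documentation address 192.0.2.10, high ephemeral source port) to show an
# alert that the source-port and burst heuristics do not flag.
SAMPLE_ALERTS = [
    "Jan 21 15:51:45 hostname snort: [1:230:1] DDOS shaft client to handler "
    "[Classification: Attempted Denial of Service] [Priority: 2]: {TCP} "
    "216.227.124.82:76 -> x.x.x.x:20432",
    "Jan 21 15:51:46 hostname snort: [1:230:1] DDOS shaft client to handler "
    "[Classification: Attempted Denial of Service] [Priority: 2]: {TCP} "
    "216.227.124.82:20 -> x.x.x.x:20432",
    "Jan 21 16:02:10 hostname snort: [1:230:1] DDOS shaft client to handler "
    "[Classification: Attempted Denial of Service] [Priority: 2]: {TCP} "
    "192.0.2.10:41337 -> x.x.x.y:20432",
]


def parse_alert(line, year=2002):
    """Parse one alert line into a dict; syslog timestamps lack a year, so it is supplied."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(f"{year} {d['ts']}", "%Y %b %d %H:%M:%S")
    for k in ("gid", "sid", "rev", "prio", "sport", "dport"):
        d[k] = int(d[k])
    return d


def triage(lines, year=2002):
    """Group alerts by (src, dst, dport) and attach the notes an analyst would make first."""
    parsed = [a for a in (parse_alert(l, year) for l in lines) if a]
    groups = {}
    for a in parsed:
        groups.setdefault((a["src"], a["dst"], a["dport"]), []).append(a)

    findings = []
    for (src, dst, dport), evs in groups.items():
        evs.sort(key=lambda a: a["ts"])
        sports = sorted({a["sport"] for a in evs})
        span = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds()
        notes = []
        if dport == SHAFT_HANDLER_PORT:
            # The rule fires on the destination port alone; the alert line carries
            # no TCP flags or payload, so it cannot confirm a Shaft handler by itself.
            notes.append("dst port 20432 only; confirm with TCP flags and payload")
        low = [p for p in sports if p < 1024]
        if low:
            # Ordinary clients pick ephemeral source ports; well-known ones stand out.
            notes.append(f"well-known source port(s) {low}; unusual for a client")
        if len(evs) > 1 and span <= 5:
            notes.append(f"{len(evs)} alerts in {span:.0f}s from one source; probe burst")
        findings.append({
            "src": src, "dst": dst, "dport": dport, "count": len(evs),
            "src_ports": sports, "span_s": span, "notes": notes,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_ALERTS):
        print(f"{f['src']} -> {f['dst']}:{f['dport']} x{f['count']} src_ports={f['src_ports']}")
        for n in f["notes"]:
            print("   -", n)
```

Run against a real syslog export, the script only narrows the queue: every group keyed on port 20432 still needs the flags and payload the reply asks for, which means going back to the packet capture rather than the alert line.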