Security Incidents mailing list archives

Re: Kuang2 strikes again, is it just me?


From: Paul Dokas <dokas () cs umn edu>
Date: Mon, 17 Feb 2003 11:57:34 -0600

On Sat, 15 Feb 2003 23:02:48 -0500 "Rob Shein" <shoten () starpower net> wrote:
> Ah, a honeypot...a good question comes to mind.  Does anyone have any info
> on what a Kuang2 backdoor looks like to a scanner?  I'd rather not install
> one myself and work to figure it out if anyone else has done the work
> already...

I just caught one on one of my /16 networks.  I noticed the machine because it created
several GB of IP Protocol 255 traffic last night aimed at a cablemodem.  Here's what an
NMAP of the machine looks like:

  (The 65528 ports scanned but not shown below are in state: closed)
  Port       State       Service (RPC)
  80/tcp     filtered    http
  135/tcp    open        loc-srv
  139/tcp    open        netbios-ssn
  445/tcp    open        microsoft-ds
  1025/tcp   open        NFS-or-IIS
  5000/tcp   open        UPnP
  17300/tcp  open        unknown
  Remote OS guesses: Windows Millennium Edition (Me), Win 2000, or WinXP, MS Windows2000 Professional RC1/W2K Advance Server Beta3

It's definitely got Kuang2 on it:

  % telnet 128.101.X.Y 17300
  Trying 128.101.X.Y...
  Connected to XXXXXXXXX.umn.edu.
  Escape character is '^]'.
  YOK2BENNY°ùR>õõwè       >>6>ùR ûR$øw U÷wÿÿõõwÍõwõw-ww(üRwh% 

And, Nessus flags 17300/TCP as Kuang2.

Grabbing some traffic to/from the machine, it appears to only be doing
IRC at the moment:

  11:45:44.910196 209.126.161.29.ircd > XXXXXXXX.umn.edu.4171: P 1153785951:1153786075(124) ack 8633779 win 32120 (DF)
  11:45:45.095084 XXXXXXXX.umn.edu.4171 > 209.126.161.29.ircd: . ack 124 win 17209 (DF)
  11:45:49.530129 209.126.161.29.ircd > XXXXXXXX.umn.edu.4171: P 124:206(82) ack 1 win 32120 (DF)
  11:45:49.705017 XXXXXXXX.umn.edu.4171 > 209.126.161.29.ircd: . ack 206 win 17127 (DF)

Dumping the TCP session shows traffic in the channel:

  :Nosibvyzt!~Nosibvyzt () pc1-nfds2-6-cust10 nott cable ntl com JOIN :#\xf1\xe0\xe9\xfc\xee\xe9\xf0\xecl^M
  :wolhglsli!~wolhglsli@195.175.79.42 QUIT :Read error: 104 (Connection reset by peer)^M
  :Skrcgirl!~Skrcgirl () Morristown-68-118-83-195 chartertn net JOIN :#\xf1\xe0\xe9\xfc\xee\xe9\xf0\xecl^M
  :Rbizcoced!~Rbizcoced () dhcp024-210-152-184 woh rr com QUIT :Ping timeout: 600 seconds^M
  :Kadisfutr!~Kadisfutr@211.191.2.117 QUIT :Ping timeout: 600 seconds^M
  :mskspwn!~mskspwn@195.175.78.105 QUIT :Read error: 104 (Connection reset by peer)^M
  :Woicdonic!~Woicdonic () usr3152-edi blueyonder co uk JOIN :#\xf1\xe0\xe9\xfc\xee\xe9\xf0\xecl^M
  :mlkaglali!~mlkaglali () pcp01975916pcs essex01 md comcast net QUIT :Read error: 104 (Connection reset by peer)^M
  :Rosjhgly!~Rosjhgly@211.178.173.154 JOIN :#\xf1\xe0\xe9\xfc\xee\xe9\xf0\xecl^M
  :Sscpceih!~Sscpceih () cable1-137 shenhgts net JOIN :#\xf1\xe0\xe9\xfc\xee\xe9\xf0\xecl^M
  :Diencoke!~Diencoke@211.222.186.221 QUIT :Ping timeout: 600 seconds^M
  :Mikemlyt!~Mikemlyt@211.198.127.78 JOIN :#\xf1\xe0\xe9\xfc\xee\xe9\xf0\xecl^M
  :Kiwnpdti!~Kiwnpdti () 12-252-81-85 client attbi com JOIN :#\xf1\xe0\xe9\xfc\xee\xe9\xf0\xecl^M
  :Mixeboyz!~Mixeboyz () c-97e472d5 038-85-73746f37 cust bredbandsbolaget se JOIN :#\xf1\xe0\xe9\xfc\xee\xe9\xf0\xecl^M
  :Aglfsoush!~Aglfsoush () pm3-2-210 htg net JOIN :#\xf1\xe0\xe9\xfc\xee\xe9\xf0\xecl^M
  :rarmnyj!~rarmnyj () N896P020 adsl highway telekom at QUIT :Read error: 104 (Connection reset by peer)^M
  :Migegtki!~Migegtki () pcp03043874pcs andrsn01 tn comcast net QUIT :Ping timeout: 600 seconds^M
  :Niwfmlnep!~Niwfmlnep () pD9E510BD dip t-dialin net QUIT :Ping timeout: 600 seconds^M
  :kirmrao!~kirmrao () user-1694 bbd18tcl dsl pol co uk QUIT :Ping timeout: 600 seconds^M
  :Radicolwi!~Radicolwi@61.84.62.133 QUIT :Ping timeout: 600 seconds^M
  :Rhcvmicha!~Rhcvmicha () HSE-London-ppp208618 sympatico ca JOIN :#\xf1\xe0\xe9\xfc\xee\xe9\xf0\xecl^M
  :radieilha!~radieilha () adsl-153-99-155 mia bellsouth net JOIN :#\xf1\xe0\xe9\xfc\xee\xe9\xf0\xecl^M
  :Oaycboy!~Oaycboy () CZ1-RAS-1-u-0078 du onolab com QUIT :Ping timeout: 600 seconds^M
  :garcpiche!~garcpiche () ASte-Genev-Bois-111-1-1-161 abo wanadoo fr QUIT :Ping timeout: 600 seconds^M
  :Siepslu!~Siepslu () cable-213-132-151-242 upc chello be QUIT :Ping timeout: 600 seconds^M
  :Stmpsoueh!~Stmpsoueh () physp2 physx u-szeged hu QUIT :Read error: 104 (Connection reset by peer)^M
  :Siepslu!~Siepslu () cable-213-132-151-242 upc chello be JOIN :#\xf1\xe0\xe9\xfc\xee\xe9\xf0\xecl^M
  :Tirxplt!~Tirxplt () ool-18bc17fc dyn optonline net JOIN :#\xf1\xe0\xe9\xfc\xee\xe9\xf0\xecl^M
  :gagsiok!~gagsiok () AValence-101-2-1-139 abo wanadoo fr QUIT :Read error: 104 (Connection reset by peer)^M

Looks like a bot net to me.


Paul
-- 
Paul Dokas                                            dokas () cs umn edu
======================================================================
Don Juan Matus:  "an enigma wrapped in mystery wrapped in a tortilla."

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
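For the IRC side of the triage, here is an added example, not part of the original post, that parses a server-to-client dump like the one above: it pulls nick, ident and host out of each ":prefix COMMAND params" line, counts JOINs per channel and QUIT reasons, and flags channel names made of non-ASCII bytes, which is what the channel in the dump looks like. The sample lines are constructed to match the shape of Paul's dump (with the "@" that the archive rewrote as " () " put back); the "bot-like" threshold in flag_channels is my own heuristic, not anything from the post.

```python
"""Triage of a captured IRC session (server -> client lines).

Added example, not from the original post.  Lines are decoded as latin-1
so each raw byte of the channel name survives as one character.
"""
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of the dump above; the channel name bytes
# are the ones shown there.  The PING line has no user prefix and is there
# to make sure such lines are skipped rather than crashing the parser.
SAMPLE_DUMP = (
    b":Nosibvyzt!~Nosibvyzt@pc1-nfds2-6-cust10.nott.cable.ntl.com JOIN :#\xf1\xe0\xe9\xfc\xee\xe9\xf0\xecl\r\n"
    b":wolhglsli!~wolhglsli@195.175.79.42 QUIT :Read error: 104 (Connection reset by peer)\r\n"
    b":Skrcgirl!~Skrcgirl@Morristown-68-118-83-195.chartertn.net JOIN :#\xf1\xe0\xe9\xfc\xee\xe9\xf0\xecl\r\n"
    b":Kadisfutr!~Kadisfutr@211.191.2.117 QUIT :Ping timeout: 600 seconds\r\n"
    b":Rosjhgly!~Rosjhgly@211.178.173.154 JOIN :#\xf1\xe0\xe9\xfc\xee\xe9\xf0\xecl\r\n"
    b":Siepslu!~Siepslu@cable-213-132-151-242.upc.chello.be QUIT :Ping timeout: 600 seconds\r\n"
    b":Siepslu!~Siepslu@cable-213-132-151-242.upc.chello.be JOIN :#\xf1\xe0\xe9\xfc\xee\xe9\xf0\xecl\r\n"
    b"PING :irc.example.net\r\n"
)

# ":nick!user@host COMMAND [params]" -- the only line shape we care about.
LINE_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)!(?P<user>[^@\s]+)@(?P<host>\S+)\s+(?P<cmd>[A-Z]+)(?:\s+(?P<params>.*))?$"
)


def parse_line(line: str):
    """Return a dict for a prefixed user line, or None for anything else."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    ev = m.groupdict()
    params = ev.get("params") or ""
    # A trailing parameter is introduced by ':'; strip it for JOIN/QUIT.
    ev["trailing"] = params[1:] if params.startswith(":") else params
    return ev


def is_non_ascii_name(name: str) -> bool:
    """True if the name contains control or high-bit characters."""
    return any(ord(c) < 0x20 or ord(c) > 0x7E for c in name)


def triage(dump: bytes) -> dict:
    """Summarise joins per channel, quit reasons and distinct client hosts."""
    joins = defaultdict(set)      # channel -> set of nicks that joined
    quits = Counter()             # quit reason (text before ':') -> count
    hosts = set()
    for raw in dump.decode("latin-1").splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        hosts.add(ev["host"])
        if ev["cmd"] == "JOIN":
            joins[ev["trailing"]].add(ev["nick"])
        elif ev["cmd"] == "QUIT":
            quits[ev["trailing"].split(":")[0]] += 1
    channels = {
        ch: {"nicks": len(nicks), "non_ascii_name": is_non_ascii_name(ch)}
        for ch, nicks in joins.items()
    }
    return {
        "channels": channels,
        "quit_reasons": dict(quits),
        "distinct_hosts": len(hosts),
    }


def flag_channels(summary: dict, min_nicks: int = 3) -> list:
    """Heuristic (my own threshold): many distinct nicks joining one channel
    whose name is unprintable is worth a closer look."""
    return [
        ch for ch, info in summary["channels"].items()
        if info["nicks"] >= min_nicks and info["non_ascii_name"]
    ]


if __name__ == "__main__":
    result = triage(SAMPLE_DUMP)
    for ch, info in result["channels"].items():
        print(repr(ch), info)
    print("quit reasons:", result["quit_reasons"])
    print("distinct hosts:", result["distinct_hosts"])
    print("flagged:", [repr(c) for c in flag_channels(result)])
```

Feed it the output of a TCP stream reassembly instead of SAMPLE_DUMP to get the same summary for a real capture; the hosts set is the list you would hand to the other networks' abuse contacts.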

