Security Incidents mailing list archives

Proxy attackers/hijackers


From: Jeff Kell <jeff-kell () utc edu>
Date: Thu, 16 Oct 2003 23:31:12 -0400

We had an attempted proxy rape today on a trojanned dorm machine. No mail escaped thanks to firewalling, but I did track down the culprits and the compromised ports (which appear random; they changed when the machine was rebooted). Do not have the machine (yet) for forensics to see what infected it, but it was providing two proxy ports on random ports that change when the machine is rebooted (apparently, given the time difference between the pairs of proxy ports below).

Inside IP is munged into private address, but the sources of the incoming proxy connections are real. The format is:

victim-IP:source-IP <connection count> <bytes>

The <bytes> count is low since the proxy fails after the SYN times out.
For the most part, these aren't individual attacks; it is a battery of hosts in the same netblock. Here is the hit-list and the ports they attacked on:

> [jeff@netsyslog jeff]$ grep 172\.16\.16\.16 utcpix.log|./proxysum 7512
> 172.16.16.16:66.111.39.210 104 items 0 bytes
> 172.16.16.16:*** total *** 104 items 0 bytes
>
> [jeff@netsyslog jeff]$ grep 172\.16\.16\.16 utcpix.log|./proxysum 9257
> 172.16.16.16:66.111.39.210 40 items 0 bytes
> 172.16.16.16:*** total *** 40 items 0 bytes
>
>
> [jeff@netsyslog jeff]$ grep 172\.16\.16\.16 utcpix.log|./proxysum 9813
> 172.16.16.16:203.98.189.84 3 items 45 bytes
> 172.16.16.16:207.218.0.155 1035 items 7470 bytes 155.0.218.207.in-addr.arpa
> 172.16.16.16:213.129.172.88 7 items 85 bytes 213-129-172-88.DialUp.tiscali.es
> 172.16.16.16:24.163.39.18 7 items 96 bytes rdu163-39-018.nc.rr.com
> 172.16.16.16:38.117.18.131 8 items 0 bytes
> 172.16.16.16:66.111.39.210 114 items 1460 bytes
> 172.16.16.16:66.111.49.120 130 items 700 bytes
> 172.16.16.16:66.250.55.115 788 items 5916 bytes
> 172.16.16.16:66.250.55.116 40 items 518 bytes
> 172.16.16.16:66.250.55.117 32 items 192 bytes
> 172.16.16.16:66.250.55.118 219 items 1366 bytes
> 172.16.16.16:66.250.55.119 1761 items 7520 bytes
> 172.16.16.16:66.250.55.120 87 items 978 bytes
> 172.16.16.16:66.250.55.121 568 items 5754 bytes
> 172.16.16.16:66.250.55.122 70 items 142 bytes
> 172.16.16.16:66.28.209.100 327 items 1394 bytes
> 172.16.16.16:66.28.209.101 253 items 2424 bytes
> 172.16.16.16:66.28.209.102 245 items 960 bytes
> 172.16.16.16:66.28.209.105 390 items 1834 bytes
> 172.16.16.16:66.28.209.106 1558 items 1100 bytes
> 172.16.16.16:66.28.209.107 826 items 8650 bytes
> 172.16.16.16:66.28.209.109 11 items 114 bytes
> 172.16.16.16:66.28.209.11 54 items 584 bytes
> 172.16.16.16:66.28.209.110 900 items 6430 bytes
> 172.16.16.16:66.28.209.98 489 items 3464 bytes
> 172.16.16.16:66.28.209.99 442 items 4052 bytes
> 172.16.16.16:66.28.233.165 16 items 316 bytes
> 172.16.16.16:69.1.65.186 200 items 2064 bytes
> 172.16.16.16:69.1.65.187 303 items 1972 bytes
> 172.16.16.16:69.1.65.188 276 items 4266 bytes
> 172.16.16.16:69.1.65.189 538 items 3648 bytes
> 172.16.16.16:*** total *** 11697 items 75514 bytes
>
> [jeff@netsyslog jeff]$ grep 172\.16\.16\.16 utcpix.log|./proxysum 6394
> 172.16.16.16:195.24.138.125 4 items 0 bytes
> 172.16.16.16:209.61.131.147 2 items 0 bytes
> 172.16.16.16:216.64.225.99 415 items 4641 bytes
> 172.16.16.16:65.110.36.10 418 items 5052 bytes unknown.sagonet.net
> 172.16.16.16:65.110.36.40 428 items 5554 bytes unknown.sagonet.net
> 172.16.16.16:65.110.36.50 291 items 4549 bytes unknown.sagonet.net
> 172.16.16.16:65.110.41.180 421 items 5462 bytes unknown.sagonet.net
> 172.16.16.16:65.110.41.190 425 items 5270 bytes unknown.sagonet.net
> 172.16.16.16:65.110.41.200 414 items 5496 bytes unknown.sagonet.net
> 172.16.16.16:66.111.33.70 21 items 658 bytes www.celebsmoking.com
> 172.16.16.16:66.111.39.210 99 items 2909 bytes
> 172.16.16.16:66.111.49.120 78 items 2815 bytes
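A summariser in the spirit of the `proxysum` output above, as an added example that is not the poster's tool or any code from the original message. The `proxysum` script itself is not shown on the page, so this reimplements the idea from scratch: it parses constructed firewall connection log lines (the format is loosely modelled on Cisco PIX 302001 "Built" and 302002 "Teardown" connection messages, an assumption since the real `utcpix.log` lines are not shown), counts inbound connections and teardown bytes per source for one victim IP and proxy port, and then groups the sources by /24 to surface the "battery of hosts in the same netblock" pattern the post describes. The sample log, IPs and connection IDs are constructed for the example.

```python
"""proxysum-style summariser for firewall connection logs (added example)."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines, NOT from the original post. The message layout is an
# assumption loosely modelled on PIX 302001 (Built) / 302002 (Teardown) syslog.
SAMPLE_LOG = """\
Oct 16 2003 14:02:11 utcpix %PIX-6-302001: Built inbound TCP connection 101 for faddr 66.250.55.115/3001 gaddr 10.0.0.5/9813 laddr 172.16.16.16/9813
Oct 16 2003 14:02:41 utcpix %PIX-6-302002: Teardown TCP connection 101 faddr 66.250.55.115/3001 gaddr 10.0.0.5/9813 laddr 172.16.16.16/9813 duration 0:00:30 bytes 1460
Oct 16 2003 14:02:12 utcpix %PIX-6-302001: Built inbound TCP connection 102 for faddr 66.250.55.116/3002 gaddr 10.0.0.5/9813 laddr 172.16.16.16/9813
Oct 16 2003 14:02:42 utcpix %PIX-6-302002: Teardown TCP connection 102 faddr 66.250.55.116/3002 gaddr 10.0.0.5/9813 laddr 172.16.16.16/9813 duration 0:00:30 bytes 0
Oct 16 2003 14:02:13 utcpix %PIX-6-302001: Built inbound TCP connection 103 for faddr 66.250.55.117/3003 gaddr 10.0.0.5/9813 laddr 172.16.16.16/9813
Oct 16 2003 14:02:43 utcpix %PIX-6-302002: Teardown TCP connection 103 faddr 66.250.55.117/3003 gaddr 10.0.0.5/9813 laddr 172.16.16.16/9813 duration 0:00:30 bytes 96
Oct 16 2003 14:03:01 utcpix %PIX-6-302001: Built inbound TCP connection 104 for faddr 66.250.55.115/3004 gaddr 10.0.0.5/9813 laddr 172.16.16.16/9813
Oct 16 2003 14:03:31 utcpix %PIX-6-302002: Teardown TCP connection 104 faddr 66.250.55.115/3004 gaddr 10.0.0.5/9813 laddr 172.16.16.16/9813 duration 0:00:30 bytes 0
Oct 16 2003 14:03:05 utcpix %PIX-6-302001: Built inbound TCP connection 105 for faddr 66.111.39.210/4422 gaddr 10.0.0.5/9813 laddr 172.16.16.16/9813
Oct 16 2003 14:03:35 utcpix %PIX-6-302002: Teardown TCP connection 105 faddr 66.111.39.210/4422 gaddr 10.0.0.5/9813 laddr 172.16.16.16/9813 duration 0:00:30 bytes 45
Oct 16 2003 14:03:06 utcpix %PIX-6-302001: Built inbound TCP connection 106 for faddr 66.111.39.210/4423 gaddr 10.0.0.5/7512 laddr 172.16.16.16/7512
Oct 16 2003 14:03:36 utcpix %PIX-6-302002: Teardown TCP connection 106 faddr 66.111.39.210/4423 gaddr 10.0.0.5/7512 laddr 172.16.16.16/7512 duration 0:00:30 bytes 12
Oct 16 2003 14:03:07 utcpix %PIX-6-302001: Built outbound TCP connection 107 for faddr 203.0.113.9/80 gaddr 10.0.0.5/1044 laddr 172.16.16.16/1044
Oct 16 2003 14:03:40 utcpix %PIX-6-302002: Teardown TCP connection 999 faddr 203.0.113.9/80 gaddr 10.0.0.5/1050 laddr 172.16.16.16/1050 duration 0:00:01 bytes 7
"""

BUILT_RE = re.compile(
    r"302001: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) for "
    r"faddr (?P<faddr>[\d.]+)/(?P<fport>\d+) gaddr [\d.]+/\d+ "
    r"laddr (?P<laddr>[\d.]+)/(?P<lport>\d+)"
)
TEARDOWN_RE = re.compile(
    r"302002: Teardown TCP connection (?P<id>\d+) faddr (?P<faddr>[\d.]+)/\d+ "
    r"gaddr [\d.]+/\d+ laddr (?P<laddr>[\d.]+)/(?P<lport>\d+) "
    r"duration \S+ bytes (?P<bytes>\d+)"
)


def proxysum(log_text, victim, port):
    """Return {source_ip: (connections, bytes)} for inbound TCP to victim:port.

    Connections are counted from Built lines; bytes come from the matching
    Teardown line (joined on the connection id). Outbound connections, other
    ports and orphan teardowns are ignored.
    """
    open_conns = {}                       # connection id -> source IP
    summary = defaultdict(lambda: [0, 0])  # source IP -> [connections, bytes]
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            if m["dir"] == "inbound" and m["laddr"] == victim and int(m["lport"]) == port:
                open_conns[m["id"]] = m["faddr"]
                summary[m["faddr"]][0] += 1
            continue
        m = TEARDOWN_RE.search(line)
        if m and m["id"] in open_conns:
            summary[open_conns.pop(m["id"])][1] += int(m["bytes"])
    return {src: tuple(v) for src, v in summary.items()}


def totals(summary):
    """Sum (connections, bytes) over all sources, like the '*** total ***' line."""
    return (sum(c for c, _ in summary.values()), sum(b for _, b in summary.values()))


def netblock_batteries(summary, prefix=24, min_hosts=3):
    """Group sources by /prefix; return blocks with at least min_hosts distinct IPs."""
    blocks = defaultdict(set)
    for src in summary:
        blocks[ip_network(f"{src}/{prefix}", strict=False)].add(src)
    return {
        str(net): sorted(hosts, key=ip_address)
        for net, hosts in blocks.items()
        if len(hosts) >= min_hosts
    }


def report(summary, victim):
    """Render the summary in the same 'victim:source N items B bytes' layout."""
    lines = [f"{victim}:{src} {c} items {b} bytes"
             for src, (c, b) in sorted(summary.items(), key=lambda kv: ip_address(kv[0]))]
    c, b = totals(summary)
    lines.append(f"{victim}:*** total *** {c} items {b} bytes")
    return "\n".join(lines)


if __name__ == "__main__":
    s = proxysum(SAMPLE_LOG, "172.16.16.16", 9813)
    print(report(s, "172.16.16.16"))
    for net, hosts in netblock_batteries(s).items():
        print(f"battery: {net} -> {', '.join(hosts)}")
```

The byte totals stay small for the reason the post gives: the inbound leg completes, but the proxy's onward SYN is blocked and times out, so the teardown reports only the client's initial bytes. Joining Built and Teardown on the connection id is what makes that visible per source; counting only Built lines would hide it.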


