Network Security
SANS FLASH: New Trojan Sending Data To Russia
- From: Dan Zegarac
- Date: Mon Jul 31 10:45:33 2000
>Delivered-To: zegarac@home.merit.edu
>Delivered-To: zegarac@merit.edu
>Date: Fri, 28 Jul 2000 16:40:41 -0600 (MDT)
>From: The SANS Institute <sans@sans.org>
>Subject: SANS FLASH: New Trojan Sending Data To Russia
>To: Dan Zegarac <zegarac@merit.edu>
>
>SANS Flash Report: Trojans Sending More Data To Russia
>July 28, 2000, 6:20 pm, EDT
>
>This is preliminary information. The GIAC (Global Incident
>Analysis Center) has received several submissions showing large
>amounts of data being sent, illegitimately, from Windows 98
>machines to a Russian IP address (194.87.6.X). The cause is most
>probably a Trojan, but whatever it is, it is moving fast.
>
>What should you do?
>
>1. All sites should block network traffic from or to 194.87.6.X
>2. If you see outgoing traffic from one of your machines to that
>address, you should pull it from the network until anti-virus
>signatures are available.
>
>This activity has been going on for a few days, but the
>correlations are just coming in. If you have information to
>share, please send it to intrusion@sans.org.
>
>The remainder of this message is fairly technical and meant to
>help system administrators and firewall administrators protect
>their systems.
>
>Thank you!
>
>Stephen Northcutt, Director Global Incident Analysis Center
>The SANS Institute
>
>> From SANS GIAC Report 00/07/28
>> (dhoelzer)
>> This one came in at about 20:16 on July 26. The 194.87.6.201
>> machine, interestingly enough, resolves back to .ru. There is
>> no other traffic to or from this network (194.87.6.X) for the
>> last two months of live data that I have online. It's hard to
>> make a guess on this one. Perhaps the machine that recorded
>> this is on a proxy list somewhere, but then, this machine is a
>> brand new honeypot on an IP address that hasn't been populated
>> for at least 7 years, and has never been used as a proxy server.
>> If this is just a random stab, it's interesting that there is
>> no record of any network mapping from this network/host.
>> Perhaps there was some coordinated mapping here, or perhaps
>> there is someone out there who has mapped us already who was
>> willing to share (or moved to a new network).
>>
>> bash# cat 8080
>> Initializing server socket...Binding to port 8080...Done.
>> Starting listener...Listening.
>> Connection from: 194.87.6.201
>> 0| 47 45 54 20 68 74 74 70 3a 2f 2f 77 77 77 2e 63
>> 16| 6f 6d 6d 69 73 73 69 6f 6e 2d 6a 75 6e 63 74 69
>> 32| 6f 6e 2e 63 6f 6d 2f 20 48 54 54 50 2f 31 2e 31
>> 48| 0d 0a 48 6f 73 74 3a 20 77 77 77 2e 63 6f 6d 6d
>> 64| 69 73 73 69 6f 6e 2d 6a 75 6e 63 74 69 6f 6e 2e
>> 80| 63 6f 6d 0d 0a 41 63 63 65 70 74 3a 20 2a 2f 2a
>> 96| 0d 0a 50 72 61 67 6d 61 3a 20 6e 6f 2d 63 61 63
>> 112| 68 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20
>> +-------------------------------------------------
>> 0| G E T h t t p : / / w w w . c
>> 16| o m m i s s i o n - j u n c t i
>> 32| o n . c o m / H T T P / 1 . 1
>> 48| . . H o s t : w w w . c o m m
>> 64| i s s i o n - j u n c t i o n .
>> 80| c o m . . A c c e p t : * / *
>> 96| . . P r a g m a : n o - c a c
>> 112| h e . . U s e r - A g e n t :
>> 128| M o z i l l a / 4 . 0 ( c o m
>> 144| p a t i b l e ; M S I E 4 .
>> 160| 0 1 ; W i n d o w s 9 8 ) .
>> 176| . . .
>> +-------------------------------------------------
>> 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
>> Connection Terminated
>> bash# nslookup 194.87.6.201
>> Server: midgaard.smsc.com
>> Address: 170.129.53.52
>> Name: 201.6.87.194.dynamic.dol.ru
>> Address: 194.87.6.201
>
>+++
>Correlation to Laurie's post to GIAC Report 00/07/28,
>(http://www.sans.org/y2k/072800.htm):
>
>> (Laurie@.edu)
>>
>> =-=-=-=-=-=-=-=-=-=-=
>>
>> 194.87.6.201 == 201.6.87.194.dynamic.dol.ru
>>
>> RU-DEMOS-940901
>>
>> Included this because of the Russian source address.
>>
>> Jul 26 22:26:23 hostka snort[20224]: MISC-WinGate-8080-Attempt: 194.87.6.201:3344 -> a.b.c.32:8080
>
>HTTP and WinGate connection attempts from the same `dynamic.dol.ru' domain:
>
>Name: 27.6.87.194.dynamic.dol.ru
>Address: 194.87.6.27
>
>Jul 27 19:30:08 foo /kernel: Connection attempt to TCP a.b.c.8:80 from 194.87.6.27:4156
>
>Name: 147.6.87.194.dynamic.dol.ru
>Address: 194.87.6.147
>
>[**] WinGate 8080 Attempt [**]
>07/24-23:04:39.418351 194.87.6.147:3185 -> a.b.c.8:8080
>TCP TTL:120 TOS:0x0 ID:12966 DF
>**S***** Seq: 0x540140 Ack: 0x0 Win: 0x2000
>TCP Options => MSS: 536 NOP NOP SackOK
>
>[**] WinGate 8080 Attempt [**]
>07/24-23:04:40.502718 194.87.6.147:3185 -> a.b.c.8:8080
>TCP TTL:120 TOS:0x0 ID:17318 DF
>**S***** Seq: 0x540140 Ack: 0x0 Win: 0x2000
>TCP Options => MSS: 536 NOP NOP SackOK
>
>[**] WinGate 8080 Attempt [**]
>07/24-23:04:41.521379 194.87.6.147:3185 -> a.b.c.8:8080
>TCP TTL:120 TOS:0x0 ID:27302 DF
>**S***** Seq: 0x540140 Ack: 0x0 Win: 0x2000
>TCP Options => MSS: 536 NOP NOP SackOK
>
>
>The system trace below was recorded by a ConSeal firewall:
>2000/07/27 9:15:19 PM GMT -0400: NDC 10/100 Fast E..[0001][No matching rule] Blocking outgoing TCP: src=24.114.my.ip, dst=194.87.6.27, sport=8080, dport=2418.
>2000/07/27 9:15:22 PM GMT -0400: NDC 10/100 Fast E..[0001][Ref# 181] Blocking incoming connection attempt: src=194.87.6.27, local port 8080.
>
>
>
Dan Zegarac                     | Title: Internet Consultant
Merit Network, Inc.             | E-mail: zegarac@merit.edu
4251 Plymouth Road, Suite 2000  | Phone: (734) 936-0304
Ann Arbor, MI 48105-2785        | Fax: (734) 647-3185
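The following Python script is an added example and is not part of the SANS/GIAC message or of Dan Zegarac's post. It does two things a responder working this report would want: it reassembles the hex rows of the port-8080 honeypot capture quoted above into the raw HTTP request and parses it, showing that the request line carries an absolute URI ("GET http://www.commission-junction.com/ HTTP/1.1"), which is the form a client sends to an HTTP proxy rather than to an origin server and so fits the WinGate 8080 probes in the same report; and it scans log lines for any address inside 194.87.6.0/24, the "194.87.6.X" range the advisory asks sites to block. The hex rows are copied from the message; the log lines are constructed here, with the sanitised "a.b.c" targets replaced by private addresses.

```python
import ipaddress
import re

# Copy of the hex rows from the quoted port-8080 listener capture. The
# message prints hex only for these rows; the rest of the User-Agent value
# appears there only in the ASCII column, so the request is truncated here.
HEX_DUMP = """\
0| 47 45 54 20 68 74 74 70 3a 2f 2f 77 77 77 2e 63
16| 6f 6d 6d 69 73 73 69 6f 6e 2d 6a 75 6e 63 74 69
32| 6f 6e 2e 63 6f 6d 2f 20 48 54 54 50 2f 31 2e 31
48| 0d 0a 48 6f 73 74 3a 20 77 77 77 2e 63 6f 6d 6d
64| 69 73 73 69 6f 6e 2d 6a 75 6e 63 74 69 6f 6e 2e
80| 63 6f 6d 0d 0a 41 63 63 65 70 74 3a 20 2a 2f 2a
96| 0d 0a 50 72 61 67 6d 61 3a 20 6e 6f 2d 63 61 63
112| 68 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20
"""


def decode_hex_dump(dump: str) -> bytes:
    """Reassemble 'offset| b0 b1 ... b15' rows into the raw bytes they show."""
    out = bytearray()
    for line in dump.splitlines():
        offset, sep, hexpart = line.partition("|")
        if not sep or not offset.strip().isdigit():
            continue  # skip ruler, column-index and blank rows
        if int(offset.strip()) != len(out):
            raise ValueError(f"row offset {offset.strip()} does not follow {len(out)}")
        out += bytes.fromhex(hexpart.replace(" ", ""))
    return bytes(out)


def parse_http_request(raw: bytes) -> dict:
    """Split a captured request into its request line and headers.

    A request target that is an absolute URI ("GET http://host/ ...") is what
    a client sends to an HTTP proxy, not to an origin server, so the capture
    is flagged as proxy-style. A truncated trailing header keeps an empty value.
    """
    lines = raw.decode("ascii", errors="replace").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for hdr in lines[1:]:
        name, sep, value = hdr.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {
        "method": method,
        "target": target,
        "version": version,
        "headers": headers,
        "proxy_style": target.lower().startswith(("http://", "https://")),
    }


# "194.87.6.X" in the advisory, expressed as a network.
BLOCKED_NET = ipaddress.ip_network("194.87.6.0/24")

# Constructed log lines modelled on the snort and kernel entries quoted
# above; the sanitised a.b.c targets are replaced by private addresses.
SAMPLE_LOGS = [
    "Jul 26 22:26:23 hostka snort[20224]: MISC-WinGate-8080-Attempt: 194.87.6.201:3344 -> 10.0.0.32:8080",
    "Jul 27 19:30:08 foo /kernel: Connection attempt to TCP 10.0.0.8:80 from 194.87.6.27:4156",
    "Jul 27 19:31:00 foo /kernel: Connection attempt to TCP 10.0.0.8:80 from 192.0.2.55:4157",
]

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def addresses_in_block(line: str, net: ipaddress.IPv4Network = BLOCKED_NET) -> list:
    """Return every IPv4 address in a log line that falls inside the blocked range."""
    hits = []
    for match in IPV4.finditer(line):
        try:
            addr = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # e.g. a dotted quad with an octet above 255
        if addr in net:
            hits.append(str(addr))
    return hits


def flag_log_lines(lines: list) -> list:
    """Pair each log line that touches the blocked range with the addresses seen."""
    return [(line, addresses_in_block(line)) for line in lines if addresses_in_block(line)]


if __name__ == "__main__":
    request = parse_http_request(decode_hex_dump(HEX_DUMP))
    print("request line:", request["method"], request["target"], request["version"])
    print("proxy-style request:", request["proxy_style"])
    print("Host header:", request["headers"].get("host"))
    for line, hits in flag_log_lines(SAMPLE_LOGS):
        print("BLOCKED RANGE", hits, "<-", line)
```

Run stand-alone, the script prints the decoded request line and Host header and then the two constructed log lines that involve the 194.87.6.0/24 range; the third line, from an unrelated address, is not reported. The ConSeal entries quoted above show the other side of the same picture: an outbound reply from local port 8080 to 194.87.6.27, which is what a host that has something listening on 8080 would produce when probed.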