This is a followup to my post on Friday about strange port 80 probes.
On Mon, 2002-08-05 at 14:20, auscert_at_auscert.org.au wrote:
>
> Greetings Russell,
>
> The lists seem to agree that Frethem is the culprit. Our AusCERT Update
> on Frethem doesn't discuss the activity you mentioned unfortunately. We
> decided to push something ASAP and link to AV vendors that do have more
> info.
Yup, this has been confirmed by a full NAV sweep (its ID was
Frethem.K). Looks like the machine was infected before NAV had defs for
this variant -- the user found that the NAV setting for scheduling
automated scans had been disabled -- surprise!
NAI and Trend Micro seem to be the only AV vendors to describe the port
80 behaviour; the NAI reference *did* turn up in my initial Google
search for 'b.cgi', but I missed it because it was buried amongst a
whole lot of other pages where people were using a.cgi and b.cgi etc.
as example names. Sigh...
What is interesting is that the machine stopped scanning on its own at
4:30 the next morning after what looks like a successful download (argus
logs showed about 4KB downloaded; this may have been an elaborate 404 or
may be something more). I have tried to contact the site several times
since, but it isn't responding on port 80 now. I'm trying to figure out
what, if anything, it got (I've asked the owners to list all files
modified around the crucial time, but they can not find anything).
Both NAI and Trend suggest that the web behaviour is linked to some
affiliate scheme whereby the author will receive money from referrals to
a web site. I don't see how this can work:
1/ Most of the IP addresses I tried resolving were in blocks allocated
to cable or DSL ISPs.
2/ Most of the probes either timed out or received resets; about 1 in 50
got a response.
3/ Lastly, there is no referer information in the request.
My guess is that these machines are previously compromised systems and
that this could be a way of distributing updates or backdoors through
the network, or am I just being paranoid?
BTW I now have a snort rule to detect this activity -- I'll submit it to
the snort-sigs list when I have done some more testing on the tcpdump
file that I got when the machine was still probing.
--
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
"It ain't necessarily so" - Gershwin
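The three observations Russell lists (destinations in consumer cable/DSL blocks, roughly 1 in 50 probes answered, a GET for b.cgi carrying no Referer header) are exactly the features a flow-level detector would key on. The following is an added example, not Russell's Snort rule or anything from the AV write-ups: it runs over a handful of constructed flow records in a simplified argus-like shape (the `Flow` fields, the thresholds and the 203.0.113.x / 198.51.100.x addresses are all assumptions for the example) and flags an internal host that sweeps many port-80 targets, gets almost no responses, and requests /b.cgi without a Referer when it does.

```python
"""Flag Frethem-style outbound port-80 probing in flow records.

Added example; not code from the original post or from any AV vendor.
The record layout, thresholds and addresses below are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Flow:
    """One outbound TCP flow, roughly what an argus summary record carries (assumed layout)."""
    src: str
    dst: str
    dport: int
    state: str                     # "RST", "TIMEOUT" or "EST" (handshake completed)
    request: Optional[str] = None  # client payload, present only on established flows


def parse_request(payload: str) -> Tuple[Optional[str], Optional[str], bool]:
    """Return (method, path, has_referer) from a raw HTTP/1.x request."""
    lines = payload.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) < 2:
        return None, None, False
    headers = {}
    for line in lines[1:]:
        if not line:            # blank line ends the header block
            break
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], "referer" in headers


# Thresholds are assumptions chosen to match the behaviour described in the post.
MIN_TARGETS = 20            # distinct port-80 destinations before a host is "sweeping"
MAX_RESPONSE_RATIO = 0.10   # probes mostly time out or get resets (post: ~1 in 50 answered)
SUSPECT_PATH = "/b.cgi"     # path seen in the probes


def analyse(flows):
    """Summarise per-source port-80 behaviour and flag the probe pattern."""
    per_src = defaultdict(lambda: {"targets": set(), "attempts": 0,
                                   "established": 0, "suspect_requests": 0})
    for f in flows:
        if f.dport != 80:
            continue
        s = per_src[f.src]
        s["targets"].add(f.dst)
        s["attempts"] += 1
        if f.state == "EST":
            s["established"] += 1
            if f.request:
                method, path, has_referer = parse_request(f.request)
                if method == "GET" and path and path.endswith(SUSPECT_PATH) and not has_referer:
                    s["suspect_requests"] += 1

    report = {}
    for src, s in per_src.items():
        ratio = s["established"] / s["attempts"]
        flagged = (len(s["targets"]) >= MIN_TARGETS
                   and ratio <= MAX_RESPONSE_RATIO
                   and s["suspect_requests"] > 0)
        report[src] = {"targets": len(s["targets"]), "response_ratio": round(ratio, 3),
                       "suspect_requests": s["suspect_requests"], "flagged": flagged}
    return report


def constructed_flows():
    """Constructed sample: one sweeping host and one ordinary browsing host."""
    flows = []
    # 10.0.0.5 probes 50 addresses; 49 are dead, one answers and gets GET /b.cgi with no Referer.
    for i in range(49):
        flows.append(Flow("10.0.0.5", f"203.0.113.{i + 1}", 80, "RST" if i % 2 else "TIMEOUT"))
    flows.append(Flow("10.0.0.5", "203.0.113.50", 80, "EST",
                      "GET /b.cgi HTTP/1.0\r\nHost: 203.0.113.50\r\n\r\n"))
    # 10.0.0.7 browses normally: few destinations, every connection established, Referer present.
    for i in range(3):
        host = f"198.51.100.{i + 1}"
        flows.append(Flow("10.0.0.7", host, 80, "EST",
                          f"GET /index.html HTTP/1.1\r\nHost: {host}\r\n"
                          f"Referer: http://198.51.100.1/\r\n\r\n"))
    return flows


if __name__ == "__main__":
    for src, summary in analyse(constructed_flows()).items():
        print(src, summary)
```

The response-ratio test is what separates this from a busy but legitimate web client: a browser talking to many hosts completes nearly all of its handshakes, whereas a host walking through consumer address blocks mostly hits machines that are off or not serving on port 80. Pairing that with the missing Referer on the one request that did complete keeps the check from firing on ordinary traffic to any site that happens to host a b.cgi.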
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
Received on Aug 05 2002