|
Security Incidents
mailing list archives
RE: Help - a possible bot
From: "Dan Perez" <danperez () san rr com>
Date: Sat, 16 Nov 2002 00:33:48 -0800
You may want to try the recently released PortExplorer from
http://www.diamondcs.com.au/portexplorer/
You will likely need to get the registered version to be of any help in your
predicament but you can get an idea of what it can do from the demo
version.
An alternative would be the SysInternals utilities of TCPmon, Filemon, and
Regmon but with PortExplorer you can set it to "spy" on any socket and data
being sent and received. It separates the header info from the payload,
however, so if you need more Header info than the parsed details it provides
you would need to resort to winpcap and windump or snort.
Regards,
Dan Perez
-----Original Message-----
From: Moshe Aelion [mailto:ma0934 () hotmail com]
Sent: Friday, November 15, 2002 12:11 PM
To: incidents @ security focus
Subject: Help - a possible bot
Hi everybody
Two weeks ago, the NAT/ICMP computer on our LAN got compromised; the hacked
installed DameWare and was trying to work on the computer. It was discovered
within about 10 minutes. I then installed ZoneAlarm Pro.
The problem is, I am detecting a suspicious hit/respond activity, which, in
my opinion, points to an active bot. Here's the evidence: when inspecting ZA
logs, you can see a blocked scan (coming every couple of minutes, from
arbitrary addresses - I bet they're spoofed - and soon after, the computer
responds with a (blocked) attempt to communicated with that address. This
points to an active bot (in my opinion), since, although ZA claims it
blocked the incoming attempt, the computer immediately tries to respond -
therefore SOMETHING inside did get a message.
I did a lot of port blocking, foundation fport tracking, netstat -an, and
couldn't find anything extraordinary. I installed PestPatrol and Trojan
Remover, they discovered nothing. (Except fport which I used). The
"HKEY_localmachine_software...Microsoft\...currentversion\run" registry key
doesn't show anything suspicious.
I do notice, though, that svchost is unusually active - doing about 25k
read/write I/O per second, with nothing running.
I did a lot of port blocking and couldn't stop the hit/response phenomenon.
I also stopped several processes and services and the phenomenon didn't
stop.
I'm attaching here the ZA log. The incoming attempt and the response are
denoted with "<--".
I'm also attaching the netstat -an and fport scan outputs.
Thanking any assistance in advance
Moshe
========================== ZA log =======================
1 FWIN, 21:55:54, 66.139.182.144:1065, my.net.237.99:137,UDP <--
2 FWOUT, 21:55:56, my.net.237.99:1025, 66.139.182.144:137,UDP <--
3 FWIN, 21:58:18, 213.9.242.122:1029, my.net.237.99:137,UDP <--
4 FWOUT, 21:58:18, my.net.237.99:1025, 213.9.242.122:137,UDP <--
5 FWIN, 21:59:54, 192.168.0.5: 138, 192.168.0.255:138,UDP
6 FWIN, 22:00:38, 212.179.237.86:1026, my.net.237.99:137,UDP
7 FWIN, 22:00:38, 212.179.209.67: 0, my.net.237.99:0,ICMP
(type:8/subtype:0)
8 ACCESS,22:01:52,RuLaunch blocked from connecting to Internet
(216.49.88.100:HTTP)
9 FWIN, 22:02:04, 64.231.129.73:1030, my.net.237.99:137,UDP
10 FWIN, 22:02:44, 61.228.26.161:1027, my.net.237.99:137,UDP
11 FWIN, 22:02:56, 62.94.131.238:3375, my.net.237.99:6588,TCP (flags:S)
12 FWIN, 22:07:34, 200.76.64.2:62695, my.net.237.99:137,UDP <--
13 FWOUT, 22:07:40, my.net.237.99:1025, 200.76.64.2:137,UDP <--
14 ACCESS,22:07:52,RuLaunch blocked from connecting to Internet
(216.49.88.100:HTTP)
15 FWIN, 22:09:02, 200.67.76.211:1026, my.net.237.99:137,UDP
16 FWIN, 22:10:40,140.186.157.226:6522, my.net.237.99:137,UDP <--
17 FWOUT, 22:10:40, my.net.237.99:1025, 140.186.157.226:137,UDP <--
18 FWIN, 22:10:58, 12.22.205.3:10647, my.net.237.99:137,UDP <--
19 FWOUT, 22:10:58, my.net.237.99:1025, 12.22.205.3:137,UDP <--
20 FWIN, 22:11:46, 68.67.228.47:1132, my.net.237.99:137,UDP
21 ACCESS,22:11:54,RuLaunch blocked from connecting to Internet
(216.49.88.100:HTTP)
22 FWIN, 22:12:14, 200.75.14.169:1025, my.net.237.99:137,UDP <--
23 FWOUT, 22:12:16, my.net.237.99:1025, 200.75.14.169:137,UDP <--
24 FWIN, 22:12:20, 80.235.53.242:30150, my.net.237.99:137,UDP
25 FWIN, 22:13:44, 200.56.237.243:1026, my.net.237.99:137,UDP
26 FWIN, 22:13:52, 64.110.231.28:1025, my.net.237.99:137,UDP
27 ACCESS,22:13:54,RuLaunch blocked from connecting to Internet
(216.49.88.100:HTTP)
28 FWIN, 22:15:40, 200.63.158.210:1025, my.net.237.99:137,UDP
29 FWIN, 22:17:10, 203.99.155.122:1027, my.net.237.99:137,UDP
30 FWIN, 22:19:16, 166.114.241.42:1037, my.net.237.99:137,UDP <--
31 FWOUT, 22:19:16, my.net.237.99:1025, 166.114.241.42:137,UDP <--
32 FWIN, 22:21:28, 161.132.196.30:1027, my.net.237.99:137,UDP
33 ACCESS,22:21:54,RuLaunch blocked from connecting to Internet
(216.49.88.100:HTTP)
34 FWIN, 22:22:04, 209.86.1.157:1029, my.net.237.99:137,UDP
========================= end of ZA log ==================================
Note: the 10.0.0.1:3028 to 10.0.0.138:1723 link is the ADSL pptp.
========================= "netstat -an"
output==============================
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1723 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3006 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3028 0.0.0.0:0 LISTENING
TCP 10.0.0.1:3028 10.0.0.138:1723 ESTABLISHED
TCP 10.0.0.1:7732 0.0.0.0:0 LISTENING
TCP 192.168.0.1:139 0.0.0.0:0 LISTENING
TCP 192.168.0.1:3002 0.0.0.0:0 LISTENING
TCP 192.168.0.1:3003 0.0.0.0:0 LISTENING
TCP 192.168.0.1:3004 0.0.0.0:0 LISTENING
TCP 192.168.0.1:14810 0.0.0.0:0 LISTENING
TCP my.net.217.125:13145 0.0.0.0:0 LISTENING
UDP 0.0.0.0:135 *:*
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:1027 *:*
UDP 0.0.0.0:3001 *:*
UDP 0.0.0.0:3239 *:*
UDP 0.0.0.0:3240 *:*
UDP 10.0.0.1:500 *:*
UDP 10.0.0.1:6979 *:*
UDP 192.168.0.1:53 *:*
UDP 192.168.0.1:67 *:*
UDP 192.168.0.1:68 *:*
UDP 192.168.0.1:137 *:*
UDP 192.168.0.1:138 *:*
UDP 192.168.0.1:500 *:*
UDP 192.168.0.1:10900 *:*
UDP 192.168.0.1:17985 *:*
UDP 192.168.0.1:17987 *:*
UDP my.net.217.125:500 *:*
UDP my.net.217.125:9504 *:*
========================= end of "netstat -an" output
=========================
========================= "fport /p" output
==========================
FPort v1.33 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
Pid Process Port Proto Path
400 svchost -> 135 TCP C:\WINNT\system32\svchost.exe
8 System -> 139 TCP
8 System -> 445 TCP
516 MSTask -> 1025 TCP C:\WINNT\system32\MSTask.exe
8 System -> 1026 TCP
8 System -> 1723 TCP
612 vsmon -> 3002 TCP C:\WINNT\system32\ZoneLabs\vsmon.exe
472 svchost -> 3006 TCP C:\WINNT\System32\svchost.exe
8 System -> 3657 TCP
8 System -> 4629 TCP
8 System -> 4775 TCP
400 svchost -> 135 UDP C:\WINNT\system32\svchost.exe
8 System -> 137 UDP
8 System -> 138 UDP
8 System -> 445 UDP
228 lsass -> 500 UDP C:\WINNT\system32\lsass.exe
216 services -> 1027 UDP C:\WINNT\system32\services.exe
472 svchost -> 3001 UDP C:\WINNT\System32\svchost.exe
1276 RuLaunch -> 3167 UDP C:\Program Files\McAfee\McAfee Shared
Components\Instant Updater\RuLaunch.exe
612 vsmon -> 17985 UDP C:\WINNT\system32\ZoneLabs\vsmon.exe
612 vsmon -> 17987 UDP C:\WINNT\system32\ZoneLabs\vsmon.exe
========================= end of "fport /p" output
==========================
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
 By Date 
By Thread
Current thread:
|
Intro
