World-wide distributed DoS and "warez" bot networks (fwd)

blitz blitz at macronet.net
Sat May 4 10:24:41 UTC 2002


From a forward to me on the DDoS stuff...this might shed some light on the 
DDoS problem, if not sorry for the bandwidth.

--------begin forward


>[Note: I just noticed last night, after giving a talk on this incident, that
>several threads on the SANS Unisog list going back as far as February 18,
>2002 have discussed this same botnet in generality and in some detail, so I
>can't claim to be the first to analyze this botnet.  That credit goes to
>Christopher E.  Cramer of Duke University.  (That's what I get for letting
>myself get so far behind on email, and for not studying all sources of
>information I had available to me when we first started seeing problems.
>Hopefully someone on the unisog list will cross-post to
>incidents at securityfocus.com when a widespread incident like this pops up
>next time. ;)
>
>The Unisog threads can be found here:
>
>         http://staff.washington.edu/dittrich/misc/ddos/unisog-xdcc.txt
>
>Since all this work was already done, I'll still post what I have assembled
>with the assistance of Mike Hornung and Alexander Howard at the UW, in hopes
>I'm adding something new in the way of tools and techniques (see my
>CanSecWest talk slides referenced at bottom) that will help speed up
>response the next time one of these massive botnets is assembled using
>compromised computers.]
>
>
>Summary
>=======
>
>Over the months of March through late April of 2002, the University of
>Washington has seen multiple incidents of distributed "warez" (pirated
>software) and denial of service (DDoS) attacks, coming from Windows 2000 and
>NT systems.  These systems all have several things in
>common:
>
>         o They appeared to be found with no password on the
>           Administrator account, and control taken over.
>
>         o They had various IRC bots installed on them, including
>           knight.exe, GTbot, and X-DCC (a distributed "warez"
>           serving bot.)
>
>         o They had the ServUFTP daemon running on them for incoming
>           file transfer (to load the "warez".)
>
>         o They had Firedaemon (a program that registers programs for
>           execution to serve incoming connections, similar to the Unix
>           "inetd" daemon.)
>
>Details
>=======
>
>Forensic analysis of hard drive contents and IRC traffic has revealed the
>methods and signatures of the malware installed on the compromised systems.
>To date we are not 100% sure of exactly how the initial backdoor
>installation occurs, but it appears to involve remote shell access (via
>telnetd).  Whatever it is, the next step is to transfer a script onto the
>system and run it to bootstrap the rest of the installation of backdoors,
>bots, FTP server, and other support programs, the modification of
>directory/file permissions and attributes to hide files, and changes to
>registry settings to make programs run at each boot.  On some systems, FTP is
>also used to later transfer files onto the compromised system.
>
>The script does the following:
>
>o Creates a directory under the C:\RECYCLER directory, and marks
>   it hidden and system directory.
>
>o Kills any previously running instances of itself.
>
>o Installs Firedaemon, and changes it (and other support programs)
>   to be system/hidden.
>
>o Uses tftp to download IRC bot configuration files from a temporary
>   cache (on another compromised system)
>
>o Does a "net user administrator changem" and deletes the
>   ipc$ file share.
>
>o Starts the Firedaemon and registers services named "Ms32dll",
>   "SVHOST" and "MSVC5"
>
>o Creates a file to set the following Registry settings, then
>   runs "regedit" on this file:
>
>         [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\]
>                 "restrictanonymous"="1"
>         [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelnetServer\1.0\]
>                 "NTLM"="2"
>
>o Cleans up some files, and stops and deletes the following
>   services: "tlntsvr" and "PSEXESVC"
>
>o (Re)Starts the following services: "lmhosts" and "NtLmSsp"
>
>
>  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>user_nick [XDCC]XXXX-649
>slotsmax 20
>loginname XXXXX
>filedir C:\RECYCLER\S-1-5-21-2686636377-1107193052-384560437-1000
>uploaddir C:\RECYCLER\S-1-5-21-2686636377-1107193052-384560437-1000
>xdccfile c:\winnt\system32\vmn32\asp\mybot.xdcc
>pidfile c:\winnt\system32\vmn32\asp\mybot.pid
>server irc.XXXXXX.net 6667
>server irc.XXXXXX.net 7000
>server XXXX.XXXXX.net 6667
>server XXXX.XXXXX.net 7000
>server XXX.XXX.XX.XXX 6667
>logrotate weekly
>messagefile c:\winnt\system32\vmn32\asp\mybot.msg
>ignorefile c:\winnt\system32\vmn32\asp\mybot.ignl
>channel #XDCC -plist 15
>user_realname XDCC
>user_modes +i
>virthost no
>vhost_ip virtip.domain.com
>firewall no
>dccrangestart 4000
>queuesize 20
>slotsmaxpack 0
>slotsmaxslots 5
>slotsmaxqueue 10
>maxtransfersperperson 1
>maxqueueditemsperperson 1
>restrictlist yes
>restrictsend yes
>overallminspeed 5.0
>transfermaxspeed 0
>overallmaxspeed 2000
>overallmaxspeeddayspeed 0
>overallmaxspeeddaytime 9 17
>overallmaxspeeddaydays MTWRF
>debug no
>autosend no
>autoword bleh
>automsg bleh
>autopack 1
>xdccautosavetime 15
>creditline ^2Brought to you by #XDCC^2
>adminpass Xv8h8aXknm8J5z
>adminhost *!*@*.XXXXXX.net
>adminhost *!*@*.cia.gov
>uploadallowed no
>uploadmaxsize 900
>=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
>
>A search of Google for the terms "+X-DCC +XDCC +bot" comes up with several
>hits, including the following list of the top IRC networks. The X-DCC/XDCC
>related channels (including channels found on many of the compromised
>systems at the UW) were the majority of the top channels on this site:
>
>         http://62.27.120.133/networks/chanlist.shtml
>
>The signature of these particular bots can be identified by the string
>":Total Offered:" (the amount of disc space used for "warez" on the system,
>to be served by the bot):
>
>  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>T 2002/04/18 08:30:18.768002 10.1.1.1:6667 -> 192.168.2.2:3852 [AP]
>   :[f0]-XDCC230!~accute at foo-0000000.bar.asu.edu PRIVMSG #XXXXXXXXXX
>   :.**. .Brought to you by #XXXXXXXXXXXXX. .**...:[f0]-XDCC230!~accute@
>   foo-0000000.bar.asu.edu PRIVMSG #XXXXXXXXX :.**. .Brought to you by #X
>   XXXXXXXXXXXX. .**...
>
>T 2002/04/18 08:30:20.452092 217.199.39.139:7000 -> 128.208.113.130:1031
>[AP]
>   :[f0]-XDCC230!~accute at foo-0000000.bar.asu.edu PRIVMSG #XXXXXXXXXX
>   :Total Offered: 1223.5 MB  Total Transferred: 419.19 MB..:[f0]-XDCC230
>   !~accute at foo-0000000.bar.asu.edu PRIVMSG #XXXXXXXXX :Total Offered: 1
>   223.5 MB  Total Transferred: 419.19 MB..:[f0]-XDCC230!~accute at foo-000
>   0000.bar.asu.edu PRIVMSG #XXXXXXXXX :Total Offered: 1223.5 MB  Tota
>   l Transferred: 419.19 MB..
>=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
>
>Using this information, a capture of all IRC traffic across the border of
>the network was performed and a script written ("findoffer") to parse and
>summarize the totals.  Sampling IRC traffic to/from a set of 9 compromised
>systems (tcpdump filter "tcp port 6667 and tcp port 7000"), and using
>"findoffer", as many as 419 bots in 22 IRC channels, serving a total of
>556.18 GB (yes, over half a Terabyte!!! and that is just from bots in some
>of the X-DCC channels, not all of them.)
>
>[Note that IRC can be run over any port besides just 6667/tcp and 7000/tcp,
>so I expect that these bots will likely move off of public servers to rogue
>servers on compromised systems, and to use ports other than the standard
>6666/tcp - 7000/tcp.]
>
>In addition to file sharing, many (all?) of these systems were at least
>capable, if not actually used for, distributed denial of service (DDoS)
>attacks.  Dozens of attacks have been attributed to the same group who
>installed these warez bots.  Here is one such use:
>
>  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>T 2002/03/27 02:28:31.434846 192.168.0.220:6667 -> 10.0.0.1:3164 [AP]
>   :ns.example.net 404 KNIGHT77tdtR #doschan :Cannot send t
>   o channel..:badd_kittycatN0yb!~moonglow at dc00.foonet.gatech.edu PRIVM
>   SG #doschan :[login accepted]..
>
>T 2002/03/27 02:28:31.986647 192.168.0.220:6667 -> 10.0.0.1:3164 [AP]
>   :ns.example.net 404 KNIGHT77tdtR #doschan :Cannot send t
>   o channel..:badd_kittycatN0yb!~moonglow at d000.foonet.gatech.edu PRIVM
>   SG #doschan :[packeting 192.168.32.94 at 64000kb/s 10000000 times]..
>   :vodkidWT!~zoolander at grd0000.foo.uiuc.edu PRIVMSG #doschan :[packet
>   ing 192.168.32.94 at 64000kb/s 10000000 times]..
>
>   . . .
>
>T 2002/03/27 05:25:31.491814 192.168.0.220:6667 -> 10.0.0.1:3164 [AP]
>   :foobar!foo at staff.botnet.net PRIVMSG #doschan :.run c:\w
>   innt\system32\temp.exe..:XXXXXXXXXXZ2vco!~XXXXXX at A000000.N0.Vanderbilt
>   .Edu PRIVMSG #doschan :[running c:\winnt\system32\temp.exe]..
>
>T 2002/03/27 05:25:31.493483 10.0.0.1:3164 -> 192.168.0.220:6667 [AP]
>   PRIVMSG #doschan :[running c:\winnt\system32\temp.exe]..
>=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
>
>Two DDoS bots have been seen in use in conjunction with this activity:
>"knight.exe" and "GTbot". ("knight.exe" is the Unix "knight.c" program,
>compiled with the Cygwin development libraries.)  These programs are
>described here:
>
>         http://www.cert.org/archive/pdf/DoS_trends.pdf
>         http://bots.lockdowncorp.com/gtbot.html
>
>The UDP traffic (seen by "tcpdump") during a GTbot attack shows some unusual
>packets:
>
>  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>1017207252.687968 192.168.32.126.1646 > 10.203.32.94.37046:  rad-#43 837 [id
>32 ] Attr[  Acct_out_octets{length 30 != 4} ARAP_zone_acces{length 46 != 4}
>NAS_id{  +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH} Acct_out_packets{length
>41 != 4} ARAP _challenge_resp{302B202B202B4154}|radius}
>ARAP_challenge_resp{302B202B202B4154}|
>radius} ARAP_challenge_resp{302B202B202B4154}|radius}
>ARAP_challenge_resp{302B20 2B202B4154}|radius}
>ARAP_challenge_resp{302B202B202B4154}|radius} ARAP_challenge
>_resp{302B202B202B4154}|radius}
>ARAP_challenge_resp{302B202B202B4154}|radius} AR
>AP_challenge_resp{302B202B202B4154}|radius}
>ARAP_challenge_resp{302B202B202B4154
>}|radius} [|radius]
>. . .
>1017207256.282173 192.168.32.126.1645 > 10.203.32.94.24413:  rad-#64 440 [id
>64 ] Attr[  Tunnel_type{length 62 != 4} Tunnel_type{length 62 != 4}
>Tunnel_type{len gth 62 != 4} Tunnel_type{length 62 != 4} Tunnel_type{length
>62 != 4} Tunnel_type {length 62 != 4} [|radius]
>=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
>
>Seen by "ngrep", there is a strange kind of UDP flood:
>
>  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>U 2002/03/26 21:34:16.284428 192.168.32.126:2892 -> 10.203.32.94:19192
>   + + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +AT
>   H0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +
>   ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ +
>    +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+
>    + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH
>   0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +A
>   TH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ +
>   +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+
>   + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0
>   + + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +AT
>   H0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +
>   ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0
>
>U 2002/03/26 21:34:16.284790 192.168.32.126:3099 -> 10.203.32.94:61749
>   @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>   @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>   @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>   @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>   @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>   @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>   @@@@@@@@@@@@@@@@@@@@
>
>U 2002/03/26 21:34:16.285599 192.168.32.126:2767 -> 10.203.32.94:44393
>   !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!
>   ^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%
>   !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!
>   ^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%
>   !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!
>   ^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%
>   !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!
>   ^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%
>   !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!
>   ^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%
>   !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!
>   ^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%
>   !@#%!^@)
>
>U 2002/03/26 21:34:16.286329 192.168.32.126:4403 -> 10.203.32.94:56289
>   !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!
>   ^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%
>   !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!
>   ^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%
>   !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!
>   ^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%
>   !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!
>   ^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%
>   !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!
>   ^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%
>   !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!
>   ^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%
>   !@#%!^@)
>
>U 2002/03/26 21:34:16.287070 192.168.32.126:4008 -> 10.203.32.94:39934
>   + + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +AT
>   H0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +
>   ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ +
>    +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+
>    + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH
>   0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +A
>   TH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ +
>   +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+
>   + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0
>   + + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +AT
>   H0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +
>   ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0
>=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
>
>Apparent IRC traffic confirms there is a DDoS bot on this system:
>
>  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>T 2002/03/26 21:36:43.468911 192.168.32.126:1135 -> 10.76.175.220:7666 [AP]
>   PRIVMSG #doschan :.S.ending [.64,000.kb] of Data to (10.203.32.94).
>=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
>
>Seen by "tcpdump", one of the attack methods of this tool uses IP protocol
>255 (listed as "Reserved" by IANA).  These attacks use both large packets
>(requiring fragmentation) and small packets.  [Note: Network monitoring
>tools that only log TCP, UDP, and ICMP protocols will not see this attack
>traffic at all.]
>
>  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>Fri Mar 22 20:54:59 2002
>1016859299.879744 192.168.0.1 > 10.209.12.152:  ip-proto-255 1480 (frag
>37686:1480 at 0+) 1016859299.879745 192.168.0.1 > 10.209.12.152: (frag
>37686:20 at 1480) 1016859299.881140 192.168.0.1 > 10.209.12.152:  ip-proto-255
>1480 (frag 37687:1480 at 0+) 1016859299.881141 192.168.0.1 > 10.209.12.152:
>(frag 37687:20 at 1480) 1016859299.882465 192.168.0.1 > 10.209.12.152:
>ip-proto-255 1480 (frag 37688:1480 at 0+) 1016859299.882465 192.168.0.1 >
>10.209.12.152: (frag 37688:20 at 1480) 1016859299.883866 192.168.0.1 >
>10.209.12.152:  ip-proto-255 1480 (frag 37689:1480 at 0+)
>
>
>Sat Mar 23 13:13:25 2002
>1016918005.627814 192.168.0.1 > 10.99.102.100:  ip-proto-255 52
>1016918005.627905 192.168.0.1 > 10.99.102.100:  ip-proto-255 52
>1016918005.627986 192.168.0.1 > 10.99.102.100:  ip-proto-255 52
>1016918005.628120 192.168.0.1 > 10.99.102.100:  ip-proto-255 52
>1016918005.628180 192.168.0.1 > 10.99.102.100:  ip-proto-255 52
>1016918005.628282 192.168.0.1 > 10.99.102.100:  ip-proto-255 52
>1016918005.628342 192.168.0.1 > 10.99.102.100:  ip-proto-255 52
>1016918005.628448 192.168.0.1 > 10.99.102.100:  ip-proto-255 52
>=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
>
>Seen with Foundstone's "FPort" program, the program showed the following
>open port:
>
>  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>FPort v1.33 - TCP/IP Process to Port Mapper
>Copyright 2000 by Foundstone, Inc.
>http://www.foundstone.com
>
>Pid   Process            Port  Proto Path
>2     System         ->  80    TCP
>187   inetinfo       ->  80    TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
>2     System         ->  113   TCP
>191   temp           ->  113   TCP   C:\WINNT\System32\temp.exe
>94    RpcSs          ->  135   TCP   C:\WINNT\system32\RpcSs.exe
>2     System         ->  135   TCP
>2     System         ->  139   TCP
>2     System         ->  443   TCP
>187   inetinfo       ->  443   TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
>191   temp           ->  1035  TCP   C:\WINNT\System32\temp.exe
>187   inetinfo       ->  1036  TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
>187   inetinfo       ->  1037  TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
>187   inetinfo       ->  2962  TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
>191   temp           ->  9000  TCP   C:\WINNT\System32\temp.exe
>2     System         ->  135   UDP
>2     System         ->  137   UDP
>2     System         ->  138   UDP
>  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
>More information on this botnet, and references to the tools used to analyze
>it, were presented at CanSecWest Core02 in Vancouver, BC on May 2.  The
>slides and references to the tools that were used can be found at the
>following location:
>
>         http://staff.washington.edu/dittrich/talks/core02/
>
>An example report produced by "findoffer" can be found at:
>
>         http://staff.washington.edu/dittrich/misc/ddos/xdcc-report.txt
>
>This report has been anonymized, since some of the hosts are voluntarily
>serving files (these networks are NOT exclusively compromised hosts running
>bots.) Use this script ONLY to identify hosts on your network, and make sure
>you follow all applicable privacy laws and policies of your organization
>regarding logging of IRC traffic.
>
>--
>Dave Dittrich                           Computing & Communications
>dittrich at cac.washington.edu             University Computing Services
>http://staff.washington.edu/dittrich    University of Washington
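A "findoffer"-style summarizer, added here as an illustration and not the script Dittrich links above: it parses ngrep-style IRC capture text for the ":Total Offered:" advertisement, rejoins ngrep's wrapped payload lines, and tallies bots, channels and space offered per channel. The capture, hostmasks and channel names are constructed, and the " at " spelling of "@" mirrors the archive's address rewriting seen in the quoted captures.

```python
"""Findoffer-style tally of X-DCC ':Total Offered:' advertisements found in
ngrep-style IRC capture text (added example, not Dittrich's own script)."""
import re

# Constructed sample (made-up hosts, nicks, channels). One hostmask has the
# " at " the archive wrote for "@"; record 3 holds two ads, one wrapped mid-nick.
SAMPLE_CAPTURE = """\
T 2002/04/18 08:30:20.452092 10.1.1.1:7000 -> 192.168.2.2:1031 [AP]
   :[f0]-XDCC230!~accute@foo-0000000.bar.asu.edu PRIVMSG #warezchan
   :Total Offered: 1223.5 MB  Total Transferred: 419.19 MB..
T 2002/04/18 08:31:02.110001 10.1.1.1:6667 -> 192.168.2.3:3852 [AP]
   :[f1]-XDCC001!~bob at host.example.edu PRIVMSG #warezchan :Total Off
   ered: 2.5 GB  Total Transferred: 0.0 MB..
T 2002/04/18 08:31:05.000000 10.1.1.1:6667 -> 192.168.2.4:1040 [AP]
   :[f0]-XDCC230!~accute@foo-0000000.bar.asu.edu PRIVMSG #warezchan
   :Total Offered: 1223.5 MB  Total Transferred: 420.00 MB..:[f2]-XDCC7
   77!~c@c.example.net PRIVMSG #otherchan :Total Offered: 512 MB  Tota
   l Transferred: 12 MB..
"""

HEADER_RE = re.compile(r"^[TUI] \d{4}/\d\d/\d\d \d\d:\d\d:\d\d")
# One ad ":nick!user@host PRIVMSG #chan :Total Offered: N MB"; whitespace is
# optional wherever a line wrap or the indentation strip may have removed it.
AD_RE = re.compile(
    r":(?P<nick>[^!\s:]+)!~?(?P<user>[^@\s]+?)(?:@| at )(?P<host>\S+?)\s*"
    r"PRIVMSG\s*(?P<chan>#\S+?)\s*:\s*Total\s*Offered:\s*"
    r"(?P<size>[\d.]+)\s*(?P<unit>[KMGT]?B)", re.IGNORECASE)
TO_MB = {"KB": 1 / 1024, "MB": 1.0, "GB": 1024.0, "TB": 1024.0 ** 2}

def split_packets(text):
    """Yield (header, payload) per ngrep record; wrapped payload lines are
    re-joined with no separator because ngrep wraps even inside a token."""
    header, chunks = None, []
    for line in text.splitlines():
        if HEADER_RE.match(line):
            if header is not None:
                yield header, "".join(chunks)
            header, chunks = line, []
        elif header is not None and line.strip():
            chunks.append(line.lstrip())  # drop ngrep's payload indentation
    if header is not None:
        yield header, "".join(chunks)

def find_offers(capture_text):
    """Map (nick, host) -> (channel, offered MB); re-advertisements overwrite
    the same key, so a bot repeating its ad every few minutes counts once."""
    bots = {}
    for _header, payload in split_packets(capture_text):
        for m in AD_RE.finditer(payload):
            mb = float(m["size"]) * TO_MB[m["unit"].upper()]
            bots[(m["nick"], m["host"])] = (m["chan"].lower(), round(mb, 2))
    return bots

def summarize(bots):
    """Totals in the shape the post reports: bots, channels, space offered."""
    per_channel = {}
    for chan, mb in bots.values():
        per_channel[chan] = round(per_channel.get(chan, 0.0) + mb, 2)
    total_mb = round(sum(per_channel.values()), 2)
    return {"bots": len(bots), "channels": len(per_channel), "total_mb": total_mb,
            "total_gb": round(total_mb / 1024, 2), "per_channel": per_channel}
```

Feed it the output of an ngrep run on your own border traffic (the post used ports 6667 and 7000) and the host field of each key is the machine to go look at.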




More information about the NANOG mailing list