World-wide distributed DoS and "warez" bot networks (fwd)
blitz
blitz at macronet.net
Sat May 4 10:24:41 UTC 2002
From a forward to me on the DDoS stuff... this might shed some light on the
DDoS problem; if not, sorry for the bandwidth.
--------begin forward
>[Note: I just noticed last night, after giving a talk on this incident, that
>several threads on the SANS Unisog list going back as far as February 18,
>2002 have discussed this same botnet in generality and in some detail, so I
>can't claim to be the first to analyze this botnet. That credit goes to
>Christopher E. Cramer of Duke University. (That's what I get for letting
>myself get so far behind on email, and for not studying all sources of
>information I had available to me when we first started seeing problems.
>Hopefully someone on the unisog list will cross-post to
>incidents at securityfocus.com when a widespread incident like this pops up
>next time. ;)
>
>The Unisog threads can be found here:
>
> http://staff.washington.edu/dittrich/misc/ddos/unisog-xdcc.txt
>
>Since all this work was already done, I'll still post what I have assembled
>with the assistance of Mike Hornung and Alexander Howard at the UW, in hopes
>I'm adding something new in the way of tools and techniques (see my
>CanSecWest talk slides referenced at bottom) that will help speed up
>response the next time one of these massive botnets is assembled using
>compromised computers.]
>
>
>Summary
>=======
>
>Over the months of March through late April of 2002, the University of
>Washington has seen multiple incidents of distributed "warez" (pirated
>software) and denial of service (DDoS) attacks, coming from Windows 2000 and
>NT systems. These systems all have several things in
>common:
>
> o They appeared to be found with no password on the
> Administrator account, and control taken over.
>
> o They had various IRC bots installed on them, including
> knight.exe, GTbot, and X-DCC (a distributed "warez"
> serving bot.)
>
> o They had the ServUFTP daemon running on them for incoming
> file transfer (to load the "warez".)
>
> o They had Firedaemon (a program that registers programs for
> execution to serve incoming connections, similar to the Unix
> "inetd" daemon.)
>
>Details
>=======
>
>Forensic analysis of hard drive contents and IRC traffic has revealed the
>methods and signatures of the malware installed on the compromised systems.
>To date we are not 100% sure of exactly how the initial backdoor
>installation occurs, but it appears to involve remote shell access (via
>telnetd). Whatever it is, the next step is to transfer a script onto the
>system and run it to bootstrap the rest of the installation of backdoors,
>bots, FTP server, and other support programs, the modification of
>directory/file permissions and attributes to hide files, and changes to
>registry settings to make programs run at each boot. On some systems, FTP is
>also used to later transfer files onto the compromised system.
>
>The script does the following:
>
>o Creates a directory under the C:\RECYCLER directory, and marks
> it hidden and system directory.
>
>o Kills any previously running instances of itself.
>
>o Installs Firedaemon, and changes it (and other support programs)
> to be system/hidden.
>
>o Uses tftp to download IRC bot configuration files from a temporary
> cache (on another compromised system)
>
>o Does a "net user administrator changem" and deletes the
> ipc$ file share.
>
>o Starts the Firedaemon and registers services named "Ms32dll",
> "SVHOST" and "MSVC5"
>
>o Creates a file to set the following Registry settings, then
> runs "regedit" on this file:
>
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\]
> "restrictanonymous"="1"
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelnetServer\1.0\]
> "NTLM"="2"
>
>o Cleans up some files, and stops and deletes the following
> services: "tlntsvr" and "PSEXESVC"
>
>o (Re)Starts the following services: "lmhosts" and "NtLmSsp"
>
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>user_nick [XDCC]XXXX-649
>slotsmax 20
>loginname XXXXX
>filedir C:\RECYCLER\S-1-5-21-2686636377-1107193052-384560437-1000
>uploaddir C:\RECYCLER\S-1-5-21-2686636377-1107193052-384560437-1000
>xdccfile c:\winnt\system32\vmn32\asp\mybot.xdcc
>pidfile c:\winnt\system32\vmn32\asp\mybot.pid
>server irc.XXXXXX.net 6667
>server irc.XXXXXX.net 7000
>server XXXX.XXXXX.net 6667
>server XXXX.XXXXX.net 7000
>server XXX.XXX.XX.XXX 6667
>logrotate weekly
>messagefile c:\winnt\system32\vmn32\asp\mybot.msg
>ignorefile c:\winnt\system32\vmn32\asp\mybot.ignl
>channel #XDCC -plist 15
>user_realname XDCC
>user_modes +i
>virthost no
>vhost_ip virtip.domain.com
>firewall no
>dccrangestart 4000
>queuesize 20
>slotsmaxpack 0
>slotsmaxslots 5
>slotsmaxqueue 10
>maxtransfersperperson 1
>maxqueueditemsperperson 1
>restrictlist yes
>restrictsend yes
>overallminspeed 5.0
>transfermaxspeed 0
>overallmaxspeed 2000
>overallmaxspeeddayspeed 0
>overallmaxspeeddaytime 9 17
>overallmaxspeeddaydays MTWRF
>debug no
>autosend no
>autoword bleh
>automsg bleh
>autopack 1
>xdccautosavetime 15
>creditline ^2Brought to you by #XDCC^2
>adminpass Xv8h8aXknm8J5z
>adminhost *!*@*.XXXXXX.net
>adminhost *!*@*.cia.gov
>uploadallowed no
>uploadmaxsize 900
>=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
>
>A search of Google for the terms "+X-DCC +XDCC +bot" comes up with several
>hits, including the following list of the top IRC networks. The X-DCC/XDCC
>related channels (including channels found on many of the compromised
>systems at the UW) were the majority of the top channels on this site:
>
> http://62.27.120.133/networks/chanlist.shtml
>
>The signature of these particular bots can be identified by the string
>":Total Offered:" (the amount of disc space used for "warez" on the system,
>to be served by the bot):
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>T 2002/04/18 08:30:18.768002 10.1.1.1:6667 -> 192.168.2.2:3852 [AP]
> :[f0]-XDCC230!~accute@foo-0000000.bar.asu.edu PRIVMSG #XXXXXXXXXX
> :.**. .Brought to you by #XXXXXXXXXXXXX. .**...:[f0]-XDCC230!~accute@
> foo-0000000.bar.asu.edu PRIVMSG #XXXXXXXXX :.**. .Brought to you by #X
> XXXXXXXXXXXX. .**...
>
>T 2002/04/18 08:30:20.452092 217.199.39.139:7000 -> 128.208.113.130:1031
>[AP]
> :[f0]-XDCC230!~accute@foo-0000000.bar.asu.edu PRIVMSG #XXXXXXXXXX
> :Total Offered: 1223.5 MB Total Transferred: 419.19 MB..:[f0]-XDCC230
> !~accute@foo-0000000.bar.asu.edu PRIVMSG #XXXXXXXXX :Total Offered: 1
> 223.5 MB Total Transferred: 419.19 MB..:[f0]-XDCC230!~accute@foo-000
> 0000.bar.asu.edu PRIVMSG #XXXXXXXXX :Total Offered: 1223.5 MB Tota
> l Transferred: 419.19 MB..
>=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
>
>Using this information, a capture of all IRC traffic across the border of
>the network was performed and a script written ("findoffer") to parse and
>summarize the totals. Sampling IRC traffic to/from a set of 9 compromised
>systems (tcpdump filter "tcp port 6667 and tcp port 7000"), and using
>"findoffer", as many as 419 bots in 22 IRC channels were seen, serving a
>total of 556.18 GB (yes, over half a Terabyte!!! and that is just from bots
>in some of the X-DCC channels, not all of them.)
>
>[Note that IRC can be run over any port besides just 6667/tcp and 7000/tcp,
>so I expect that these bots will likely move off of public servers to rogue
>servers on compromised systems, and to use ports other than the standard
>6666/tcp - 7000/tcp.]
>
>In addition to file sharing, many (all?) of these systems were at least
>capable, if not actually used for, distributed denial of service (DDoS)
>attacks. Dozens of attacks have been attributed to the same group who
>installed these warez bots. Here is one such use:
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>T 2002/03/27 02:28:31.434846 192.168.0.220:6667 -> 10.0.0.1:3164 [AP]
> :ns.example.net 404 KNIGHT77tdtR #doschan :Cannot send t
> o channel..:badd_kittycatN0yb!~moonglow@dc00.foonet.gatech.edu PRIVM
> SG #doschan :[login accepted]..
>
>T 2002/03/27 02:28:31.986647 192.168.0.220:6667 -> 10.0.0.1:3164 [AP]
> :ns.example.net 404 KNIGHT77tdtR #doschan :Cannot send t
> o channel..:badd_kittycatN0yb!~moonglow@d000.foonet.gatech.edu PRIVM
> SG #doschan :[packeting 192.168.32.94 at 64000kb/s 10000000 times]..
> :vodkidWT!~zoolander@grd0000.foo.uiuc.edu PRIVMSG #doschan :[packet
> ing 192.168.32.94 at 64000kb/s 10000000 times]..
>
> . . .
>
>T 2002/03/27 05:25:31.491814 192.168.0.220:6667 -> 10.0.0.1:3164 [AP]
> :foobar!foo@staff.botnet.net PRIVMSG #doschan :.run c:\w
> innt\system32\temp.exe..:XXXXXXXXXXZ2vco!~XXXXXX@A000000.N0.Vanderbilt
> .Edu PRIVMSG #doschan :[running c:\winnt\system32\temp.exe]..
>
>T 2002/03/27 05:25:31.493483 10.0.0.1:3164 -> 192.168.0.220:6667 [AP]
> PRIVMSG #doschan :[running c:\winnt\system32\temp.exe]..
>=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
>
>Two DDoS bots have been seen in use in conjunction with this activity:
>"knight.exe" and "GTbot". ("knight.exe" is the Unix "knight.c" program,
>compiled with the Cygwin development libraries.) These programs are
>described here:
>
> http://www.cert.org/archive/pdf/DoS_trends.pdf
> http://bots.lockdowncorp.com/gtbot.html
>
>The UDP traffic (seen by "tcpdump") during a GTbot attack shows some unusual
>packets:
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>1017207252.687968 192.168.32.126.1646 > 10.203.32.94.37046: rad-#43 837 [id 32 ] Attr[ Acct_out_octets{length 30 != 4} ARAP_zone_acces{length 46 != 4} NAS_id{ +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH} Acct_out_packets{length 41 != 4} ARAP_challenge_resp{302B202B202B4154}|radius} ARAP_challenge_resp{302B202B202B4154}|radius} ARAP_challenge_resp{302B202B202B4154}|radius} ARAP_challenge_resp{302B202B202B4154}|radius} ARAP_challenge_resp{302B202B202B4154}|radius} ARAP_challenge_resp{302B202B202B4154}|radius} ARAP_challenge_resp{302B202B202B4154}|radius} ARAP_challenge_resp{302B202B202B4154}|radius} ARAP_challenge_resp{302B202B202B4154}|radius} [|radius]
>. . .
>1017207256.282173 192.168.32.126.1645 > 10.203.32.94.24413: rad-#64 440 [id 64 ] Attr[ Tunnel_type{length 62 != 4} Tunnel_type{length 62 != 4} Tunnel_type{length 62 != 4} Tunnel_type{length 62 != 4} Tunnel_type{length 62 != 4} Tunnel_type{length 62 != 4} [|radius]
>=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
>
>Seen by "ngrep", there is a strange kind of UDP flood:
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>U 2002/03/26 21:34:16.284428 192.168.32.126:2892 -> 10.203.32.94:19192
> + + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +AT
> H0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +
> ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ +
> +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+
> + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH
> 0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +A
> TH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ +
> +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+
> + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0
> + + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +AT
> H0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +
> ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0
>
>U 2002/03/26 21:34:16.284790 192.168.32.126:3099 -> 10.203.32.94:61749
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @@@@@@@@@@@@@@@@@@@@
>
>U 2002/03/26 21:34:16.285599 192.168.32.126:2767 -> 10.203.32.94:44393
> !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!
> ^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%
> !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!
> ^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%
> !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!
> ^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%
> !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!
> ^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%
> !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!
> ^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%
> !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!
> ^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%
> !@#%!^@)
>
>U 2002/03/26 21:34:16.286329 192.168.32.126:4403 -> 10.203.32.94:56289
> !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!
> ^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%
> !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!
> ^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%
> !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!
> ^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%
> !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!
> ^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%
> !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!
> ^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%
> !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!
> ^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%
> !@#%!^@)
>
>U 2002/03/26 21:34:16.287070 192.168.32.126:4008 -> 10.203.32.94:39934
> + + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +AT
> H0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +
> ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ +
> +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+
> + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH
> 0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +A
> TH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ +
> +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+
> + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0
> + + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +AT
> H0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +
> ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0
>=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
>
>Apparent IRC traffic confirms there is a DDoS bot on this system:
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>T 2002/03/26 21:36:43.468911 192.168.32.126:1135 -> 10.76.175.220:7666 [AP]
> PRIVMSG #doschan :.S.ending [.64,000.kb] of Data to (10.203.32.94).
>=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
>
>Seen by "tcpdump", one of the attack methods of this tool uses IP protocol
>255 (listed as "Reserved" by IANA). These attacks use both large packets
>(requiring fragmentation) and small packets. [Note: Network monitoring
>tools that only log TCP, UDP, and ICMP protocols will not see this attack
>traffic at all.]
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>Fri Mar 22 20:54:59 2002
>1016859299.879744 192.168.0.1 > 10.209.12.152: ip-proto-255 1480 (frag 37686:1480@0+)
>1016859299.879745 192.168.0.1 > 10.209.12.152: (frag 37686:20@1480)
>1016859299.881140 192.168.0.1 > 10.209.12.152: ip-proto-255 1480 (frag 37687:1480@0+)
>1016859299.881141 192.168.0.1 > 10.209.12.152: (frag 37687:20@1480)
>1016859299.882465 192.168.0.1 > 10.209.12.152: ip-proto-255 1480 (frag 37688:1480@0+)
>1016859299.882465 192.168.0.1 > 10.209.12.152: (frag 37688:20@1480)
>1016859299.883866 192.168.0.1 > 10.209.12.152: ip-proto-255 1480 (frag 37689:1480@0+)
>
>
>Sat Mar 23 13:13:25 2002
>1016918005.627814 192.168.0.1 > 10.99.102.100: ip-proto-255 52
>1016918005.627905 192.168.0.1 > 10.99.102.100: ip-proto-255 52
>1016918005.627986 192.168.0.1 > 10.99.102.100: ip-proto-255 52
>1016918005.628120 192.168.0.1 > 10.99.102.100: ip-proto-255 52
>1016918005.628180 192.168.0.1 > 10.99.102.100: ip-proto-255 52
>1016918005.628282 192.168.0.1 > 10.99.102.100: ip-proto-255 52
>1016918005.628342 192.168.0.1 > 10.99.102.100: ip-proto-255 52
>1016918005.628448 192.168.0.1 > 10.99.102.100: ip-proto-255 52
>=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
>
>Foundstone's "FPort" program showed the following open ports on the
>compromised system:
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>FPort v1.33 - TCP/IP Process to Port Mapper
>Copyright 2000 by Foundstone, Inc.
>http://www.foundstone.com
>
>Pid  Process         Port  Proto Path
>2    System     ->   80    TCP
>187  inetinfo   ->   80    TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
>2    System     ->   113   TCP
>191  temp       ->   113   TCP   C:\WINNT\System32\temp.exe
>94   RpcSs      ->   135   TCP   C:\WINNT\system32\RpcSs.exe
>2    System     ->   135   TCP
>2    System     ->   139   TCP
>2    System     ->   443   TCP
>187  inetinfo   ->   443   TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
>191  temp       ->   1035  TCP   C:\WINNT\System32\temp.exe
>187  inetinfo   ->   1036  TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
>187  inetinfo   ->   1037  TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
>187  inetinfo   ->   2962  TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
>191  temp       ->   9000  TCP   C:\WINNT\System32\temp.exe
>2    System     ->   135   UDP
>2    System     ->   137   UDP
>2    System     ->   138   UDP
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
>More information on this botnet, and references to the tools used to analyze
>it, were presented at CanSecWest Core02 in Vancouver, BC on May 2. The
>slides and references to the tools that were used can be found at the
>following location:
>
> http://staff.washington.edu/dittrich/talks/core02/
>
>An example report produced by "findoffer" can be found at:
>
> http://staff.washington.edu/dittrich/misc/ddos/xdcc-report.txt
>
>This report has been anonymized, since some of the hosts are voluntarily
>serving files (these networks are NOT exclusively compromised hosts running
>bots.) Use this script ONLY to identify hosts on your network, and make sure
>you follow all applicable privacy laws and policies of your organization
>regarding logging of IRC traffic.
>
>--
>Dave Dittrich Computing & Communications
>dittrich at cac.washington.edu University Computing Services
>http://staff.washington.edu/dittrich University of Washington
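The forwarded post describes a "findoffer" script that parses captured IRC traffic for the ":Total Offered:" advertisement string and summarizes bots per channel, and a separate #doschan capture where DDoS bots echo "[packeting ...]" and "[running ...]" acknowledgements. The script below is an added illustration of that detection approach written for this page, not Dave Dittrich's findoffer; it reads the ":nick!user@host PRIVMSG #chan :text" payload lines of an ngrep-style capture, keeps the latest "Total Offered" figure per bot so repeated advertisements are not double-counted, and flags the DDoS-bot control strings. The sample capture, host names and channel names are constructed.

```python
"""findoffer-style summary of XDCC bot advertisements and DDoS-bot chatter.

Added example, not the "findoffer" script from the post. Input is the
payload text of IRC PRIVMSG records as ngrep prints them; lines that are
not PRIVMSGs (e.g. numeric replies such as "404 ... Cannot send to channel")
are ignored.
"""
import re
from collections import defaultdict

PRIVMSG_RE = re.compile(
    r":(?P<nick>[^!\s]+)!(?P<user>[^@\s]+)@(?P<host>\S+)\s+PRIVMSG\s+"
    r"(?P<chan>#\S+)\s+:(?P<text>.*)")
OFFER_RE = re.compile(r"Total Offered:\s*([\d.]+)\s*MB")
# Control/ack strings the knight and GTbot clients in the post emit on their
# channel; their presence on a host's IRC session is the indicator, not proof.
DDOS_MARKERS = ("[packeting ", "[running ", ".run ", "of Data to (")

# Constructed sample capture (not real traffic); hosts/channels are made up.
SAMPLE_CAPTURE = [
    ":[f0]-XDCC230!~accute@host-a.example.edu PRIVMSG #xdcc-ch :Total Offered: 1223.5 MB Total Transferred: 419.19 MB",
    ":[f0]-XDCC230!~accute@host-a.example.edu PRIVMSG #xdcc-ch :Total Offered: 1223.5 MB Total Transferred: 420.00 MB",
    ":[XDCC]XXXX-649!~xdcc@host-b.example.edu PRIVMSG #xdcc-ch :Total Offered: 824.5 MB Total Transferred: 10.0 MB",
    ":[XDCC]XXXX-649!~xdcc@host-b.example.edu PRIVMSG #xdcc-ch :** Brought to you by #xdcc-ch **",
    ":badd_kittycatN0yb!~moonglow@host-c.example.edu PRIVMSG #doschan :[packeting 192.0.2.94 at 64000kb/s 10000000 times]",
    ":foobar!foo@staff.example.net PRIVMSG #doschan :.run c:\\winnt\\system32\\temp.exe",
    ":ns.example.net 404 KNIGHT77tdtR #doschan :Cannot send to channel",
]


def parse_privmsg(line):
    """Return nick/user/host/chan/text for one PRIVMSG record, or None."""
    m = PRIVMSG_RE.search(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Per-channel report: distinct bots, total offered GB, DDoS-bot events."""
    offered = defaultdict(dict)   # chan -> {(nick, host): latest offered MB}
    ddos = defaultdict(list)      # chan -> [(nick, text)]
    for line in lines:
        msg = parse_privmsg(line)
        if msg is None:
            continue
        m = OFFER_RE.search(msg["text"])
        if m:
            # Bots re-advertise periodically (the post shows the same message
            # three times in one record); keep the latest figure per bot.
            offered[msg["chan"]][(msg["nick"], msg["host"])] = float(m.group(1))
        elif any(mark in msg["text"] for mark in DDOS_MARKERS):
            ddos[msg["chan"]].append((msg["nick"], msg["text"]))
    report = {}
    for chan in set(offered) | set(ddos):
        report[chan] = {
            "bots": sorted(offered[chan]),
            "offered_gb": round(sum(offered[chan].values()) / 1024, 2),
            "ddos_events": ddos[chan],
        }
    return report


if __name__ == "__main__":
    for chan, info in sorted(summarize(SAMPLE_CAPTURE).items()):
        print(f"{chan}: {len(info['bots'])} bots, {info['offered_gb']} GB offered, "
              f"{len(info['ddos_events'])} DDoS-bot events")
```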
More information about the NANOG mailing list