[nsp-sec] 598 Compromised hosts

Stephen Gill gillsr at cymru.com
Tue Jul 1 22:57:25 EDT 2008


> They are talking to 69.64.76.38 on tcp port 2008.
> That ip is listed here:
> http://www.emergingthreats.net/rules/emerging-botcc-BLOCK.rules
> alert ip $HOME_NET any -> [<SNIP long list of ips] any (msg:"ET DROP
> Known Bot C&C Traffic (group 15) - BLOCKING SOURCE";
> reference:url,www.shadowserver.org; threshold: type limit, track by_src,
> seconds 3600, count 1; classtype:trojan-activity; sid:2405014; rev:1211;
> fwsam: dst, 30 days;)

For 2008, we have the following samples headed that direction:

                   sha1                   |               md5                |   dst_ip    | dst_port | protocol
------------------------------------------+----------------------------------+-------------+----------+----------
 bdf725a8a5163f16299309cb03dfadf3384c8d86 | 2ff5cabc553762761d01269faabaa9c4 | 69.64.76.38 |     5478 |        6
 d3f7a7e0322e57ebb7149639396ce0fcbaa574cf | 504420e9a7b79a290e1280acc1213242 | 69.64.76.38 |     5478 |        6
 8092bb4593bb54d0c2d7246f9352133a6471458a | 674d4efe8777da249ed22d2128c491e3 | 69.64.76.38 |     5478 |        6
 d5aa92e57ee7e669a981a0a1e1c2e013da35e64b | 2b48e057ac56166a595d8a352da428c4 | 69.64.76.38 |     5478 |        6
 476672b30488b9a8cafbdbaf6edadc0cd57673c1 | b2c243866a491920eb815a37a8634fbd | 69.64.76.38 |     5478 |        6

Uses this RR:

 dlx0.servegame.org

> They are also talking to 189.17.122.195 on tcp 5555
> That ip also shows up in the emergingthreats rules with a pointer to
> shadowserver.org.
> I searched shadowserver.org for the ips and didn't get a match.

For 2008 we have the following samples headed that direction:

                   sha1                   |               md5                |     dst_ip     | dst_port | protocol
------------------------------------------+----------------------------------+----------------+----------+----------
 962e38900bfa43091a0fa308351aafb48f6386b6 | ec5ad9e314757f226571881429f84452 | 189.17.122.195 |     6969 |        6
 bd57df54bf38e18677fc9c2d47bebfeaebc73020 | d017f3a688afca703afa15adfbd092cd | 189.17.122.195 |     1868 |        6
 0e7f527c047775e620ce1a7d80b3a1b2fbab7a6c | c236a3020f5f5c46664f4ae9e37a6639 | 189.17.122.195 |     5555 |        6
 52e9de0176c23cddefff9800672a2d2514c2de21 | 4ccb9cb62d5f0f8db2f4d738713c2982 | 189.17.122.195 |     6969 |        6

Uses these RRs:

 irc.asikral.info m.bihsecurity.com xak.womeniser.info

More info available upon request!

Cheers,
-- steve

 
>> -----Original Message-----
>> From: nsp-security-bounces at puck.nether.net
>> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
>> Smith, Donald
>> Sent: Tuesday, July 01, 2008 3:31 PM
>> To: Nicholas Ianelli
>> Cc: nsp-security NSP
>> Subject: Re: [nsp-sec] 598 Compromised hosts
>> 
>> ----------- nsp-security Confidential --------
>> 
>> 
>> 
>> Security through obscurity WORKS against some worms and ssh attacks:)
>> Donald.Smith at qwest.com giac
>> 
>>> -----Original Message-----
>>> From: Nicholas Ianelli [mailto:ni at cert.org]
>>> Sent: Tuesday, July 01, 2008 3:06 PM
>>> To: Smith, Donald
>>> Cc: nsp-security NSP
>>> Subject: Re: [nsp-sec] 598 Compromised hosts
>>> 
>>> 
>>> 
>>> | :i use stacheldraht.
>>> | :mostly out of Solaris boxes
>>> | :shcrew kit and t0rnkit coded by me.
>>> |
>>> 
>>> |> shv5 and others in the family included synscan.
>>> |> Tornkit2 shared elements from ramen which used synscan.
>>> |> I was told that some versions of torn used synscan but I never saw
>>> |> one :(
>>> |
>>> |> Does he use psych0id, mixer, or pint as aliases?
>>> 
>>> I've only seen the following:
>>> 
>>> KH4ALED
>>> Danny-Boy
>>> brzi
>>> SDK
>>> 
>>> I highly doubt he's the author of any of those. I'd chalk it up to
>>> talking trash. Though he may have made "custom" mods (take that for
>>> whatever it's worth).
>>> 
>>> What I'd like to know is the OSes of the compromised hosts; if they are
>>> Solaris boxes, he may have some power. I've sent emails to a few South
>>> American contacts (thanks Guilherme), I'm hoping for some data points.
>>> 
>>> Any ideas on the three below?
>> 
>> Three dynamic DSL IP addresses in Phoenix, KC and Portland.
>> Our DSL dynamic IP address space is not a good place to run services.
>> The IPs change too frequently.
>> 
>> None of them appear to be running well known services (ssh, telnet or
>> http) on standard ports.
>> I will go look at netflow but I would bet nearly anything these are not
>> Solaris systems.
>> I am running a report now to see what is in netflow for those systems
>> but this is beginning to look like a false positive.
>> 
>> 
>>> 
>>> | |
>>> | | The ASN - IP mapping can be found here:
>>> | |
>>> | | https://asn.cymru.com/nsp-sec/upload/1214882891.whois.txt
>>> 
>>> | |
>>> | | 209     | 63.229.83.8      | ASN-QWEST - Qwest
>>> | | 209     | 70.56.99.180     | ASN-QWEST - Qwest
>>> | | 209     | 71.34.70.112     | ASN-QWEST - Qwest
>>> 
>>> Nick
>>> 
>> 
>> 
>> 
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>> 
>> Please do not Forward, CC, or BCC this E-mail outside of the
>> nsp-security
>> community. Confidentiality is essential for effective
>> Internet security counter-measures.
>> _______________________________________________
>> 
>> 

-- 
Stephen Gill, Chief Scientist, Team Cymru
http://www.cymru.com | +1 312 924 4023 | gillsr at cymru.com
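An added triage helper (example code, not from the thread or from Team Cymru) for the check the thread performs by hand: parse a rule in the ET botcc BLOCK format quoted above, match flow records against its destination list, and annotate each hit with the sample hashes known to contact that destination and whether the observed port matches what the samples used (the 2008 vs 5478 discrepancy above). The rule's IP list, the telemetry rows and the flow records are constructed; the two hashes are copied from the tables above.

```python
import re
from collections import defaultdict

# Constructed rule in the emerging-botcc BLOCK format quoted in the thread; the
# bracketed IP list is a placeholder holding only the two addresses discussed.
BOTCC_RULE = (
    'alert ip $HOME_NET any -> [69.64.76.38,189.17.122.195] any '
    '(msg:"ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE"; '
    'classtype:trojan-activity; sid:2405014; rev:1211;)'
)
# Constructed sample telemetry rows: (sha1, dst_ip, dst_port, protocol).
SAMPLES = [
    ("bdf725a8a5163f16299309cb03dfadf3384c8d86", "69.64.76.38", 5478, 6),
    ("0e7f527c047775e620ce1a7d80b3a1b2fbab7a6c", "189.17.122.195", 5555, 6),
]
# Constructed flow records to triage: (src_ip, dst_ip, dst_port, protocol).
FLOWS = [
    ("10.0.0.5", "69.64.76.38", 2008, 6),
    ("10.0.0.7", "189.17.122.195", 5555, 6),
    ("10.0.0.9", "192.0.2.10", 80, 6),
]

def parse_botcc_rule(rule):
    """Return the sid and the set of destination IPs from a botcc BLOCK rule."""
    dests = re.search(r"->\s*\[([^\]]+)\]", rule)
    sid = re.search(r"\bsid:(\d+)", rule)
    if not (dests and sid):
        raise ValueError("rule is not in the expected botcc BLOCK format")
    return {"sid": int(sid.group(1)),
            "dests": {ip.strip() for ip in dests.group(1).split(",")}}

def triage_flows(flows, rule, samples):
    """One hit per flow whose destination is a listed C&C, annotated with the
    samples known to contact that IP and whether they used the same port."""
    by_dst = defaultdict(list)
    for sha1, dst, port, proto in samples:
        by_dst[dst].append((sha1, port, proto))
    hits = []
    for src, dst, port, proto in flows:
        if dst not in rule["dests"]:
            continue
        known = by_dst.get(dst, [])
        hits.append({
            "src": src, "dst": dst, "port": port, "sid": rule["sid"],
            "samples": [s for s, _, _ in known],
            # A port no sample used (2008 vs 5478 above) deserves a second look.
            "port_seen_in_samples": any(p == port and pr == proto for _, p, pr in known),
        })
    return hits
```

Run `triage_flows(FLOWS, parse_botcc_rule(BOTCC_RULE), SAMPLES)` to get the two hits; the third flow is not in the list and is skipped.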