BadBlood              27374/tcp  #[trojan] Bad Blood
EGO                   27374/tcp  #[trojan] EGO
FakeSubSeven          27374/tcp  #[trojan] Fake SubSeven
Lion                  27374/tcp  #[trojan] Lion
Ramen                 27374/tcp  #[trojan] Ramen
Seeker                27374/tcp  #[trojan] Seeker
Subseven2.1.4DefCon8  27374/tcp  #[trojan] Subseven 2.1.4 DefCon 8
SubSeven2.1Gold       27374/tcp  #[trojan] SubSeven 2.1 Gold
SubSeven2.2           27374/tcp  #[trojan] SubSeven 2.2
SubSevenMuie          27374/tcp  #[trojan] SubSeven Muie
SubSeven              27374/tcp  #[trojan] SubSeven
TheSaint              27374/tcp  #[trojan] The Saint
Ttfloader             27374/tcp  #[trojan] Ttfloader
Webhead               27374/tcp  #[trojan] Webhead
When a host is compromised, the ramen toolkit is automatically copied to the compromised host, installed in "/usr/src/.poop", and started. The ramen toolkit is controlled by a series of shell scripts that make modifications to the compromised system and initiate attacks on other systems. Several notable system modifications are made in sequence after ramen is started.
<snip>
For systems with '/etc/inetd.conf', an intruder-supplied program is added as '/sbin/asp'. A service named 'asp' is added to '/etc/inetd.conf' and inetd is sent a signal to reload the configuration file. This causes inetd to listen on TCP port 27374 for incoming connections.
<snip>
For systems without '/etc/inetd.conf', an intruder-supplied program is added as '/usr/sbin/asp'. A service named 'asp' is added to '/etc/xinetd.d' and xinetd is sent a signal to reload its configuration. This causes xinetd to listen on TCP port 27374 for incoming connections.
<snip>
snort packet dump:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/01-21:30:33.668485 63.104.113.85:1784 -> 12.82.133.52:27374
TCP TTL:115 TOS:0x0 ID:34220 IpLen:20 DgmLen:48 DF
******S* Seq: 0x3F12A9DE  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1360 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/01-21:30:36.618772 63.104.113.85:1784 -> 12.82.133.52:27374
TCP TTL:115 TOS:0x0 ID:34278 IpLen:20 DgmLen:48 DF
******S* Seq: 0x3F12A9DE  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1360 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/01-21:30:42.639390 63.104.113.85:1784 -> 12.82.133.52:27374
TCP TTL:115 TOS:0x0 ID:34402 IpLen:20 DgmLen:48 DF
******S* Seq: 0x3F12A9DE  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1360 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

ipchains:
Mar 1 21:30:33 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 63.104.113.85:1784 12.82.133.52:27374 L=48 S=0x00 I=34220 F=0x4000 T=115 SYN (#64)
Mar 1 21:30:36 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 63.104.113.85:1784 12.82.133.52:27374 L=48 S=0x00 I=34278 F=0x4000 T=115 SYN (#64)
Mar 1 21:30:42 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 63.104.113.85:1784 12.82.133.52:27374 L=48 S=0x00 I=34402 F=0x4000 T=115 SYN (#64)

p0f:
Fri Mar 1 21:30:33 2002 63.104.113.85: UNKNOWN [8760:115:1360:1:-1:1:1:48].
  63.104.113.85:1784 -> 12.82.133.52:27374
Fri Mar 1 21:30:36 2002 63.104.113.85: UNKNOWN [8760:115:1360:1:-1:1:1:48].
  63.104.113.85:1784 -> 12.82.133.52:27374
Fri Mar 1 21:30:42 2002 63.104.113.85: UNKNOWN [8760:115:1360:1:-1:1:1:48].
  63.104.113.85:1784 -> 12.82.133.52:27374

whois:
BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman

UUNET Technologies, Inc. (NETBLK-UUNET63)
  UUNET63            63.64.0.0 - 63.127.255.255
RTL Systems Inc (NETBLK-UU-63-104-113)
  UU-63-104-113      63.104.113.0 - 63.104.113.255

RTL Systems Inc (NETBLK-UU-63-104-113)
   1046 East Commercial
   Lowell, IN 46356
   US

   Netname: UU-63-104-113
   Netblock: 63.104.113.0 - 63.104.113.255
   Maintainer: RTLS

   Coordinator:
      Felder, Tom  (TF242-ARIN)  felder@xvi.net
      219-696-4984

   Record last updated on 31-May-2000.
   Database last updated on 1-Mar-2002 19:57:27 EDT.

host:
[toot@sparky /home/www/html/sys_docs/snort]# host 66.186.213.43
43.213.186.66.in-addr.arpa. domain name pointer NODE-43.HOSTING-NETWORK.COM.

http to 63.104.113.85: "Could not connect to remote server"
snort packet dump:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/01-22:02:12.414480 68.41.113.212:3968 -> 12.82.140.53:27374
TCP TTL:115 TOS:0x0 ID:5854 IpLen:20 DgmLen:48 DF
******S* Seq: 0x2FCA561  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/01-22:02:15.434798 68.41.113.212:3968 -> 12.82.140.53:27374
TCP TTL:115 TOS:0x0 ID:21726 IpLen:20 DgmLen:48 DF
******S* Seq: 0x2FCA561  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/01-22:02:21.535513 68.41.113.212:3968 -> 12.82.140.53:27374
TCP TTL:115 TOS:0x0 ID:60638 IpLen:20 DgmLen:48 DF
******S* Seq: 0x2FCA561  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/01-22:02:33.766764 68.41.113.212:3968 -> 12.82.140.53:27374
TCP TTL:115 TOS:0x0 ID:2272 IpLen:20 DgmLen:48 DF
******S* Seq: 0x2FCA561  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

ipchains:
Mar 1 22:02:12 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 68.41.113.212:3968 12.82.140.53:27374 L=48 S=0x00 I=5854 F=0x4000 T=115 SYN (#64)
Mar 1 22:02:15 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 68.41.113.212:3968 12.82.140.53:27374 L=48 S=0x00 I=21726 F=0x4000 T=115 SYN (#64)
Mar 1 22:02:21 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 68.41.113.212:3968 12.82.140.53:27374 L=48 S=0x00 I=60638 F=0x4000 T=115 SYN (#64)
Mar 1 22:02:33 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 68.41.113.212:3968 12.82.140.53:27374 L=48 S=0x00 I=2272 F=0x4000 T=115 SYN (#64)

p0f:
Fri Mar 1 22:02:12 2002 68.41.113.212: UNKNOWN [8192:115:1460:1:49:1:1:48].
  68.41.113.212:3968 -> 12.82.140.53:27374
Fri Mar 1 22:02:15 2002 68.41.113.212: UNKNOWN [8192:115:1460:1:49:1:1:48].
  68.41.113.212:3968 -> 12.82.140.53:27374
Fri Mar 1 22:02:21 2002 68.41.113.212: UNKNOWN [8192:115:1460:1:49:1:1:48].
  68.41.113.212:3968 -> 12.82.140.53:27374
Fri Mar 1 22:02:33 2002 68.41.113.212: UNKNOWN [8192:115:1460:1:49:1:1:48].
  68.41.113.212:3968 -> 12.82.140.53:27374

whois:
BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman

Request: 68.41.113.212
connecting to whois.arin.net [192.149.252.22:43] ...

Comcast Cable Communications, Inc. (NETBLK-JUMPSTART-1)
  JUMPSTART-1                 68.32.0.0 - 68.63.255.255
Comcast Cable Communications, Inc. (NETBLK-JUMPSTART-MICHIGAN-A)
  JUMPSTART-MICHIGAN-A        68.40.0.0 - 68.43.255.255

Request: NETBLK-JUMPSTART-MICHIGAN-A@whois.arin.net
connecting to whois.arin.net [192.149.252.22:43] ...

Comcast Cable Communications, Inc. (NETBLK-JUMPSTART-MICHIGAN-A)
   1275 Ball Road
   Jonesville, MI
   US

   Netname: JUMPSTART-MICHIGAN-A
   Netblock: 68.40.0.0 - 68.43.255.255

   Coordinator:
      Zeibari, Greg  (GZ64-ARIN)  gzeibari@comcastpc.com
      856-661-7929

   Domain System inverse mapping provided by:

   NS01.JDC01.PA.COMCAST.NET    66.45.25.71
   NS02.JDC01.PA.COMCAST.NET    66.45.25.72

host:
[toot@sparky /home/www/html/sys_docs/snort]# host 68.41.113.212
212.113.41.68.in-addr.arpa. domain name pointer bgp956615bgs.derbrh01.mi.comcast.net.

http to 68.41.113.212: "Could not connect to remote server"
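Added example (not part of these notes): a small parser for ipchains "Packet log" lines of the kind shown in both incidents above. It pulls the fields apart and groups TCP SYNs to port 27374 by source address, source port and destination, so that the three or four lines a few seconds apart from one source port are counted as the retransmits of a single probe rather than as separate events. The sample input reuses three lines from the first incident plus one constructed, unrelated line to port 80; the function and variable names are my own.

```python
import re
from collections import defaultdict

BACKDOOR_PORT = 27374  # port the Ramen 'asp' service and the SubSeven family listen on

# One ipchains "Packet log" syslog line, e.g.
# Mar 1 21:30:33 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 \
#   63.104.113.85:1784 12.82.133.52:27374 L=48 S=0x00 I=34220 F=0x4000 T=115 SYN (#64)
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+kernel:\s+"
    r"Packet log:\s+(?P<chain>\S+)\s+(?P<action>\S+)\s+(?P<iface>\S+)\s+PROTO=(?P<proto>\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+L=(?P<len>\d+)\s+"
    r"S=(?P<tos>0x[0-9a-fA-F]+)\s+I=(?P<ipid>\d+)\s+F=(?P<frag>0x[0-9a-fA-F]+)\s+T=(?P<ttl>\d+)"
    r"\s*(?P<flags>.*?)\s*\(#(?P<rule>\d+)\)\s*$"
)

def parse_line(line):
    """Parse one ipchains log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "len", "ipid", "ttl", "rule"):
        rec[key] = int(rec[key])
    rec["flags"] = rec["flags"].split()  # e.g. ["SYN"]; empty list when no flags logged
    return rec

def find_backdoor_probes(lines, port=BACKDOOR_PORT):
    """Count TCP SYNs to `port` per (src, sport, dst). Repeats with the same source
    port a few seconds apart are the client's SYN retransmits: one probe, not several."""
    probes = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == 6 and rec["dport"] == port and "SYN" in rec["flags"]:
            probes[(rec["src"], rec["sport"], rec["dst"])] += 1
    return dict(probes)

# Sample input: three lines copied from the ipchains output above, plus one constructed
# denied packet to port 80 from a documentation address that must not be reported.
SAMPLE = """\
Mar 1 21:30:33 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 63.104.113.85:1784 12.82.133.52:27374 L=48 S=0x00 I=34220 F=0x4000 T=115 SYN (#64)
Mar 1 21:30:36 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 63.104.113.85:1784 12.82.133.52:27374 L=48 S=0x00 I=34278 F=0x4000 T=115 SYN (#64)
Mar 1 21:30:42 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 63.104.113.85:1784 12.82.133.52:27374 L=48 S=0x00 I=34402 F=0x4000 T=115 SYN (#64)
Mar 1 21:31:05 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.10:4001 12.82.133.52:80 L=48 S=0x00 I=100 F=0x4000 T=64 SYN (#64)
""".splitlines()

if __name__ == "__main__":
    for (src, sport, dst), n in find_backdoor_probes(SAMPLE).items():
        print(f"{src}:{sport} -> {dst}:{BACKDOOR_PORT}: {n} SYN(s) logged, {n - 1} retransmit(s)")
```

Feeding the real /var/log/messages through find_backdoor_probes gives one entry per probing host rather than one per retransmitted SYN, which is the unit a whois or abuse report is about.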