Incident: 03-01-02 21:30pm

tcp:27374

What have we on tcp:27374?

http://www.neohapsis.com/neolabs/neo-ports/neo-ports.svcs:

BadBlood             27374/tcp       #[trojan] Bad Blood
EGO                  27374/tcp       #[trojan] EGO
FakeSubSeven         27374/tcp       #[trojan] Fake SubSeven
Lion                 27374/tcp       #[trojan] Lion
Ramen                27374/tcp       #[trojan] Ramen
Seeker               27374/tcp       #[trojan] Seeker
Subseven2.1.4DefCon8 27374/tcp       #[trojan] Subseven 2.1.4 DefCon 8
SubSeven2.1Gold      27374/tcp       #[trojan] SubSeven 2.1 Gold
SubSeven2.2          27374/tcp       #[trojan] SubSeven 2.2
SubSevenMuie         27374/tcp       #[trojan] SubSeven Muie
SubSeven             27374/tcp       #[trojan] SubSeven
SubSeven             27374/tcp       #[trojan] SubSeven
TheSaint             27374/tcp       #[trojan] The Saint
Ttfloader            27374/tcp       #[trojan] Ttfloader
Webhead              27374/tcp       #[trojan] Webhead

One possibility: a search for ramen-compromised hosts:

http://www.cert.org/incident_notes/IN-2001-01.html:

When a host is compromised, the ramen toolkit is automatically copied
to the compromised host, installed in "/usr/src/.poop", and started.
The ramen toolkit is controlled by a series of shell scripts that make
modifications to the compromised system and initiate attacks on other
systems. Several notable system modifications are made in sequence
after ramen is started.

<snip>

For systems with '/etc/inetd.conf'
  
an intruder supplied program is added as '/sbin/asp'. A
    service named 'asp' is added to '/etc/inetd.conf' and inetd is
    sent a signal to reload the configuration file. This causes inetd
    to listen on TCP socket number 27374 for incoming connections.

<snip>
   
For systems without '/etc/inetd.conf'
  
an intruder-supplied program is added as '/usr/sbin/asp'. A
    service named 'asp' is added to '/etc/xinetd.d' and xinetd is
    sent a signal to reload it's configuration. This causes xinetd to
    listen on TCP socket number 27374 for incoming connections.

<snip>

snort packet dump:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/01-21:30:33.668485 63.104.113.85:1784 -> 12.82.133.52:27374
TCP TTL:115 TOS:0x0 ID:34220 IpLen:20 DgmLen:48 DF
******S* Seq: 0x3F12A9DE  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1360 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/01-21:30:36.618772 63.104.113.85:1784 -> 12.82.133.52:27374
TCP TTL:115 TOS:0x0 ID:34278 IpLen:20 DgmLen:48 DF
******S* Seq: 0x3F12A9DE  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1360 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/01-21:30:42.639390 63.104.113.85:1784 -> 12.82.133.52:27374
TCP TTL:115 TOS:0x0 ID:34402 IpLen:20 DgmLen:48 DF
******S* Seq: 0x3F12A9DE  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1360 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+



ipchains:

Mar  1 21:30:33 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 63.104.113.85:1784 12.82.133.52:27374
 L=48 S=0x00 I=34220 F=0x4000 T=115 SYN (#64)

Mar  1 21:30:36 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 63.104.113.85:1784 12.82.133.52:27374
 L=48 S=0x00 I=34278 F=0x4000 T=115 SYN (#64)

Mar  1 21:30:42 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 63.104.113.85:1784 12.82.133.52:27374
 L=48 S=0x00 I=34402 F=0x4000 T=115 SYN (#64)



p0f:

Fri Mar  1 21:30:33 2002 63.104.113.85: UNKNOWN [8760:115:1360:1:-1:1:1:48].
  63.104.113.85:1784 -> 12.82.133.52:27374

Fri Mar  1 21:30:36 2002 63.104.113.85: UNKNOWN [8760:115:1360:1:-1:1:1:48].
  63.104.113.85:1784 -> 12.82.133.52:27374

Fri Mar  1 21:30:42 2002 63.104.113.85: UNKNOWN [8760:115:1360:1:-1:1:1:48].
  63.104.113.85:1784 -> 12.82.133.52:27374



BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
 1999-2001 William E. Weinman 

UUNET Technologies, Inc. (NETBLK-UUNET63) UUNET63  
 63.64.0.0 - 63.127.255.255

RTL Systems Inc (NETBLK-UU-63-104-113) UU-63-104-113
 63.104.113.0 - 63.104.113.255



RTL Systems Inc (NETBLK-UU-63-104-113)
   1046 East Commercial
   Lowell, IN 46356
   US    

Netname: UU-63-104-113
   Netblock: 63.104.113.0 - 63.104.113.255
   Maintainer: RTLS    

Coordinator:
      Felder, Tom  (TF242-ARIN)  felder@xvi.net
      219-696-4984 

   Record last updated on 31-May-2000.
   Database last updated on  1-Mar-2002 19:57:27 EDT.



host:

[toot@sparky /home/www/html/sys_docs/snort]# host 66.186.213.43
43.213.186.66.in-addr.arpa. domain name pointer NODE-43.HOSTING-NETWORK.COM.



http to 63.104.113.85:

"Could not connect to remote server


The second incident:


snort packet dump:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/01-22:02:12.414480 68.41.113.212:3968 -> 12.82.140.53:27374
TCP TTL:115 TOS:0x0 ID:5854 IpLen:20 DgmLen:48 DF
******S* Seq: 0x2FCA561  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/01-22:02:15.434798 68.41.113.212:3968 -> 12.82.140.53:27374
TCP TTL:115 TOS:0x0 ID:21726 IpLen:20 DgmLen:48 DF
******S* Seq: 0x2FCA561  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/01-22:02:21.535513 68.41.113.212:3968 -> 12.82.140.53:27374
TCP TTL:115 TOS:0x0 ID:60638 IpLen:20 DgmLen:48 DF
******S* Seq: 0x2FCA561  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/01-22:02:33.766764 68.41.113.212:3968 -> 12.82.140.53:27374
TCP TTL:115 TOS:0x0 ID:2272 IpLen:20 DgmLen:48 DF
******S* Seq: 0x2FCA561  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+



ipchains:

Mar  1 22:02:12 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 68.41.113.212:3968 12.82.140.53:27374
 L=48 S=0x00 I=5854 F=0x4000 T=115 SYN (#64)

Mar  1 22:02:15 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 68.41.113.212:3968 12.82.140.53:27374
 L=48 S=0x00 I=21726 F=0x4000 T=115 SYN (#64)

Mar  1 22:02:21 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 68.41.113.212:3968 12.82.140.53:27374
 L=48 S=0x00 I=60638 F=0x4000 T=115 SYN (#64)

Mar  1 22:02:33 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 68.41.113.212:3968 12.82.140.53:27374
 L=48 S=0x00 I=2272 F=0x4000 T=115 SYN (#64)



p0f:

Fri Mar  1 22:02:12 2002 68.41.113.212: UNKNOWN [8192:115:1460:1:49:1:1:48].
   68.41.113.212:3968 -> 12.82.140.53:27374

Fri Mar  1 22:02:15 2002 68.41.113.212: UNKNOWN [8192:115:1460:1:49:1:1:48].
   68.41.113.212:3968 -> 12.82.140.53:27374

Fri Mar  1 22:02:21 2002 68.41.113.212: UNKNOWN [8192:115:1460:1:49:1:1:48].
   68.41.113.212:3968 -> 12.82.140.53:27374

Fri Mar  1 22:02:33 2002 68.41.113.212: UNKNOWN [8192:115:1460:1:49:1:1:48].
   68.41.113.212:3968 -> 12.82.140.53:27374



BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
 1999-2001 William E. Weinman 

Request: 68.41.113.212
connecting to whois.arin.net [192.149.252.22:43] ...

Comcast Cable Communications, Inc. (NETBLK-JUMPSTART-1)JUMPSTART-1
     68.32.0.0 - 68.63.255.255

Comcast Cable Communications, Inc. (NETBLK-JUMPSTART-MICHIGAN-A) JUMPSTART-MICHIGAN-A
     68.40.0.0 - 68.43.255.255


Request: NETBLK-JUMPSTART-MICHIGAN-A@whois.arin.net
connecting to whois.arin.net [192.149.252.22:43] ...

Comcast Cable Communications, Inc. (NETBLK-JUMPSTART-MICHIGAN-A)
   1275 Ball Road
   Jonesville, MI
   US    

Netname: JUMPSTART-MICHIGAN-A
   Netblock: 68.40.0.0 - 68.43.255.255    

Coordinator:
      Zeibari, Greg  (GZ64-ARIN)  gzeibari@comcastpc.com
      856-661-7929    

Domain System inverse mapping provided by: 
   NS01.JDC01.PA.COMCAST.NET66.45.25.71
   NS02.JDC01.PA.COMCAST.NET66.45.25.72



host:

[toot@sparky /home/www/html/sys_docs/snort]# host 68.41.113.212
212.113.41.68.in-addr.arpa. domain name pointer bgp956615bgs.derbrh01.mi.comcast.net.



http to 68.41.113.212:

"Could not connect to remote server"


jsage@finchhaven.com
Last modified: Sat Mar 2 08:27:42 2002