Incidents: tcp:80, tcp:111, udp:137


First, the usual Code Red/Nimda drizzle...

I mean, is this getting old, or what?

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=

syslog/logcheck:

Mar  4 09:41:51 greatwall snort: [1:0:0] Potential CodeRed/Nimda probe {TCP}
 12.82.140.120:2744 -> 12.82.129.125:80
Mar  4 09:41:54 greatwall snort: [1:0:0] Potential CodeRed/Nimda probe {TCP}
+12.82.140.120:2744 -> 12.82.129.125:80


ipchains:

Mar  4 09:41:51 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.140.120:2744 12.82.129.125:80
 L=44 S=0x00 I=36011 F=0x4000 T=126 SYN (#64)
Mar  4 09:41:54 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.140.120:2744 12.82.129.125:80
 L=44 S=0x00 I=17581 F=0x4000 T=126 SYN (#64)


p0f:

Mon Mar  4 09:41:51 2002 12.82.140.120: UNKNOWN [8192:126:1460:1:164:0:0:44].
 12.82.140.120:2744 -> 12.82.129.125:80
Mon Mar  4 09:41:54 2002 12.82.140.120: UNKNOWN [8192:126:1460:1:168:0:0:44].
 12.82.140.120:2744 -> 12.82.129.125:80


full snort packet dump:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 
03/04-09:41:51.960774 12.82.140.120:2744 -> 12.82.129.125:80
TCP TTL:126 TOS:0x0 ID:36011 IpLen:20 DgmLen:44 DF
******S* Seq: 0x3D9499  Ack: 0x0  Win: 0x2000  TcpLen: 24
TCP Options (1) => MSS: 1460 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 
03/04-09:41:54.480985 12.82.140.120:2744 -> 12.82.129.125:80
TCP TTL:126 TOS:0x0 ID:17581 IpLen:20 DgmLen:44 DF
******S* Seq: 0x3D9499  Ack: 0x0  Win: 0x2000  TcpLen: 24
TCP Options (1) => MSS: 1460 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


host:

[root@sparky /storage/snort]# host 12.82.140.120
120.140.82.12.in-addr.arpa. domain name pointer 120.seattle-05-10rs.wa.dial-access.att.net.



BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
 1999-2001 William E. Weinman 

Request: 12.82.140.120
connecting to whois.arin.net [63.146.182.182:43] ...
AT&T ITS (NET-ATT)
   200 Laurel Avenue South
   Middletown, NJ 07748
   US    

Netname: ATT
   Netblock: 12.0.0.0 - 12.255.255.255
   Maintainer: ATTW    

Coordinator:
      Kostick, Deirdre  (DK71-ARIN)  help@IP.ATT.NET
      (888)613-6330    

Domain System inverse mapping provided by: 
   DBRU.BR.NS.ELS-GMS.ATT.NET199.191.128.106
   DMTU.MT.NS.ELS-GMS.ATT.NET12.127.16.70
   CBRU.BR.NS.ELS-GMS.ATT.NET199.191.128.105
   CMTU.MT.NS.ELS-GMS.ATT.NET12.127.16.69


Now, tcp:111 portmapper


syslog/logcheck:

Mar  4 09:47:31 greatwall snort: [1:0:0] TCP to 111 sunrpc {TCP}
 65.104.251.67:1525 -> 12.82.129.125:111


snort:

Mar  4 09:47:31 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 65.104.251.67:1525 12.82.129.125:111
 L=60 S=0x00 I=32007 F=0x4000 T=52 SYN (#64)


p0f:

Mon Mar  4 09:47:31 2002 65.104.251.67 [13 hops]: Linux 2.2.9 - 2.2.18
 65.104.251.67:1525 -> 12.82.129.125:111 (timestamp: 52483290 @1015264051)


full snort packet dump:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/04-09:47:31.844810 65.104.251.67:1525 -> 12.82.129.125:111
TCP TTL:52 TOS:0x0 ID:32007 IpLen:20 DgmLen:60 DF
******S* Seq: 0x28BB1936  Ack: 0x0  Win: 0x7D78  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 52483290 0 NOP WS: 0 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
 1999-2001 William E. Weinman 

XO Communications (NET-XOXO-BLK-15)
   1400 Parkmoor Avenue
   San Jose, CA 95126-3429
   US    

Netname: XOXO-BLK-15
   Netblock: 65.104.0.0 - 65.107.255.255
   Maintainer: XOXO    

Coordinator:
   DNS and IP ADMIN  (DIA-ORG-ARIN)  hostmaster@CONCENTRIC.NET
   (408) 817-2800
   Fax- - - (408) 817-2630    

Domain System inverse mapping provided by: 
   NAMESERVER1.CONCENTRIC.NET207.155.183.73
   NAMESERVER2.CONCENTRIC.NET207.155.184.72
   NAMESERVER3.CONCENTRIC.NET206.173.119.72
   NAMESERVER.CONCENTRIC.NET207.155.183.72



http to 65.104.251.67:

"It Worked!

If you can see this, it means that the installation of the
Apache software on this Red Hat Linux system was successful.
You may now add content to this directory and replace this page."
 
Yeah: it worked, you installed Linux and Apache and left it wide open, and now your box has been cracked and is being used to attack other people..

Idiot.


And a udp:137 for good measure...

This is an intersting one

On the face of it, it looks like I get probed on udp:137 (which I did..) but then what's the DNS stuff a minute-and-a-half later all about?


syslog/logcheck:

Mar  4 09:53:41 greatwall snort: [1:0:0] UDP to 137 netBIOS ns {UDP}
 216.46.199.45:1348 ->+12.82.129.125:137


ipchains:

Mar  4 09:53:41 greatwall kernel: Packet log: input DENY ppp0 PROTO=17
 216.46.199.45:1348 12.82.129.125:137
 L=78 S=0x00 I=34408 F=0x0000 T=53 (#27)


no P0f: udp :-)



more host_216.46.199.45-0304@0630.log

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/04-09:53:41.111823 216.46.199.45:1348 -> 12.82.129.125:137
UDP TTL:53 TOS:0x0 ID:34408 IpLen:20 DgmLen:78
Len: 58
00 99 00 10 00 01 00 00 00 00 00 00 20 43 4B 41  ............ CKA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21  AAAAAAAAAAAAA..!
00 01                                            .. 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 
03/04-09:55:07.000946 12.82.129.125:1025 -> 216.46.199.45:53
UDP TTL:64 TOS:0x0 ID:43235 IpLen:20 DgmLen:81
Len: 61
0B 76 00 00 00 01 00 00 00 00 00 00 02 34 35 03  .v...........45.
31 39 39 02 34 36 03 32 31 36 07 69 6E 2D 61 64  199.46.216.in-ad
64 72 09 67 6E 65 74 77 6F 72 6B 73 03 63 6F 6D  dr.gnetworks.com
00 00 0C 00 01                                   ..... 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 
03/04-09:55:07.230496 216.46.199.45:53 -> 12.82.129.125:1025
UDP TTL:53 TOS:0x0 ID:38460 IpLen:20 DgmLen:125
Len: 105
0B 76 84 83 00 01 00 00 00 01 00 00 02 34 35 03  .v...........45.
31 39 39 02 34 36 03 32 31 36 07 69 6E 2D 61 64  199.46.216.in-ad
64 72 09 67 6E 65 74 77 6F 72 6B 73 03 63 6F 6D  dr.gnetworks.com
00 00 0C 00 01 C0 22 00 06 00 01 00 01 51 80 00  ......"......Q..
20 C0 22 07 68 6F 73 74 69 6E 67 C0 22 77 45 EE   .".hosting."wE.
BF 00 00 70 80 00 00 1C 20 00 09 3A 80 00 01 51  ...p.... ..:...Q
80                                               . 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 
03/04-12:59:57.566062 12.82.129.125:1025 -> 216.46.199.45:53
UDP TTL:64 TOS:0x0 ID:48176 IpLen:20 DgmLen:81
Len: 61
CE 1C 00 00 00 01 00 00 00 00 00 00 02 34 35 03  .............45.
31 39 39 02 34 36 03 32 31 36 07 69 6E 2D 61 64  199.46.216.in-ad
64 72 09 67 6E 65 74 77 6F 72 6B 73 03 63 6F 6D  dr.gnetworks.com
00 00 0C 00 01                                   ..... 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 
03/04-12:59:57.794388 216.46.199.45:53 -> 12.82.129.125:1025
UDP TTL:53 TOS:0x0 ID:64888 IpLen:20 DgmLen:125
Len: 105
CE 1C 84 83 00 01 00 00 00 01 00 00 02 34 35 03  .............45.
31 39 39 02 34 36 03 32 31 36 07 69 6E 2D 61 64  199.46.216.in-ad
64 72 09 67 6E 65 74 77 6F 72 6B 73 03 63 6F 6D  dr.gnetworks.com
00 00 0C 00 01 C0 22 00 06 00 01 00 01 51 80 00  ......"......Q..
20 C0 22 07 68 6F 73 74 69 6E 67 C0 22 77 45 EE   .".hosting."wE.
BF 00 00 70 80 00 00 1C 20 00 09 3A 80 00 01 51  ...p.... ..:...Q
80                                               . 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+



[toot@sparky /storage/snort]# dig @greatwall any gnetworks.com

; <<>> DiG 9.1.0 <<>> @greatwall any gnetworks.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29898
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;gnetworks.com.			IN	ANY

;; ANSWER SECTION:
gnetworks.com.		129645	IN	NS	NS1.gnetworks.com.
gnetworks.com.		129645	IN	NS	NS2.gnetworks.com.
gnetworks.com.		50073	IN	SOA	gnetworks.com. 

hosting.gnetworks.com. 2001071807 28800 7200 604800 86400

;; AUTHORITY SECTION:
gnetworks.com.		129645	IN	NS	NS1.gnetworks.com.
gnetworks.com.		129645	IN	NS	NS2.gnetworks.com.

;; ADDITIONAL SECTION:
NS1.gnetworks.com.	136469	IN	A	216.46.199.45
NS2.gnetworks.com.	136469	IN	A	216.46.199.46

;; Query time: 34 msec
;; SERVER: 192.168.1.2#53(greatwall)
;; WHEN: Mon Mar  4 20:00:35 2002
;; MSG SIZE  rcvd: 171



BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
 1999-2001 William E. Weinman 

Pathway Computing, Inc (NETBLK-PATHWAY-BLK)
   825 BOND AVE NW STE 211D
   GRAND RAPIDS, MI 49503
   US    

Netname: PATHWAY-BLK
   Netblock: 216.46.192.0 - 216.46.207.255
   Maintainer: PWCI    

Coordinator:
      PathWay Computing, Inc.  (PC-ORG-ARIN)  hostmaster@pathwaynet.com
      +1 616 774-3131    

Domain System inverse mapping provided by: 
   NS1.PATHWAYNET.COM216.46.200.172
   NS2.PATHWAYNET.COM216.46.200.173



jsage@finchhaven.com
Last modified: Mon Mar 4 22:57:38 2002