Possible Worm: UDP Source port 770
From: Byrne Ghavalas (byrne.ghavalas@corsaire.com)Date: 02/25/02
- Previous message: Matt Zimmerman: "Re: Checking for rootkits"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Byrne Ghavalas <byrne.ghavalas@corsaire.com> To: "'incidents@securityfocus.com'" <incidents@securityfocus.com> Date: Mon, 25 Feb 2002 12:11:41 -0000
Hi All,
I have gone through the archives and searched the 'Net, but am unable to
locate any further information with regards to these strange packets -
perhaps you fine people could be of assistance. :-)
1. I was called in to analyse a customer's network. They couldn't understand
why network connections kept failing and machines dropped out the network.
They eventually found that by removing the MS-Proxy server from the network,
the problems were 'resolved'.
2. They rebuilt the server using a different machine and clean media from
original CDs. A day and a half later, the problem re-appeared - again
corrected by unplugging the machine from the network.
3. I analysed the machine, but found nothing obvious. I decided to sniff the
TCP/IP traffic from the Proxy server and found:
3.1 Intermittently, 5 UDP packets were sent with Source port of 770 and
consecutive destination ports, with a directed-broadcast address as the
destination.
3.2 The starting destination port number would be different for each burst
of packets. For example, first burst would have destination ports as
follows: 63451, 63452, 63453, 63454, 63455; the next burst would be 37201,
37202, 37203, 37204, 37205.
3.3 The payload was always 28 bytes.
3.4 I noticed that the packets were always sent after a legitimate UDP
packet had been sent by the host, and the destination address of these UDP
packets was always that of the legitimate UDP packet. For example, if a
BROWSER announcement was sent out to the directed-broadcast address, then
the UDP:770 packets would be sent out (to the same broadcast address). [I
later found that this pattern also applied when the destination was a
specific IP address - the UDP:770 packets were also fired off at the
specific IP address.]
3.5 When the proxy is plugged on to the network, I noticed that it ARP'ed
for it's own IP address, after which a barrage of packets hit the network.
(I was sniffing a switched network, plugged in to a hub - so only saw local
traffic and the broadcast traffic.) After a few minutes, machines started to
drop off the network!
3.6 I had baselined the network prior to plugging the proxy in and found no
evidence of these strange UDP packets - they only started when the box was
plugged in to the network. Also, as soon as the box was unplugged, UDP
activity appeared to cease - almost immediately!
3.7 Some of the machines appeared to have a 'conversation' between
themselves and the broadcast address.
This is pretty much what I have so far. (I don't think that it makes any
difference - but you may like to know that the proxy server was acting as a
caching proxy and sits behind a firewall.)
I would appreciate any comments / suggestions, and useful insights.
If you require any further information, let me know and I will see what I
can do.
Kind regards,
Byrne Ghavalas
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
- Previous message: Matt Zimmerman: "Re: Checking for rootkits"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
