RE: Outgoing connections to ports 22226 and 22227
From: Byrne Ghavalas (security_at_nscs.uk.com)
Date: 08/29/03
- Previous message: Mike Shelby: "Port 554 - Quicktime scans, what's up"
- In reply to: Gereon Volker: "Outgoing connections to ports 22226 and 22227"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <incidents@securityfocus.com> Date: Fri, 29 Aug 2003 17:25:27 +0100
On Monday, August 25, 2003 7:41 PM, Gereon Volker [mailto:gvolker@freenet.de] wrote:
> Over the past couple days I've noticed an increase in outgoing connections mostly to port 22226 and 22227 from my windows 2000 honeypot (no service packs or hot fixes applied). The source port of these connections is between 1033 and 1050. Today the destination ports were 509, 1466, 3019, 7140, 10919, 11030, 14859, 16710.
>
> All outbound connections are triggered via inbound connections to port 139 and/or 445. The attacker uses the IPC$ share to connect.
>
> Some of the "attackers" drop the file winhlpp32.exe (known from W32.HLLW.Gaobot.P worm) in the system32 directory, others kill the RPC-service. The size of the file varies from 3 kb to 55 kb.
>
> Most of the IP-addresses are dial-up connections.
>
> All connections to port 135 are blocked by the firewall.
>
> Has anybody else seen similar things?
Similar attacks have been observed by the UK Honeynet project, with
the only real difference being that outbound connections were only
seen on TCP 22227. The captured file was kindly analysed by Sophos
and the following report was returned (the IDE file has not been sent
with this message):
----- Sophos Report -----
Subject : File captured on honeypot - winhlpp32.exe - from : <removed> is infected with W32/Agobot-R (ide file attached)
(See attached file: agobot-r.ide)
W32/Agobot-R
W32/Agobot-R is a backdoor Trojan and network aware worm that allows
unauthorised remote access to a computer.
When an attacker connects to the backdoor via a specific IRC channel they will be able to issue commands that cause the worm to scan the internet for computers to copy itself to. The scan will target network shares with weak passwords and computers vulnerable to both the DCOM RPC vulnerability and the RPC locator vulnerability.
W32/Agobot-R is copied to the Windows system folder with the filenames svchos1.exe and rpcfix.exe and adds any of the following entries to the registry so that the Trojan is run when Windows starts up:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Config Loader and
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Config Loader.
Both of these keys execute svchos1.exe.
----- End of Report -----
BTW - for some reason, F-Prot and NAV didn't detect a virus within the
file. I am not sure if this is because the virus in the file is
benign. My reason for stating that this may be the case is that the
windows filenames referenced weren't created, the registry keys were
never created and the IRC traffic was never generated, even after
several reboots. I will send a copy of the file to NAV and F-Prot for
confirmation.
If anyone requires a copy of the packet trace or the captured file,
drop me a message off list, I'd be happy to oblige.
HTH
Byrne Ghavalas
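The pattern described in this thread (an inbound connection to TCP 139/445, followed shortly by an outbound connection from a high source port to TCP 22226/22227) is straightforward to pick out of a connection log. The following is an added example written for this archive page, not code from either poster; it correlates constructed firewall log lines (format, addresses and timestamps are made up for the example) and the ten-minute correlation window is an assumption, not something the thread states.

```python
"""Flag hosts whose outbound connections to TCP 22226/22227 follow an
inbound SMB connection, the sequence reported on the incidents list."""
from collections import defaultdict
from datetime import datetime, timedelta

SUSPICIOUS_DST_PORTS = {22226, 22227}   # outbound ports reported in the thread
SMB_PORTS = {139, 445}                   # inbound trigger ports reported in the thread
REPORTED_SRC_PORTS = range(1033, 1051)   # source port range 1033-1050 from the report
WINDOW = timedelta(minutes=10)           # assumed correlation window (not from the thread)

# Constructed sample log (not from the original post).
# Fields: timestamp direction src_ip src_port dst_ip dst_port proto
SAMPLE_LOG = """\
2003-08-25T19:30:01 IN  203.0.113.7 3456 192.0.2.10 445 tcp
2003-08-25T19:30:04 OUT 192.0.2.10 1034 203.0.113.7 22227 tcp
2003-08-25T19:31:10 IN  198.51.100.9 4021 192.0.2.10 139 tcp
2003-08-25T19:31:13 OUT 192.0.2.10 1041 198.51.100.9 22226 tcp
2003-08-25T19:40:00 OUT 192.0.2.10 1050 192.0.2.53 53 udp
2003-08-25T19:45:00 IN  203.0.113.8 5000 192.0.2.11 445 tcp
2003-08-25T20:30:00 OUT 192.0.2.11 1035 203.0.113.8 22227 tcp
2003-08-25T20:31:00 OUT 192.0.2.12 1036 203.0.113.9 22227 tcp
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts, in file order."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, direction, src, sport, dst, dport, proto = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "dir": direction,
            "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport),
            "proto": proto,
        })
    return events


def correlate(events, window=WINDOW):
    """Return one alert per outbound connection to a suspicious port.

    Each alert records whether the same internal host accepted an inbound
    SMB (139/445) connection within `window` before the outbound one, and
    whether the outbound source port falls in the range the thread reports.
    """
    smb_in = defaultdict(list)          # internal host -> inbound SMB events
    for e in events:
        if e["dir"] == "IN" and e["proto"] == "tcp" and e["dport"] in SMB_PORTS:
            smb_in[e["dst"]].append(e)

    alerts = []
    for e in events:
        if e["dir"] != "OUT" or e["proto"] != "tcp":
            continue
        if e["dport"] not in SUSPICIOUS_DST_PORTS:
            continue
        host = e["src"]
        trigger = None
        for s in smb_in.get(host, []):
            # keep the most recent inbound SMB connection inside the window
            if timedelta(0) <= e["ts"] - s["ts"] <= window:
                trigger = s
        alerts.append({
            "host": host,
            "peer": f'{e["dst"]}:{e["dport"]}',
            "src_port_in_reported_range": e["sport"] in REPORTED_SRC_PORTS,
            "preceded_by_smb": trigger is not None,
            "smb_peer": trigger["src"] if trigger else None,
        })
    return alerts


if __name__ == "__main__":
    for a in correlate(parse_log(SAMPLE_LOG)):
        print(a)
```

Two of the four alerts in the sample are preceded by an inbound SMB connection from the same peer the host then calls back, which matches the sequence in the thread; the other two fall outside the window or have no inbound connection at all and would warrant a look at the host for the winhlpp32.exe / svchos1.exe / rpcfix.exe files and the "Config Loader" Run entries the Sophos report names.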