Proxy attackers/hijackers

From: Jeff Kell (jeff-kell_at_utc.edu)
Date: 10/17/03

    Date: Thu, 16 Oct 2003 23:31:12 -0400
    To: Incidents <incidents@securityfocus.com>, General DShield Discussion List <list@dshield.org>

    We had an attempted proxy rape today on a trojanned dorm machine. No
    mail escaped thanks to firewalling, but I did track down the culprits and
    the compromised ports (which appear random; they changed when the
    machine was rebooted). I do not have the machine (yet) for forensics to
    see what infected it, but it was providing two proxy ports on random
    ports that change when the machine is rebooted (apparently, given the
    time difference between the pairs of proxy ports below).

    Inside IP is munged into private address, but the sources of the
    incoming proxy connections are real. The format is:

    victim-IP:source-IP <connection count> <bytes>

    The <bytes> count is low since the proxy fails after the SYN times out.
    For the most part, these aren't individual attacks, it is a battery of
    hosts in the same netblock. Here is the hit-list and the ports they
    attacked on:

    > [jeff@netsyslog jeff]$ grep 172\.16\.16\.16 utcpix.log|./proxysum 7512
    > 172.16.16.16:66.111.39.210 104 items 0 bytes
    > 172.16.16.16:*** total *** 104 items 0 bytes
    >
    > [jeff@netsyslog jeff]$ grep 172\.16\.16\.16 utcpix.log|./proxysum 9257
    > 172.16.16.16:66.111.39.210 40 items 0 bytes
    > 172.16.16.16:*** total *** 40 items 0 bytes
    >
    >
    > [jeff@netsyslog jeff]$ grep 172\.16\.16\.16 utcpix.log|./proxysum 9813
    > 172.16.16.16:203.98.189.84 3 items 45 bytes
    > 172.16.16.16:207.218.0.155 1035 items 7470 bytes 155.0.218.207.in-addr.arpa
    > 172.16.16.16:213.129.172.88 7 items 85 bytes 213-129-172-88.DialUp.tiscali.es
    > 172.16.16.16:24.163.39.18 7 items 96 bytes rdu163-39-018.nc.rr.com
    > 172.16.16.16:38.117.18.131 8 items 0 bytes
    > 172.16.16.16:66.111.39.210 114 items 1460 bytes
    > 172.16.16.16:66.111.49.120 130 items 700 bytes
    > 172.16.16.16:66.250.55.115 788 items 5916 bytes
    > 172.16.16.16:66.250.55.116 40 items 518 bytes
    > 172.16.16.16:66.250.55.117 32 items 192 bytes
    > 172.16.16.16:66.250.55.118 219 items 1366 bytes
    > 172.16.16.16:66.250.55.119 1761 items 7520 bytes
    > 172.16.16.16:66.250.55.120 87 items 978 bytes
    > 172.16.16.16:66.250.55.121 568 items 5754 bytes
    > 172.16.16.16:66.250.55.122 70 items 142 bytes
    > 172.16.16.16:66.28.209.100 327 items 1394 bytes
    > 172.16.16.16:66.28.209.101 253 items 2424 bytes
    > 172.16.16.16:66.28.209.102 245 items 960 bytes
    > 172.16.16.16:66.28.209.105 390 items 1834 bytes
    > 172.16.16.16:66.28.209.106 1558 items 1100 bytes
    > 172.16.16.16:66.28.209.107 826 items 8650 bytes
    > 172.16.16.16:66.28.209.109 11 items 114 bytes
    > 172.16.16.16:66.28.209.11 54 items 584 bytes
    > 172.16.16.16:66.28.209.110 900 items 6430 bytes
    > 172.16.16.16:66.28.209.98 489 items 3464 bytes
    > 172.16.16.16:66.28.209.99 442 items 4052 bytes
    > 172.16.16.16:66.28.233.165 16 items 316 bytes
    > 172.16.16.16:69.1.65.186 200 items 2064 bytes
    > 172.16.16.16:69.1.65.187 303 items 1972 bytes
    > 172.16.16.16:69.1.65.188 276 items 4266 bytes
    > 172.16.16.16:69.1.65.189 538 items 3648 bytes
    > 172.16.16.16:*** total *** 11697 items 75514 bytes
    >
    > [jeff@netsyslog jeff]$ grep 172\.16\.16\.16 utcpix.log|./proxysum 6394
    > 172.16.16.16:195.24.138.125 4 items 0 bytes
    > 172.16.16.16:209.61.131.147 2 items 0 bytes
    > 172.16.16.16:216.64.225.99 415 items 4641 bytes
    > 172.16.16.16:65.110.36.10 418 items 5052 bytes unknown.sagonet.net
    > 172.16.16.16:65.110.36.40 428 items 5554 bytes unknown.sagonet.net
    > 172.16.16.16:65.110.36.50 291 items 4549 bytes unknown.sagonet.net
    > 172.16.16.16:65.110.41.180 421 items 5462 bytes unknown.sagonet.net
    > 172.16.16.16:65.110.41.190 425 items 5270 bytes unknown.sagonet.net
    > 172.16.16.16:65.110.41.200 414 items 5496 bytes unknown.sagonet.net
    > 172.16.16.16:66.111.33.70 21 items 658 bytes www.celebsmoking.com
    > 172.16.16.16:66.111.39.210 99 items 2909 bytes
    > 172.16.16.16:66.111.49.120 78 items 2815 bytes

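    The post's proxysum output is produced by grep-ing a firewall log and aggregating hits per source for one proxy port. As an added illustration (not the author's proxysum, whose source is not on the page), the following Python does the same aggregation over a constructed simplified key=value log (not the PIX syslog format) and then groups the sources by /24 to surface the "battery of hosts in the same netblock" pattern the post describes; the victim address 172.16.16.16 is the post's munged one and the source addresses are documentation ranges.

```python
import re
from collections import defaultdict
from ipaddress import ip_interface

# Constructed sample log (not from the original post): one connection per line in a
# simplified key=value format. 172.16.16.16 is the munged inside host; the sources
# are documentation ranges standing in for the real netblocks.
SAMPLE_LOG = """\
src=198.51.100.10 dst=172.16.16.16 dport=9813 bytes=45
src=198.51.100.11 dst=172.16.16.16 dport=9813 bytes=0
src=198.51.100.11 dst=172.16.16.16 dport=9813 bytes=1460
src=198.51.100.12 dst=172.16.16.16 dport=9813 bytes=700
src=203.0.113.7 dst=172.16.16.16 dport=9813 bytes=85
src=203.0.113.7 dst=172.16.16.16 dport=6394 bytes=2909
src=192.0.2.200 dst=172.16.16.16 dport=6394 bytes=0
src=198.51.100.10 dst=172.16.16.99 dport=9813 bytes=300
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) bytes=(\d+)")


def proxysum(log_text, victim, port):
    """Aggregate connections to victim:port by source, in the style of the post's
    proxysum: returns {source_ip: (connection_count, bytes)} plus a total row."""
    per_src = defaultdict(lambda: [0, 0])
    for m in LINE_RE.finditer(log_text):
        src, dst, dport, nbytes = m.groups()
        if dst != victim or int(dport) != port:
            continue
        per_src[src][0] += 1
        per_src[src][1] += int(nbytes)
    summary = {src: tuple(v) for src, v in sorted(per_src.items())}
    summary["*** total ***"] = (sum(c for c, _ in summary.values()),
                                sum(b for _, b in summary.values()))
    return summary


def netblock_batteries(summary, prefix=24, min_hosts=2):
    """Group the sources by /prefix and return only the blocks from which min_hosts
    or more distinct hosts hit the same proxy port (the same-netblock battery)."""
    blocks = defaultdict(set)
    for src in summary:
        if src.startswith("***"):
            continue
        blocks[str(ip_interface(f"{src}/{prefix}").network)].add(src)
    return {net: sorted(hosts) for net, hosts in blocks.items() if len(hosts) >= min_hosts}


def format_report(summary, victim):
    """Render the summary in the post's 'victim:source N items M bytes' layout."""
    return "\n".join(f"{victim}:{src} {cnt} items {nb} bytes" for src, (cnt, nb) in summary.items())
```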

