Re: Proxy attackers/hijackers
From: Joe Stewart (jstewart_at_lurhq.com)
Date: 10/17/03
- Previous message: Jeff Kell: "Proxy attackers/hijackers"
- In reply to: Jeff Kell: "Proxy attackers/hijackers"
- Next in thread: Carey, Steve T GARRISON: "RE: Proxy attackers/hijackers"
To: General DShield Discussion List <list@dshield.org>
Date: Fri, 17 Oct 2003 10:15:37 -0400
On Thursday 16 October 2003 11:31 pm, Jeff Kell wrote:
> We had an attempted proxy rape today on a trojanned dorm machine. No
> mail escaped thanks to firewalling but I did track down the culprits
> and the compromised ports (which appear random, they changed when the
> machine was rebooted). Do not have the machine (yet) for forensics
> to see what infected it, but it was providing two proxy ports on
> random ports that change when the machine is rebooted (apparently,
> given the time difference between the pairs of proxy ports below).
If the two proxy ports start at a random port but themselves are
sequential, it could be the Autoproxy trojan. A rash of these was
installed yesterday by a second mass-hack of a large webhosting
provider. Autoproxy can be detected when it attempts to make outbound
HTTP control connections (one is to a CGI script where it reports its
port numbers and stats, the other is to an uninvolved third-party
website for connectivity checking). In these connections it sets its
User-Agent header to "Autoproxy/0.2". The snort signature below will
catch these connections leaving your network and let you know if you
have any infected hosts.
# Outbound HTTP request whose User-Agent header starts with "Autoproxy/";
# the hex content below is "\r\nUser-Agent: Autoproxy/".
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Autoproxy Trojan control connection"; \
    flags:A+; \
    content:"|0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 41 75 74 6f 70 72 6f 78 79 2f|"; \
    reference:url,www.lurhq.com/autoproxy.html; classtype:trojan-activity; \
    sid:1000028; rev:1;)
-Joe
--
Joe Stewart, GCIH
Senior Security Researcher
LURHQ http://www.lurhq.com/
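Added example, not part of Joe's post or of LURHQ's signature: a short Python script that decodes the `content:` match from the Snort rule above into the bytes it looks for and applies that match to a few constructed HTTP request payloads, the way the rule would on traffic leaving the network. The control-server hostname, CGI path and port numbers in the sample payloads are made up for illustration; the only value taken from the post is the rule's content string.

```python
"""Decode the Autoproxy Snort content match and test it against sample
HTTP request payloads. Added example; payloads are constructed, not captured."""
from typing import Dict, List

# The content: value exactly as it appears in the posted Snort rule.
RULE_CONTENT = ("|0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 "
                "41 75 74 6f 70 72 6f 78 79 2f|")


def decode_snort_content(content: str) -> bytes:
    """Turn a Snort 'content:' value into the raw bytes it matches.

    Text between pipe characters is a run of hex bytes; text outside the
    pipes is matched literally, so "User|2d|Agent" decodes to b"User-Agent".
    """
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2 == 1:                      # odd segments sit between pipes
            out.extend(bytes.fromhex(part))
        else:                               # even segments are literal text
            out.extend(part.encode("latin-1"))
    return bytes(out)


def matches_rule(payload: bytes) -> bool:
    """True if the payload carries the byte sequence the rule alerts on,
    i.e. a header line that begins "User-Agent: Autoproxy/" (any version)."""
    return decode_snort_content(RULE_CONTENT) in payload


def scan(payloads: Dict[str, bytes]) -> List[str]:
    """Return the names of the payloads the rule would fire on."""
    return [name for name, data in payloads.items() if matches_rule(data)]


# Constructed sample traffic. Hostnames, path and port numbers are invented.
SAMPLE_PAYLOADS: Dict[str, bytes] = {
    # What a control connection reporting its proxy ports might look like.
    "infected-dorm-host": (
        b"GET /cgi-bin/report.cgi?p1=4000&p2=4001 HTTP/1.0\r\n"
        b"Host: control.example.invalid\r\n"
        b"User-Agent: Autoproxy/0.2\r\n"
        b"\r\n"
    ),
    # An ordinary browser request: must not match.
    "normal-browser": (
        b"GET / HTTP/1.1\r\n"
        b"Host: www.example.com\r\n"
        b"User-Agent: Mozilla/5.0\r\n"
        b"\r\n"
    ),
    # The string appears, but not at the start of the User-Agent header,
    # so the leading CR LF in the rule keeps this from firing.
    "mention-only": (
        b"GET /search?q=Autoproxy HTTP/1.1\r\n"
        b"Host: www.example.com\r\n"
        b"User-Agent: Mozilla/5.0 (reading about Autoproxy/0.2)\r\n"
        b"\r\n"
    ),
}


if __name__ == "__main__":
    print("rule matches bytes:", decode_snort_content(RULE_CONTENT))
    print("alerting payloads:", scan(SAMPLE_PAYLOADS))
```

The leading `0d 0a` in the rule is what keeps it honest: it anchors the match to the beginning of a header line, so a page or query string that merely mentions "Autoproxy/0.2" does not fire, while any version after "Autoproxy/" still does.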