what compromised these machines ??

Searching the web for an appropriate forum to post this to.
I live in an apartment complex that offers free internet provided
by Time Warner. They set the network up with routers connected
to the backbone and all the apartment tenants on the other side
of the router in a private network. That must be a common way
to do these types of setups. Well, I've been monitoring my firewall
and message logs and I think I've spotted two compromised machines
on the private network. I was searching the web and this description
seems to fit the behavior of the two compromised machines,
"exploit toolkits to fingerprint the victim's browser, identify the
right exploits to launch, obfuscate the exploit code, and send it to the target".

In my logs, the two machines probe port 80 and port 8080 hundreds of times,
and then probe port 161,3389,5900, and 40080. The ports in question appear
to all be ports that can be accessed with remote software. My question is,
"What exploit toolkit would cause these compromised machines to exhibit
this type of probing behavior on these particular ports??"

Thanks for your help,
~~

 

It's worth posting your firewall log as well (or just a short snapshot of the particular problems you see), just to have someone clarify things for you. The long number "161,3389,5900" doesn't look right, as there are 65535 port ranges, it could be an IP instead and you might have written it down incorrectly (check the dots).

 

I think he means ports 161 and 3389 and 5900.

 

Ha Yeah, plurals love em.

 

hi, just googled a few numbers for you. These are ports used by some cisco management service/clients.

check it here:
http://www.cisco.com/en/US/docs/voi...rprise/port_utilization_icm/guide/ipcpt71.pdf

 

Thanks for all of the responses.

I included some snippets of the log. I obfuscated the network.

Aug 13 17:00:02 [IPTABLES DROP] SRC=XXX.XX.104.112 DST=XXX.XX.104.167 PROTO=TCP SPT=56775 DPT=3389
Aug 13 17:00:03 [IPTABLES DROP] SRC=XXX.XX.104.112 DST=XXX.XX.104.167 PROTO=TCP SPT=56775 DPT=3389
Aug 13 17:00:03 [IPTABLES DROP] SRC=XXX.XX.104.112 DST=XXX.XX.104.167 PROTO=TCP SPT=56775 DPT=5900
Aug 13 17:00:03 [IPTABLES DROP] SRC=XXX.XX.104.112 DST=XXX.XX.104.167 PROTO=TCP SPT=56775 DPT=5900
Aug 13 17:00:04 [IPTABLES DROP] SRC=XXX.XX.104.112 DST=XXX.XX.104.167 PROTO=TCP SPT=56775 DPT=5900
Aug 13 17:00:04 [IPTABLES DROP] SRC=XXX.XX.104.112 DST=XXX.XX.104.167 PROTO=TCP SPT=56775 DPT=40080
Aug 13 17:00:04 [IPTABLES DROP] SRC=XXX.XX.104.112 DST=XXX.XX.104.167 PROTO=TCP SPT=56775 DPT=40080
Aug 13 17:00:05 [IPTABLES DROP] SRC=XXX.XX.104.112 DST=XXX.XX.104.167 PROTO=TCP SPT=56775 DPT=40080

Aug 13 16:58:43 [IPTABLES DROP] SRC=XXX.XX.104.112 DST=XXX.XX.104.167 PROTO=UDP SPT=54311 DPT=161
Aug 13 16:58:46 [IPTABLES DROP] SRC=XXX.XX.104.112 DST=XXX.XX.104.167 PROTO=UDP SPT=54311 DPT=161
Aug 19 14:50:24 [IPTABLES DROP] SRC=XXX.XX.105.239 DST=XXX.XX.104.167 PROTO=UDP SPT=59021 DPT=161
Aug 19 14:50:27 [IPTABLES DROP] SRC=XXX.XX.105.239 DST=XXX.XX.104.167 PROTO=UDP SPT=59021 DPT=161

Aug 13 16:58:43 SRC=XXX.XX.104.112 DST=XXX.XX.104.167 PROTO=TCP SPT=56755 DPT=80
Aug 13 16:59:18 SRC=XXX.XX.104.112 DST=XXX.XX.104.167 PROTO=TCP SPT=56775 DPT=80
Aug 13 16:59:18 SRC=XXX.XX.104.112 DST=XXX.XX.104.167 PROTO=TCP SPT=56775 DPT=80
Aug 13 16:59:19 SRC=XXX.XX.104.112 DST=XXX.XX.104.167 PROTO=TCP SPT=56775 DPT=80
Aug 13 16:59:19 SRC=XXX.XX.104.112 DST=XXX.XX.104.167 PROTO=TCP SPT=56775 DPT=8080
Aug 13 16:59:19 SRC=XXX.XX.104.112 DST=XXX.XX.104.167 PROTO=TCP SPT=56775 DPT=8080
Aug 13 16:59:20 SRC=XXX.XX.104.112 DST=XXX.XX.104.167 PROTO=TCP SPT=56775 DPT=8080

I'm still hoping to find the answer to my original question, "What exploit toolkit would cause these compromised machines to exhibit this type of probing behavior on these particular ports??"

Thanks,
~~

 

I think you received one possible answer given by Bensec.

You "X"d out the IP`s. If this is a private network then it is unnecessary to have done that as they are reserved and un-routable.

 

Thanks for information. I think it is more related to something like this:
http://www.cs.ucsb.edu/~marco/blog/2009/04/yes-exploit-toolkit.html
but I'm unable to find any additional information at this time.

Thanks for all of your help,
~~

 

Both are possible.
However in my view its more likely to be a cisco thing.

Its not easy to separate the hype from reality when it comes to malware rates.

 

Maybe time to do some probing with Superscan or NMAP and maybe Wireshark.

These tools should be able to help you to rule out Cisco or botnet/malware.

 

I could probably capture the packets with nc (netcat) but at this point I'm not really motivated.
I still would have research where to submit the packets for analysis and get an idea of the
turnaround time.
I would use snort if I had an up to date ruleset. The probes are too random to use
Wireshark. Haven't considered using Nmap ... I'll have to check how to set that up
to capture packets.

I found some more information here, but I'm just speculating whether this could be it or not
because no one will say what ports the RPC mechanism is using.

http://www.viruslist.com/en/viruses/encyclopedia?virusid=21782733

"Network spreading
When infecting a computer, the worm launches an HTTP server on a random TCP port. This
is then used to load the worm’s executable file to other computers.
The worm gets the IP addresses of computers in the same network as the victim machine and attacks
them via a buffer overrun vulnerability (MS08-067) in the Server service. (More details about
this vulnerability can be found on the Microsoft site: www.microsoft.com).
The worm sends a specially crafted RPC request to remote machines, which causes a
buffer overrun when the wcscpy_s function is called in netapi32.dll. This launches
code which downloads the worm file, launches and installs it on the new victim machine.
In order to exploit the vulnerability described above, the worm attempts to connect to the Administrator
account on the remote machine. The worm uses the following passwords to brute force
the account: blah,blah,blah,etc, ...."

Thanks for all of your help,
~~

 

Is this your set up?

Your Computer-->Router-->Appartments Computers-->ISP Router

nmap is a scanning tool for finding open ports for vulnerability scanning.
-sT is the quiet option.

You could, with nmap, scan the apartment network to determine open ports and OS's for those computers. You might be able to determine what exploits are running by which ports are open.
Then their is Nessus, a 2 part program. The client and server, which can be on a single computer, for vulnerability assessment.
This will tell you what is exploitable, helping you to narrow down the possibly infected systems.

With wireshark you could save the file and replay on loopback; other programs, like urlsnarf, checking for available info.

 

> Is this your set up?

> Your Computer-->Router-->Appartments Computers-->ISP Router

It's their setup (Time Warner) and it's:

s0ylgr3n Computer-->(Time Warner Router)-->(Time Warner Hub/Backbone/Whatever/IP Address visible to the rest of the Internet)
--------------------------->(^Non-User Accessible -- It's the RJ45 Wall Jack)

> You could, with nmap, scan the apartment network ...

No, I just want to answer my original question. I check my own boxes with Nmap and Nessus.

I see no point in checking boxes I'm not authorized to check. Actions like that can be
misinterpreted by the network owners.

Wireshark is a resource hog and reads all network traffic. I would rather setup nc
(netcat) to receive the connection on the IP address and port in question and then
run snort in conjunction with nc to capture the packets. But I can only interpret
a small amount of data from the raw packet, I'm not a packet expert. So before I
do anything more I have to research where I can get packet analysis done.

Thanks for all of your help,
~~

 

I know what you need...Reversasploit.

Reversasploit will take port scanning and mapping information, from nmap nessus saint, crossreference it against Metasploit tools, libraries, modules to automagically determine what exploits are running on a compromised machine. Coming in 201*'.

 

Thanks for the suggestion.

I might be more successful if my question caught the
interest of one of the handlers at sans.org.
http://isc.sans.org/

At this time I'm going to consider my original question
unanswerable and the thread closed. There are several
things at issue.

After capturing the packets with nc and snort, I would
have to interpret the packets, dissassemble the underlying
code with a tool like Ollydbg or similar tool,
http://securitylabs.websense.com/content/Blogs/2721.aspx
http://isc.sans.org/diary.html?storyid=1801

~ Links to Possible Malware Removed ~

and then perform the malware analysis. I do not possess the
knowledge, skill, or ability to accomplish this process.

So I'm out of luck, unless somebody from sans.org sees
this post and shows an interest in the original question.

Thanks for all of your help,
~~