what compromised these machines ??

Discussion in 'malware problems & news' started by s0ylgr3n, Aug 23, 2009.

Thread Status:
Not open for further replies.
  1. s0ylgr3n

    s0ylgr3n Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    6
    Searching the web for an appropriate forum to post this to.
    I live in an apartment complex that offers free internet provided
    by Time Warner. They set the network up with routers connected
    to the backbone and all the apartment tenants on the other side
    of the router in a private network. That must be a common way
    to do these types of setups. Well, I've been monitoring my firewall
    and message logs and I think I've spotted two compromised machines
    on the private network. I was searching the web and this description
    seems to fit the behavior of the two compromised machines,
    "exploit toolkits to fingerprint the victim's browser, identify the
    right exploits to launch, obfuscate the exploit code, and send it to the target".

    In my logs, the two machines probe port 80 and port 8080 hundreds of times,
    and then probe port 161,3389,5900, and 40080. The ports in question appear
    to all be ports that can be accessed with remote software. My question is,
    "What exploit toolkit would cause these compromised machines to exhibit
    this type of probing behavior on these particular ports??"

    Thanks for your help,
    ~~
     
  2. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    It's worth posting your firewall log as well (or just a short snapshot of the particular problems you see), just to have someone clarify things for you. The long number "161,3389,5900" doesn't look right, as there are 65535 port ranges, it could be an IP instead and you might have written it down incorrectly (check the dots).
     
    Last edited: Aug 23, 2009
  3. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    I think he means ports 161 and 3389 and 5900.
     
  4. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    Ha Yeah, plurals love em.
     
  5. Bensec

    Bensec Registered Member

    Joined:
    Aug 4, 2008
    Posts:
    177
    Location:
    China Changsha
  6. s0ylgr3n

    s0ylgr3n Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    6
    Thanks for all of the responses.

    I included some snippets of the log. I obfuscated the network.

    Aug 13 17:00:02 [IPTABLES DROP] SRC=XXX.XX.104.112 DST=XXX.XX.104.167 PROTO=TCP SPT=56775 DPT=3389
    Aug 13 17:00:03 [IPTABLES DROP] SRC=XXX.XX.104.112 DST=XXX.XX.104.167 PROTO=TCP SPT=56775 DPT=3389
    Aug 13 17:00:03 [IPTABLES DROP] SRC=XXX.XX.104.112 DST=XXX.XX.104.167 PROTO=TCP SPT=56775 DPT=5900
    Aug 13 17:00:03 [IPTABLES DROP] SRC=XXX.XX.104.112 DST=XXX.XX.104.167 PROTO=TCP SPT=56775 DPT=5900
    Aug 13 17:00:04 [IPTABLES DROP] SRC=XXX.XX.104.112 DST=XXX.XX.104.167 PROTO=TCP SPT=56775 DPT=5900
    Aug 13 17:00:04 [IPTABLES DROP] SRC=XXX.XX.104.112 DST=XXX.XX.104.167 PROTO=TCP SPT=56775 DPT=40080
    Aug 13 17:00:04 [IPTABLES DROP] SRC=XXX.XX.104.112 DST=XXX.XX.104.167 PROTO=TCP SPT=56775 DPT=40080
    Aug 13 17:00:05 [IPTABLES DROP] SRC=XXX.XX.104.112 DST=XXX.XX.104.167 PROTO=TCP SPT=56775 DPT=40080

    Aug 13 16:58:43 [IPTABLES DROP] SRC=XXX.XX.104.112 DST=XXX.XX.104.167 PROTO=UDP SPT=54311 DPT=161
    Aug 13 16:58:46 [IPTABLES DROP] SRC=XXX.XX.104.112 DST=XXX.XX.104.167 PROTO=UDP SPT=54311 DPT=161
    Aug 19 14:50:24 [IPTABLES DROP] SRC=XXX.XX.105.239 DST=XXX.XX.104.167 PROTO=UDP SPT=59021 DPT=161
    Aug 19 14:50:27 [IPTABLES DROP] SRC=XXX.XX.105.239 DST=XXX.XX.104.167 PROTO=UDP SPT=59021 DPT=161

    Aug 13 16:58:43 SRC=XXX.XX.104.112 DST=XXX.XX.104.167 PROTO=TCP SPT=56755 DPT=80
    Aug 13 16:59:18 SRC=XXX.XX.104.112 DST=XXX.XX.104.167 PROTO=TCP SPT=56775 DPT=80
    Aug 13 16:59:18 SRC=XXX.XX.104.112 DST=XXX.XX.104.167 PROTO=TCP SPT=56775 DPT=80
    Aug 13 16:59:19 SRC=XXX.XX.104.112 DST=XXX.XX.104.167 PROTO=TCP SPT=56775 DPT=80
    Aug 13 16:59:19 SRC=XXX.XX.104.112 DST=XXX.XX.104.167 PROTO=TCP SPT=56775 DPT=8080
    Aug 13 16:59:19 SRC=XXX.XX.104.112 DST=XXX.XX.104.167 PROTO=TCP SPT=56775 DPT=8080
    Aug 13 16:59:20 SRC=XXX.XX.104.112 DST=XXX.XX.104.167 PROTO=TCP SPT=56775 DPT=8080

    I'm still hoping to find the answer to my original question, "What exploit toolkit would cause these compromised machines to exhibit this type of probing behavior on these particular ports??"

    Thanks,
    ~~
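An added example, not from the thread, to show the first thing a responder would want from a log like the one posted: parse the iptables lines, group them by source/destination pair, and flag any source that touches several distinct destination ports within a short window. The log lines are constructed from the posted snippets with a "10.0" prefix standing in for the masked octets, and the year is assumed to be 2009 because syslog timestamps carry none. The script also checks whether a single TCP source port was reused against many destination ports, which is what the posted lines show (SPT=56775 against 80, 8080, 3389, 5900 and 40080): a raw-socket scanner such as nmap's default SYN scan typically keeps one source port for the whole run, while ordinary connect() attempts get a fresh ephemeral port each time, so that detail points at a deliberate scan rather than stray application traffic.

```python
"""Port-sweep detection over iptables DROP log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SYSLOG_YEAR = 2009  # assumption: syslog lines carry no year; the thread is from 2009

# Matches both "[IPTABLES DROP] SRC=..." lines and the bare "SRC=..." lines.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

# Constructed from the posted snippets; "10.0" replaces the masked "XXX.XX".
SAMPLE_LOG = """\
Aug 13 16:58:43 [IPTABLES DROP] SRC=10.0.104.112 DST=10.0.104.167 PROTO=UDP SPT=54311 DPT=161
Aug 13 16:58:43 SRC=10.0.104.112 DST=10.0.104.167 PROTO=TCP SPT=56755 DPT=80
Aug 13 16:58:46 [IPTABLES DROP] SRC=10.0.104.112 DST=10.0.104.167 PROTO=UDP SPT=54311 DPT=161
Aug 13 16:59:18 SRC=10.0.104.112 DST=10.0.104.167 PROTO=TCP SPT=56775 DPT=80
Aug 13 16:59:19 SRC=10.0.104.112 DST=10.0.104.167 PROTO=TCP SPT=56775 DPT=8080
Aug 13 17:00:02 [IPTABLES DROP] SRC=10.0.104.112 DST=10.0.104.167 PROTO=TCP SPT=56775 DPT=3389
Aug 13 17:00:03 [IPTABLES DROP] SRC=10.0.104.112 DST=10.0.104.167 PROTO=TCP SPT=56775 DPT=5900
Aug 13 17:00:04 [IPTABLES DROP] SRC=10.0.104.112 DST=10.0.104.167 PROTO=TCP SPT=56775 DPT=40080
Aug 19 14:50:24 [IPTABLES DROP] SRC=10.0.105.239 DST=10.0.104.167 PROTO=UDP SPT=59021 DPT=161
Aug 19 14:50:27 [IPTABLES DROP] SRC=10.0.105.239 DST=10.0.104.167 PROTO=UDP SPT=59021 DPT=161
Aug 20 09:00:00 [IPTABLES DROP] SRC=10.0.104.50 DST=10.0.104.167 PROTO=TCP SPT=40001 DPT=80
"""


def parse_line(line):
    """Return a dict for one iptables log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "dst": m["dst"], "proto": m["proto"],
            "spt": int(m["spt"]), "dpt": int(m["dpt"])}


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def find_sweeps(events, window=timedelta(minutes=5), min_ports=3):
    """Flag (src, dst) pairs that hit >= min_ports distinct ports inside one window."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e)

    sweeps = {}
    for pair, evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        best_ports, best_span, start = set(), None, 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            ports = {(e["proto"], e["dpt"]) for e in evs[start:end + 1]}
            if len(ports) > len(best_ports):
                best_ports = ports
                best_span = (evs[start]["ts"], evs[end]["ts"])
        if len(best_ports) < min_ports:
            continue
        # Did one TCP source port get reused against several destination ports?
        spt_targets = defaultdict(set)
        for e in evs:
            if e["proto"] == "TCP":
                spt_targets[e["spt"]].add(e["dpt"])
        reused = any(len(t) > 1 for t in spt_targets.values())
        sweeps[pair] = {"ports": sorted(best_ports), "first": best_span[0],
                        "last": best_span[1], "fixed_tcp_source_port": reused}
    return sweeps


def report(sweeps):
    lines = []
    for (src, dst), s in sorted(sweeps.items()):
        ports = ", ".join(f"{proto}/{port}" for proto, port in s["ports"])
        lines.append(f"{src} -> {dst}: {len(s['ports'])} ports ({ports}) "
                     f"between {s['first']:%b %d %H:%M:%S} and {s['last']:%H:%M:%S}; "
                     f"fixed TCP source port: {s['fixed_tcp_source_port']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(find_sweeps(parse_log(SAMPLE_LOG))))
```

Run it as a script, or feed a real `/var/log/messages` through `parse_log`. Only the 104.112 host is reported; the second address in the posted log touched a single port (UDP/161, SNMP) twice and falls under the threshold, so a higher-confidence call on it would need more lines than the post contains.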
     
  7. ThunderZ

    ThunderZ Registered Member

    Joined:
    May 1, 2006
    Posts:
    2,459
    Location:
    North central Ohio, U.S.A.
    I think you received one possible answer given by Bensec.

    You "X"d out the IP`s. If this is a private network then it is unnecessary to have done that as they are reserved and un-routable.
     
  8. s0ylgr3n

    s0ylgr3n Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    6
  9. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Both are possible.
    However, in my view it's more likely to be a Cisco thing.

    It's not easy to separate the hype from reality when it comes to malware rates.
     
  10. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Maybe time to do some probing with Superscan or NMAP and maybe Wireshark.

    These tools should be able to help you to rule out Cisco or botnet/malware.
     
  11. s0ylgr3n

    s0ylgr3n Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    6
    I could probably capture the packets with nc (netcat) but at this point I'm not really motivated.
    I still would have to research where to submit the packets for analysis and get an idea of the
    turnaround time.
    I would use snort if I had an up to date ruleset. The probes are too random to use
    Wireshark. Haven't considered using Nmap ... I'll have to check how to set that up
    to capture packets.

    I found some more information here, but I'm just speculating whether this could be it or not
    because no one will say what ports the RPC mechanism is using.

    http://www.viruslist.com/en/viruses/encyclopedia?virusid=21782733

    "Network spreading
    When infecting a computer, the worm launches an HTTP server on a random TCP port. This
    is then used to load the worm’s executable file to other computers.
    The worm gets the IP addresses of computers in the same network as the victim machine and attacks
    them via a buffer overrun vulnerability (MS08-067) in the Server service. (More details about
    this vulnerability can be found on the Microsoft site: www.microsoft.com).
    The worm sends a specially crafted RPC request to remote machines, which causes a
    buffer overrun when the wcscpy_s function is called in netapi32.dll. This launches
    code which downloads the worm file, launches and installs it on the new victim machine.
    In order to exploit the vulnerability described above, the worm attempts to connect to the Administrator
    account on the remote machine. The worm uses the following passwords to brute force
    the account: blah,blah,blah,etc, ...."

    Thanks for all of your help,
    ~~
     
  12. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Is this your set up?

    Your Computer-->Router-->Apartments Computers-->ISP Router

    nmap is a scanning tool for finding open ports for vulnerability scanning.
    -sT is the quiet option.

    You could, with nmap, scan the apartment network to determine open ports and OS's for those computers. You might be able to determine what exploits are running by which ports are open.
    Then there is Nessus, a 2 part program. The client and server, which can be on a single computer, for vulnerability assessment.
    This will tell you what is exploitable, helping you to narrow down the possibly infected systems.

    With wireshark you could save the file and replay on loopback; other programs, like urlsnarf, checking for available info.
     
  13. s0ylgr3n

    s0ylgr3n Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    6
    > Is this your set up?

    > Your Computer-->Router-->Appartments Computers-->ISP Router

    It's their setup (Time Warner) and it's:

    s0ylgr3n Computer-->(Time Warner Router)-->(Time Warner Hub/Backbone/Whatever/IP Address visible to the rest of the Internet)
    --------------------------->(^Non-User Accessible -- It's the RJ45 Wall Jack)

    > You could, with nmap, scan the apartment network ...

    No, I just want to answer my original question. I check my own boxes with Nmap and Nessus.

    I see no point in checking boxes I'm not authorized to check. Actions like that can be
    misinterpreted by the network owners.

    Wireshark is a resource hog and reads all network traffic. I would rather setup nc
    (netcat) to receive the connection on the IP address and port in question and then
    run snort in conjunction with nc to capture the packets. But I can only interpret
    a small amount of data from the raw packet, I'm not a packet expert. So before I
    do anything more I have to research where I can get packet analysis done.

    Thanks for all of your help,
    ~~
     
  14. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    I know what you need...Reversasploit.

    Reversasploit will take port scanning and mapping information, from nmap nessus saint, crossreference it against Metasploit tools, libraries, modules to automagically determine what exploits are running on a compromised machine. Coming in 201*'.

    ;):D
     
  15. s0ylgr3n

    s0ylgr3n Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    6
    Thanks for the suggestion.

    I might be more successful if my question caught the
    interest of one of the handlers at sans.org.
    http://isc.sans.org/

    At this time I'm going to consider my original question
    unanswerable and the thread closed. There are several
    things at issue.

    After capturing the packets with nc and snort, I would
    have to interpret the packets, disassemble the underlying
    code with a tool like Ollydbg or similar tool,
    http://securitylabs.websense.com/content/Blogs/2721.aspx
    http://isc.sans.org/diary.html?storyid=1801

    ~ Links to Possible Malware Removed ~

    and then perform the malware analysis. I do not possess the
    knowledge, skill, or ability to accomplish this process.

    So I'm out of luck, unless somebody from sans.org sees
    this post and shows an interest in the original question.

    Thanks for all of your help,
    ~~
     
    Last edited by a moderator: Aug 30, 2009