strange activities from lan-box

Thread: strange activities from lan-box

  1. #1
    Junior Member
    Join Date
    Aug 2001
    Posts
    8

    Question strange activities from lan-box

    Good day, friends.

    I noted strange activity from a 'win/98' box deep inside our LAN, 172.30.48.99, a non-routable addr (as per RFC 1918). It appears like a trojan and sometimes appears as a 'hijacked' machine. Just the facts:

    a) This box was using our secondary smtp server as a relay, sending/receiving packets from 4 or 5 outborder servers (1 inboard, dedicated by the Brazilian authority as main dns).

    b) I closed down the sendmail server. A few minutes (4~5) later this box was connected (now directly, smtp-smtp) to the same outer boxes.

    c) Now I blocked it (Linux ipchains) at our gateway; this box was thrown out (default policy DENY, this machine -j DENY in the 3 rulesets: forward, output, input). 5 minutes later and it is connected *again*. I am still trying to understand how ipchains is being circumvented.

    d) I have now blocked the internet: -s 0/0 -d 172.30.48.99 -j DENY. It still manages to connect, but is not hearing the replies. Strangely, it manages to connect to the boxes (sequentially), once via smtp, another time via pop3, also changing the ports (all ports > 2000), apparently in a random manner.

    Any hint??

  2. #2
    Banned
    Join Date
    Oct 2001
    Posts
    1,462
    Hmmm, well, 172.*.*.* is an AOL IP so it's probably some AOL'er

  3. #3
    Webius Designerous Indiginous
    Join Date
    Mar 2002
    Location
    South Florida
    Posts
    1,123
    This sounds like someone is trying to map out your network using a firewalk-type method. Check out Firewalk. I dunno if that's it, but using this method you can get thru firewalls and map out a network behind it. Read the papers on it and see if that matches what you're seeing.

    good luck getting them out.

  4. #4
    Junior Member
    Join Date
    Aug 2001
    Posts
    8
    I surely expressed it badly (the ip number). Our inside-lan box is 172.30.48.99, a non-routable ip-address. It is inside our lan, trying desperately to connect to the outside world.

    tks

  5. #5
    Senior Member
    Join Date
    Apr 2002
    Posts
    634
    This random port selection is not usually a trojan characteristic. Probably someone is using a vulnerability on your system (with Windows :-) ); verify all your patches for win and resident programs.
    Have you found which ip your computer wants to connect to? It could be useful...

    Euh... (I will seem to ask a stupid question) Are you sure you haven't got some software with a bad config, which does not understand the difference between your lan and the net?!
    Life is boring. Play NetHack... --more--

  6. #6
    Junior Member
    Join Date
    Aug 2001
    Posts
    8
    > This random port selection is not usually a trojan characteristic.

    yeahh... very strange, indeed. Seems that there is a 'resident evil' in the win-box..

    > Have you found which ip your computer wants to connect to? It could be useful...

    yes, some of them:

    200.241.136.5 --> brazilian
    206.46.170.11 --> US
    202.84.12.157 --> HK (china)
    203.198.136.240 --> HK (china)

    the DNS is not of value (I think), since it is just giving the name-resolution.

    And, at least to my eyes, there is no relationship between these addresses.. :-(

  7. #7
    Senior Member
    Join Date
    Apr 2002
    Posts
    242
    I enjoy reading topics like this.

    Helps me when I may tend to have a problem. =)

    good luck, irado.
    my pages: (great resources for everyone)
    geeksarecool.com resource for computers, hacking, virii, wutnot.
    thepillbox.net archive of logs and resource for laughter.
    --enjoy these pages, as they grow.

  8. #8
    Junior Member
    Join Date
    Aug 2001
    Posts
    8
    yehaa.. :-) me too.

    the 'not told entire history': the main fw/gw (linux) box was compromised twice, in September and in November. It is, just at this moment, being used as an ftp-warez point (I suppose), with high activity. I am running like hell blocking ip-addrs, 'cause our high-management thinks that I am seeing ghosts everywhere. Our high manager understands IT like I am a neural-surgeon specialist. :-(.

    I am just searching for other *inner* suspect activities, in order to sensitise those stupid morons. This machine is the PrimeSuspectz, but there are 2 others, with ftp flow, instead of just smtp/pop. As you can imagine, my manager cannot believe that a fw/gw can be compromised, as our link-supplier (ISP) owns a blackbox named firewall-1. It is impossible to compromise our network (as he says).

  9. #9
    Senior Member
    Join Date
    Apr 2002
    Posts
    712
    Well, what was the box doing? How's it trying to connect out? It was a linux box running DNS? Samba? FTP? You /did/ shut off most default services to the box before connecting it to your network, right? If it's running DNS that's visible externally, my guess is that it was r00ted that way... If you need a DNS server, I'd use something like OpenBSD (if you want to stay with "free" Intel UN*X) and make sure you turn off all unnecessary services and sandbox services like DNS/BIND (OpenBSD has options to do this right out of the gate).

    BTW, ac1dsp3ctrum, 172.16.0.0/12 is RFC1918 space (disconnected/non-routable IP space). Basically any address in 172.16.0.0 to 172.31.255.255 is considered "not connected to the Internet" and any/all ISPs should be blocking such traffic at their border routers as a matter of policy. Generally people use these networks (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) as their internal networks, then use a proxy and/or NAT when traffic's bound for the Internet.
    "Windows has detected that a gnat has farted in the general vicinity. You must reboot for changes to take effect. Reboot now?"

  10. #10
    Junior Member
    Join Date
    Aug 2001
    Posts
    8

    > Well, what was the box doing? How's it trying to connect out? It was a linux box running DNS? Samba? FTP? You /did/ shut off most default services to the box before connecting it to your network, right? If it's running DNS that's visible externally, my guess is that it was r00ted that way... If you need a DNS server, I'd use something like OpenBSD (if you want to stay with "free" Intel UN*X) and make sure you turn off all unnecessary services and sandbox services like DNS/BIND (OpenBSD has options to do this right out of the gate).

    the main box is a gw/firewall (<nervous bg>), originally (when compromised) our main link to the internet with sendmail services. The sendmail was the compromised binary - I cannot substitute it, btw, as *nothing* is safe now - I just placed a new sendmail bin replacing the compromised one. The mouse bin also was 'strange', besides still acting as mouse driver. Hmm.. it was continuously looking at the sendmail bin and replacing it with the damned one every time. This was hard to detect, at all (mainly due to my inexperience, indeed).

    Now this is out of service - just a gateway to the internet. But the inner machine manages to connect thru smtp/pop to outsiders *and* outborders. I am suspecting 2 other boxes (still reading acres of logs). Ah, the logs are generated with the IPTRAF tool, since *all* logging is disabled since the first attack - I cannot replace the *bin, all stops altogether, think that it is lib-dependent.

    Summary: I am STRONGLY suggesting to replace this piece of cake with an OpenBSD box. But I must collect proof of 'strange activities' to show to some IT-blind people.
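
Added example (not part of any post in this thread): one way to pull the evidence the original poster is after out of connection records, using the RFC 1918 ranges quoted in post #9 to separate inside hosts from outside servers. The record format, the relay address 172.30.48.2, the hosts 172.30.48.17 and 172.30.48.23 and every sample line are constructed for illustration; this is not IPTRAF's log format.

```python
import ipaddress
from collections import defaultdict

# The three RFC 1918 blocks named in post #9.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WATCHED_PORTS = {21: "ftp", 25: "smtp", 110: "pop3"}
MAIL_RELAY = "172.30.48.2"  # assumed address of the sanctioned relay (constructed)

# Constructed flow records, one per line: "src_ip:src_port dst_ip:dst_port"
SAMPLE_FLOWS = """\
172.30.48.99:2113 200.241.136.5:25
172.30.48.99:2487 206.46.170.11:110
172.30.48.99:3051 202.84.12.157:25
172.30.48.99:2790 203.198.136.240:110
172.30.48.2:1045 200.241.136.5:25
172.30.48.17:1200 172.30.48.2:25
172.30.48.23:2301 206.46.170.11:21
"""

def is_internal(ip):
    """True when ip falls inside one of the RFC 1918 private blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def parse_flow(line):
    """Split one record into (src_ip, src_port, dst_ip, dst_port)."""
    src, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return sip, int(sport), dip, int(dport)

def direct_outbound(flows_text, allowed=(MAIL_RELAY,)):
    """Map each inside host that reaches an outside server on a watched
    port without going through an allowed relay to {service: [dst, ...]}."""
    report = defaultdict(lambda: defaultdict(set))
    for line in flows_text.splitlines():
        if not line.strip():
            continue
        sip, _sport, dip, dport = parse_flow(line)
        if (dport in WATCHED_PORTS and is_internal(sip)
                and not is_internal(dip) and sip not in allowed):
            report[sip][WATCHED_PORTS[dport]].add(dip)
    return {h: {s: sorted(d) for s, d in svc.items()} for h, svc in report.items()}

if __name__ == "__main__":
    for host, services in sorted(direct_outbound(SAMPLE_FLOWS).items()):
        for svc, dsts in sorted(services.items()):
            print(f"{host} -> {svc}: {', '.join(dsts)}")
```

The relay's own outbound SMTP and the inside-to-relay delivery are left out of the report, so what remains is a per-host list of direct mail and FTP sessions to outside addresses.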
