strange activities from lan-box

[irado]

goodday friends.

I noted a strange activity from a deeply inside 'win/98' box, 172.30.48.99 non-routeable addr (asper rfc-1918). It appears like a trojan and sometimes appears as a 'hijacked' machine. Just the facts:

a) this box was using our secondary smtp server as a relay, sending/receiving packets from 4 or 5 outborder servers (1 inboard, dedicated by brazilian authority as main dns).

b) I closed down the sendmail server. Few minutes (4~5) later and this box was connected (now, directly smtp-smtp) to the same outerboxes.

c) now I blocked (Linux ipchains) our gateway, this box was throwed out (default policy DENY, this machine -j DENY in the 3 rulesets, forward, output, input). 5 minutes later and it *again* is connected.. I am still tying to understand on how the ipchains is being circumvented.

d) I blocked the internet now: -s 0/0 -d 172.30.48.99 -j DENY. It still manages to connect, but isnot hearing the replies. Strangely, it manages to connect to the (sequencialy) boxes once via smtp other via pop3, also changing the ports (all ports > 2000), apparentely in a random manner.

Any hint??

[ac1dsp3ctrum]

Hmmm, Well 172.*.*.* is an AOL IP so its probably some AOL'er

[xmaddness]

This sounds like someone is trying to map out your network using a firewalk type method. Check out Firewalk I dunno if thats it, but using this method you can get thru firewalls and map out a network behind it. Read the papers on it and see if that matches what your seeing.

good luck getting them out.

[irado]

I surely bad expressed it (the ip number). Our inside-lan box is 172.30.48.99 non-routeable ip-address. It is inside our lan, trying desperately to connect to the outside world.

tks

[KissCool]

This random port selection is not usually a trojan caracteristic. Probably someone using a vulnerability on your system (with Windows :-) ), verify all your patch for win and resident programs.
Have you found on what ip your computer want to connect? It could be usefull...

Euh... (I will seem to ask a stupid question) Are you sure you haven't got a soft with a bad config, which do not understand the difference between your lan and the net?!

[irado]

> This random port selection is not usually a trojan caracteristic.

yeahh... very strange, indeed. Seems that there are a 'resident evil' in the win-box..

> Have you found on what ip your computer want to connect? It could be usefull...

yes, some of them:

200.241.136.5 --> brazilian
206.46.170.11 --> US
202.84.12.157 --> HK (china)
203.198.136.240 --> HK (china)

the DNS is not of value (I think), since it is just giving the name-resolution.

And, at least for my eyes, there are no relationship between these addresses.. :-(

[fr0z3n]

I enjoy reading topics like this.

Helps me when i may tend to have a problem. =)

good luck, irado.

[irado]

yehaa.. :-) me too.

the 'not told entire history': the main fw/gw (linux) box was compromised twice, in september and in november. It is, just at this moment, being used as a ftp-warez point (suppose), with high activity. I am running like a hell blocking ip-addr, 'cause our high-management thinks that I am seeing ghosts everywhere. Our high manager understands IT like I am a neural-surgeon specialist. :-(.

I am just searching for other *inner* suspect activities, inorder to sensitise those stupid moron. This machine is the PrimeSuspectz, but there are 2 others, with ftp flow, instead of just smtp/pop. As you can imagine, my manager cannot believe that a fw/gw can be compromised, as our link-supplier (ISP) owns a blackbox named firewall-1. It is impossible to compromise our network (as he says).

[draziw]

Well, what was the box doing? How's it trying to connect out? It was a linux box running DNS? Samba? FTP? You /did/ shut off most default services to the box before connecting it to your network, right? If it's running DNS that's visible externally, my guess is that it was r00ted that way... If you need a DNS server, I'd use something like OpenBSD (if you want to stay with "free" Intel UN*X) and make sure you turn off all unecessary services and sandbox services like DNS/BIND (OpenBSD has options to do this right out of the gate).


BTW, ac1dsp3ctrum, 172.16.0.0/12 is RFC1918 space (disconnected/non-routeable IP space). Basically any address in 172.16.0.0 to 172.31.255.255 is considered "not connected to the Internet" and any/all ISPs should be blocking such traffic at their border routers as a matter of policy. Generally people use these networks (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) as their internal networks, then use a proxy and/or NAT when traffic's bound for the Internet.

[irado]

>Well, what was the box doing? How's it trying to connect out? It was a linux box running DNS? Samba? FTP? You /did/ shut >off most default services to the box before connecting it to your network, right? If it's running DNS that's visible externally, my >guess is that it was r00ted that way... If you need a DNS server, I'd use something like OpenBSD (if you want to stay with >"free" Intel UN*X) and make sure you turn off all unecessary services and sandbox services like DNS/BIND (OpenBSD has >options to do this right out of the gate).

the main box is a gw/firewall (<nervous bg>), orinally (when compromised) our main link to the internet with sendmail services. The sendmail was the compromised binaries - I cannot substitute it, btw, as *nothing* is safe now - I just placed a new sendmail bin replacing the compromised one. The mouse bin also was 'strange', besides still acting as mouse driver. Hmm.. it was continuously looking to the sendmail bin and replacing it with the damned one every time. This was hard to detect, at all (mainly due to my inexperience, indeed).

Now this is out of service - just a gateway to the internet. But the inner machine manages to connect thru smtp/pop to outsiders *and* outborders. I am suspecting of 2 other boxes (still reading acres of log's). Ah, the log's is generated with the IPTRAF tool, since *all* log is disabled since the first attack - I cannot replace the *bin, all stops altogether, think that it is lib-dependent.

Resume: I am STRONGLY suggesting to replace this piece of cake with an OpenBSD box. But must collect proofs of 'strange activities' to show to some IT-blind people.