Strange network activity
Page 1 of 2 12 LastLast
Results 1 to 10 of 12

Thread: Strange network activity

  1. #1
    Junior Member
    Join Date
    Jan 2004
    Posts
    11

    Strange network activity

    Hi,

    Yesterday we noticed some strange traffic from some internal machines
    trying to contact Japan IP addresses on the port 54875 like 300 times a
    second. We left the office without worrying too much and we came back this
    morning to see that there was external Japan IP addresses which was
    querying internal machines for the RPC vulnerability.

    This kind of activity has now spread in various sites (worldwide) of our
    company.

    Here is a log sample from one of our router:

    tcp xxx.xxx.xxx.xxx:4364 10.136.11.218:4364 133.41.133.109:54875
    133.41.133.109:54875
    tcp xxx.xxx.xxx.xxx:4365 10.136.11.218:4365 133.41.133.109:54875
    133.41.133.109:54875
    tcp xxx.xxx.xxx.xxx:4366 10.136.11.218:4366 133.41.133.109:54875
    133.41.133.109:54875
    tcp xxx.xxx.xxx.xxx:4368 10.136.11.218:4368 133.41.133.109:54875
    133.41.133.109:54875
    tcp xxx.xxx.xxx.xxx:4369 10.136.11.218:4369 133.41.133.109:54875
    133.41.133.109:54875
    tcp xxx.xxx.xxx.xxx:4370 10.136.11.218:4370 133.41.133.109:54875
    133.41.133.109:54875

    This IP address resolves to whyme.geol.sci.hiroshima-u.ac.jp

    Now, trying to connect to this ip address on the port 80 you get to the
    Department of Earth and Planetary Systems Science Graduate School of
    Science
    at Hiroshima University webpage ... trying to connect to 133.41.133.109 on
    the port 6667 it gets to an IRC server: irc.foonet.com. But the MOTD is
    stating this:
    *** Welcome to the ROXnet IRC Network
    Also, *** There are 41 users and 864 invisible on 1 servers.
    I did a /list and I get only two channels. On #R0S3s there are a couple of
    bots that doesn't look like something legitimate.


    That is kinda strange, isn't? Anyways, do any of you have an idea of what
    is going on? Which virus is it?


    Thanks,

    Roach4

  2. #2
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,324
    133.41.133.109:54875

    That is an irc server.

    If its connecting to a IRC server, my first guess would be virus/trojan.
    There are 41 users and 864 invisible on 1 servers.
    Setting up zombies to launch further attacks? or, for a DDoS?

    Any chance you can show some captured traffic from one of those hosts?

    Any chance you can show us info on processes, ports, connections, etc. from one of the hosts connecting?
    Are the connections sucessful? Or, have you blocked them?

    That is kinda strange, isn't? Anyways, do any of you have an idea of what
    is going on? Which virus is it?
    Need a bit more info about the hosts. Have you scanned a host?

    Do you have updated AV on the host(s)?

    04/16/04 11:28:32 IP block 133.41.133.109
    Trying 133.41.133.109 at ARIN
    Trying 133.41.133 at ARIN

    OrgName: Japan Network Information Center
    OrgID: JNIC
    Address: Kokusai-kougyou-Kanda Bldg 6F
    Address: 2-3-4 Uchikanda
    City: Chiyoda-ku
    StateProv: Tokyo
    PostalCode: 101-0047
    Country: JP

    NetRange: 133.0.0.0 - 133.255.255.255
    CIDR: 133.0.0.0/8
    NetName: JAPAN-INET
    NetHandle: NET-133-0-0-0-1
    Parent:
    NetType: Direct Allocation
    NameServer: A.DNS.JP
    NameServer: B.DNS.JP
    NameServer: C.DNS.JP
    NameServer: D.DNS.JP
    NameServer: E.DNS.JP
    NameServer: F.DNS.JP
    Comment: Japan Network Information Center(JPNIC) is an
    Comment: National internet registry of Japan. Please search
    Comment: whois.nic.ad.jp for more information about this range.
    Comment: % whois -h whois.nic.ad.jp ***.***.***.***/e
    RegDate:
    Updated: 2003-08-05

    TechHandle: JN-ORG-ARIN
    TechName: Japan Network Information Center
    TechPhone: +81-3-5297-2311
    TechEmail: hostmaster@nic.ad.jp

    OrgTechHandle: JN-ORG-ARIN
    OrgTechName: Japan Network Information Center
    OrgTechPhone: +81-3-5297-2311
    OrgTechEmail: hostmaster@nic.ad.jp

    # ARIN WHOIS database, last updated 2004-04-15 19:15
    # Enter ? for additional hints on searching ARIN's WHOIS database.
    You may want to contact the hostmaster or webmaster

    webmaster@geol.sci.hiroshima-u.ac.jp
    hostmaster@nic.ad.jp
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  3. #3
    AO Part Timer
    Join Date
    Feb 2003
    Posts
    332
    You may want to contact the hostmaster or webmaster

    EXACLTY!!!
    Your heart was talking, not your mind.
    -Tiger Shark

  4. #4
    Banned
    Join Date
    Dec 2003
    Posts
    138
    do you have a firewall...anti virus..and/or anti trojan program?it looks like some university student tried to hack into your computers through some kind of trojan..however could be a virus too..why don't you just scan your computer for viruses using an up to date anti virus..and later with some anti trojan?if you don't have an anti virus that is up to date then you could scan your computer online..there are many free online scans available.If you want an anti trojan then check out this website out:
    http://www.lockdown2000.com/
    i haven't tried any of their software but i heard somewhere that its good.

  5. #5
    Banned
    Join Date
    Dec 2003
    Posts
    138
    i just came across this at symantec's website:
    http://securityresponse.symantec.com...c.zcrew.c.html
    could this be the trojan you're infected with?

  6. #6
    Junior Member
    Join Date
    Apr 2004
    Posts
    1
    scan for trojan. update ur anti virus & firewall.
    Nothing is Impossible

  7. #7
    AFLAAACKKK!!
    Join Date
    Apr 2004
    Posts
    1,065
    Im not sure, but if this hacker is trying to hack using a trojan, then how would it try to connect 300 times a second? I think its a little deaper then simply updating software.
    I am the uber duck!!1
    Proxy Tools

  8. #8
    Banned
    Join Date
    Feb 2004
    Posts
    53
    does your company use a proxy server to access the internet. i was thinking that maybe all those scans can be from a trogen/virus to scan the enire block of your network...

    just a thought.....

  9. #9
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    im sure that server in jp is owned as well. but right now i wouldn't worry about who just get those machine offline and cleaned.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  10. #10
    Junior Member cybersamurai's Avatar
    Join Date
    Apr 2004
    Location
    At tha beach!
    Posts
    25
    if this was an attack(attempted or executed)i'd really like know how they pulled it off right under your nose(sorry to say). more info please
    see the sarcasim in my smile ????

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides