Page 1 of 2 (results 1 to 10 of 12)

Thread: Strange network activity

  1. #1
    Junior Member
    Join Date
    Jan 2004
    Posts
    11

    Strange network activity

    Hi,

    Yesterday we noticed some strange traffic from some internal machines
    trying to contact Japanese IP addresses on port 54875, about 300 times a
    second. We left the office without worrying too much, and we came back this
    morning to see that there were external Japanese IP addresses querying
    internal machines for the RPC vulnerability.

    This kind of activity has now spread to various sites (worldwide) of our
    company.

    Here is a log sample from one of our routers (NAT translation table, one entry per line: protocol, inside global, inside local, outside local, outside global):

    tcp xxx.xxx.xxx.xxx:4364 10.136.11.218:4364 133.41.133.109:54875 133.41.133.109:54875
    tcp xxx.xxx.xxx.xxx:4365 10.136.11.218:4365 133.41.133.109:54875 133.41.133.109:54875
    tcp xxx.xxx.xxx.xxx:4366 10.136.11.218:4366 133.41.133.109:54875 133.41.133.109:54875
    tcp xxx.xxx.xxx.xxx:4368 10.136.11.218:4368 133.41.133.109:54875 133.41.133.109:54875
    tcp xxx.xxx.xxx.xxx:4369 10.136.11.218:4369 133.41.133.109:54875 133.41.133.109:54875
    tcp xxx.xxx.xxx.xxx:4370 10.136.11.218:4370 133.41.133.109:54875 133.41.133.109:54875

    This IP address resolves to whyme.geol.sci.hiroshima-u.ac.jp.

    Now, trying to connect to this IP address on port 80, you get to the
    Department of Earth and Planetary Systems Science, Graduate School of
    Science at Hiroshima University webpage... Trying to connect to 133.41.133.109 on
    port 6667, you get to an IRC server: irc.foonet.com. But the MOTD is
    stating this:
    *** Welcome to the ROXnet IRC Network
    Also, *** There are 41 users and 864 invisible on 1 servers.
    I did a /list and I get only two channels. On #R0S3s there are a couple of
    bots that don't look like something legitimate.


    That is kinda strange, isn't it? Anyway, do any of you have an idea of what
    is going on? Which virus is it?


    Thanks,

    Roach4
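    The NAT log above is enough to script the detection the poster did by eye. The following is an added example, not code from Roach4's post or from any product mentioned in the thread: it parses lines in the same five-column layout as the router sample, groups them by inside host and outside endpoint, and reports any inside host that has opened many separate connections (fresh, climbing source ports) to one external ip:port, which is what a bot's reconnect loop looks like from the NAT table. The sample log is constructed for the example: it repeats the six lines from the post and adds one benign web connection (10.136.11.7 to 203.0.113.80, an address from the documentation range) so the threshold has something to leave alone; the `xxx` inside-global placeholder is kept exactly as the poster masked it.

```python
"""Flag inside hosts that hammer one external endpoint in a router NAT
translation log (the five-column layout used in the post:
proto  inside-global  inside-local  outside-local  outside-global)."""
from collections import defaultdict
import re

# Constructed sample: the six lines from the post plus one benign web
# connection (documentation address) so the threshold has something to skip.
SAMPLE_LOG = """\
tcp xxx.xxx.xxx.xxx:4364 10.136.11.218:4364 133.41.133.109:54875 133.41.133.109:54875
tcp xxx.xxx.xxx.xxx:4365 10.136.11.218:4365 133.41.133.109:54875 133.41.133.109:54875
tcp xxx.xxx.xxx.xxx:4366 10.136.11.218:4366 133.41.133.109:54875 133.41.133.109:54875
tcp xxx.xxx.xxx.xxx:4368 10.136.11.218:4368 133.41.133.109:54875 133.41.133.109:54875
tcp xxx.xxx.xxx.xxx:4369 10.136.11.218:4369 133.41.133.109:54875 133.41.133.109:54875
tcp xxx.xxx.xxx.xxx:4370 10.136.11.218:4370 133.41.133.109:54875 133.41.133.109:54875
tcp xxx.xxx.xxx.xxx:1051 10.136.11.7:1051 203.0.113.80:80 203.0.113.80:80
"""

# The inside-global column is masked in the post, so it is matched loosely.
ENTRY = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+:\d+\s+"
    r"(?P<in_ip>\d+\.\d+\.\d+\.\d+):(?P<in_port>\d+)\s+"
    r"(?P<out_ip>\d+\.\d+\.\d+\.\d+):(?P<out_port>\d+)\s+\S+:\d+\s*$"
)


def parse_translations(text):
    """Yield (proto, inside_ip, inside_port, outside_ip, outside_port) per entry."""
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield (m["proto"], m["in_ip"], int(m["in_port"]),
                   m["out_ip"], int(m["out_port"]))


def find_hammering_hosts(text, min_connections=5):
    """Group entries by (inside host, outside endpoint).

    An inside host with many distinct translations to one external ip:port is
    opening a new socket per attempt, which is what a reconnect loop toward a
    C2 server looks like on a NAT table. Returns one finding per such pair.
    """
    by_pair = defaultdict(list)
    for proto, in_ip, in_port, out_ip, out_port in parse_translations(text):
        by_pair[(in_ip, proto, out_ip, out_port)].append(in_port)

    findings = []
    for (in_ip, proto, out_ip, out_port), ports in by_pair.items():
        if len(ports) < min_connections:
            continue
        findings.append({
            "inside_host": in_ip,
            "destination": f"{proto}/{out_ip}:{out_port}",
            "connections": len(ports),
            # strictly increasing, never reused source ports: one fresh socket
            # per attempt rather than one long-lived session
            "fresh_sockets": ports == sorted(set(ports)),
            "source_port_span": (min(ports), max(ports)),
        })
    return findings


if __name__ == "__main__":
    for finding in find_hammering_hosts(SAMPLE_LOG):
        print(finding)
```

    The threshold is the tunable: in the post's case the rate was about 300 connections a second, so on a real table a far higher `min_connections` than 5 would still fire. A strictly increasing run of source ports means each attempt is a new socket rather than one long session, which separates a retry loop (SYN churn toward a dead or filtered port) from a single established IRC session.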

  2. #2
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    133.41.133.109:54875

    That is an IRC server.

    If it's connecting to an IRC server, my first guess would be virus/trojan.
    There are 41 users and 864 invisible on 1 servers.
    Setting up zombies to launch further attacks? or, for a DDoS?

    Any chance you can show some captured traffic from one of those hosts?

    Any chance you can show us info on processes, ports, connections, etc. from one of the hosts connecting?
    Are the connections successful? Or have you blocked them?

    That is kinda strange, isn't it? Anyway, do any of you have an idea of what
    is going on? Which virus is it?
    Need a bit more info about the hosts. Have you scanned a host?

    Do you have updated AV on the host(s)?

    04/16/04 11:28:32 IP block 133.41.133.109
    Trying 133.41.133.109 at ARIN
    Trying 133.41.133 at ARIN

    OrgName: Japan Network Information Center
    OrgID: JNIC
    Address: Kokusai-kougyou-Kanda Bldg 6F
    Address: 2-3-4 Uchikanda
    City: Chiyoda-ku
    StateProv: Tokyo
    PostalCode: 101-0047
    Country: JP

    NetRange: 133.0.0.0 - 133.255.255.255
    CIDR: 133.0.0.0/8
    NetName: JAPAN-INET
    NetHandle: NET-133-0-0-0-1
    Parent:
    NetType: Direct Allocation
    NameServer: A.DNS.JP
    NameServer: B.DNS.JP
    NameServer: C.DNS.JP
    NameServer: D.DNS.JP
    NameServer: E.DNS.JP
    NameServer: F.DNS.JP
    Comment: Japan Network Information Center(JPNIC) is an
    Comment: National internet registry of Japan. Please search
    Comment: whois.nic.ad.jp for more information about this range.
    Comment: % whois -h whois.nic.ad.jp ***.***.***.***/e
    RegDate:
    Updated: 2003-08-05

    TechHandle: JN-ORG-ARIN
    TechName: Japan Network Information Center
    TechPhone: +81-3-5297-2311
    TechEmail: hostmaster@nic.ad.jp

    OrgTechHandle: JN-ORG-ARIN
    OrgTechName: Japan Network Information Center
    OrgTechPhone: +81-3-5297-2311
    OrgTechEmail: hostmaster@nic.ad.jp

    # ARIN WHOIS database, last updated 2004-04-15 19:15
    # Enter ? for additional hints on searching ARIN's WHOIS database.
    You may want to contact the hostmaster or webmaster

    webmaster@geol.sci.hiroshima-u.ac.jp
    hostmaster@nic.ad.jp
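    phishphreek asks for process, port and connection information from one of the hosts that is doing the connecting. On the Windows hosts implied by the RPC scanning, `netstat -ano` prints the owning PID next to each socket, and `tasklist` maps a PID back to an image. The script below is an added example, not part of the original reply: it parses `netstat -ano` output, picks out every socket whose foreign end is the suspect 133.41.133.109:54875, and emits the `tasklist` commands to run next. The netstat text is constructed for the example (real column layout, made-up PID 1488 and surrounding rows); that the host is Windows is an assumption.

```python
"""Host-side triage for a machine seen in the NAT log: which process owns the
sockets to the suspect endpoint? Parses Windows 'netstat -ano' output
(-o adds the PID column on XP/2003)."""
from collections import defaultdict
import re

SUSPECT = ("133.41.133.109", 54875)

# Constructed sample in the 'netstat -ano' column layout; the PIDs and the
# rows other than the suspect ones are made up for the example.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       872
  TCP    10.136.11.218:139      0.0.0.0:0              LISTENING       4
  TCP    10.136.11.218:4369     133.41.133.109:54875   SYN_SENT        1488
  TCP    10.136.11.218:4370     133.41.133.109:54875   SYN_SENT        1488
  TCP    10.136.11.218:4371     133.41.133.109:54875   ESTABLISHED     1488
  TCP    10.136.11.218:1062     10.136.11.5:445        ESTABLISHED     4
  UDP    0.0.0.0:445            *:*                                    4
"""

# UDP rows have no State column, hence the optional group.
ROW = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)


def parse_netstat(text):
    """Return one dict per socket row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"proto": m["proto"], "local": m["local"],
                         "remote": m["remote"], "state": m["state"] or "",
                         "pid": int(m["pid"])})
    return rows


def sockets_to(rows, ip, port):
    """PID -> list of (local endpoint, state) for sockets whose foreign end is ip:port."""
    target = f"{ip}:{port}"
    hits = defaultdict(list)
    for r in rows:
        if r["remote"] == target:
            hits[r["pid"]].append((r["local"], r["state"]))
    return dict(hits)


def triage_commands(pids):
    """Next commands to run on the box for each owning PID: identify the image,
    then list the modules loaded into it (standard tasklist switches)."""
    ordered = sorted(pids)
    return ([f'tasklist /FI "PID eq {pid}"' for pid in ordered] +
            [f'tasklist /M /FI "PID eq {pid}"' for pid in ordered])


if __name__ == "__main__":
    owners = sockets_to(parse_netstat(SAMPLE_NETSTAT), *SUSPECT)
    for pid, socks in owners.items():
        print(pid, socks)
    for cmd in triage_commands(owners):
        print(cmd)
```

    SYN_SENT rows are the useful ones when the connection is blocked at the perimeter: the process is still trying, so it is still identifiable even though no session is established. Once the PID is known, `tasklist /M` lists the modules loaded into it, which is usually enough to find the file to submit to AV.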

  3. #3
    AO Part Timer
    Join Date
    Feb 2003
    Posts
    331
    You may want to contact the hostmaster or webmaster

    EXACTLY!!!

  4. #4
    Banned
    Join Date
    Dec 2003
    Posts
    138
    Do you have a firewall, anti-virus and/or anti-trojan program? It looks like some university student tried to hack into your computers through some kind of trojan; however, it could be a virus too. Why don't you just scan your computer for viruses using an up-to-date anti-virus, and later with some anti-trojan? If you don't have an anti-virus that is up to date, then you could scan your computer online; there are many free online scans available. If you want an anti-trojan then check out this website:
    http://www.lockdown2000.com/
    I haven't tried any of their software, but I heard somewhere that it's good.

  5. #5
    Banned
    Join Date
    Dec 2003
    Posts
    138
    I just came across this at Symantec's website:
    http://securityresponse.symantec.com...c.zcrew.c.html
    Could this be the trojan you're infected with?

  6. #6
    Scan for trojans. Update your anti-virus & firewall.

  7. #7
    AFLAAACKKK!!
    Join Date
    Apr 2004
    Posts
    1,066
    I'm not sure, but if this hacker is trying to hack using a trojan, then how would it try to connect 300 times a second? I think it's a little deeper than simply updating software.

  8. #8
    Does your company use a proxy server to access the internet? I was thinking that maybe all those scans can be from a trojan/virus scanning the entire block of your network...

    Just a thought.....

  9. #9
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    I'm sure that server in JP is owned as well. But right now I wouldn't worry about who; just get those machines offline and cleaned.

  10. #10
    Junior Member cybersamurai's Avatar
    Join Date
    Apr 2004
    Location
    At tha beach!
    Posts
    25
    If this was an attack (attempted or executed), I'd really like to know how they pulled it off right under your nose (sorry to say). More info please.
