|
-
November 23rd, 2004, 11:51 PM
#1
Internet Survival Time Analysis (Long)
This is my commented notes from a cursory examination of the logs I created. Ms. M asked about it and I thought it might be fun...
Not wanting to put up a full blown honeypot at this point, (it's my work connection  ) I found WormRadar, (www.wormradar.com). It allows you to emulate a couple of services, (IIS, FTP, Telnet), for a brief period before it cuts the connection with a FIN allowing such things as a login to the FTP server as anonymous or to see what the GET/Head etc. request is on HTTP. It then allows listening on a user defined series of ports both TCP and UDP. On these ports WormRadar seems to accept any data sent. It's an interesting little toy but the docs etc. on it's site are sadly lacking so you need to experiment to find out what it does. It takes captures and dumps them as Ethereal captures but the version is old and the most recent version of Ethereal sees the captures as being cut off in the middle of the packet. I get around this by running Ethereal in non-promiscuous mode in tandem with the WormRadar.
Bear in mind, in many cases my box accepts the connection, let's it go on the built in configured ports for a short while depending upon interactivity available and then sends a FIN to simply close the connection. It's interesting to note that some connections issue an RST to the FIN while others tear the connection down appropriately.
[Notes]
File: 11-17-04
Size: 37kb before cleanup 9kb after cleanup
Duration: 11-16-04 16:48 EST - 11-17-04 08:04 (16 hours)
Machine State: All ports closed
Connecting machines:-
2004-11-16 17:48:13 cras75p1.navix.net ICMP Echo Request
2004-11-16 19:05:34.549532 205.78.56.72 Messenger Spam
2004-11-16 19:15:53.114948 syr-24-59-222-187.twcny.rr.com Port(s) 4899, (RAdmin Backdoor)
2004-11-16 21:21:52.571062 AC8358A0.ipt.aol.com Port(s) 3127, (MyDoom/AgoBot)
2004-11-16 21:33:23.832544 220.112.46.149 Port(s) 4899, (RAdmin Backdoor)
2004-11-16 21:52:56.353857 value.yam.com http > 48159 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0 (Scan)
2004-11-16 23:56:42.097349 220-132-134-40.hinet-ip.hinet.net Laptop.jvsdet.org Port(s) 80, (http)
2004-11-17 01:53:46.046246 dsl-134.sarnia.xcelco.on.ca Port(s) 1025, (MSRPC)
2004-11-17 02:52:50.887391 211.144.125.207 ICMP Echo Request followed by Port(s) 57, (privterm), 1433, (ms-sql-s) (the port 57 often seems to proceed the 1433)
2004-11-17 04:28:30.268062 cras75p28.navix.net Port(s) Auth, (returned from 10 hours previously.... Not automated, this is a person?)
2004-11-17 06:48:51.461069 218.62.8.122 Port(s) 31138, (RST ACK) (unknown port with odd flags... Scan?)
2004-11-17 07:39:28.285469 221.146.1.9 Port(s) 5554, (Sasser FTP), 1023, (Sasser.e FTP), 9898, (Dabber TFTP), Automated tool?
2004-11-17 07:42:04.436364 i60-36-31-20.s04.a014.ap.plala.or.jp Port(s) 5554, (Sasser FTP), 1023, (Sasser.e FTP), 9898, (Dabber TFTP), Automated tool?
2004-11-17 07:42:12.252212 zs146054.ppp.dion.ne.jp Port(s) 5554, (Sasser FTP), 1023, (Sasser.e FTP), 9898, (Dabber TFTP), Automated tool?
2004-11-17 07:42:32.430278 203.234.166.107 Port(s) 5554, (Sasser FTP), 1023, (Sasser.e FTP), 9898, (Dabber TFTP), Automated tool?
2004-11-17 07:43:15.566356 220.70.99.116 Port(s) 5554, (Sasser FTP), 1023, (Sasser.e FTP), 9898, (Dabber TFTP), Automated tool?
At this point all ports on this box were closed so everything was responsed to with RST ACK except the unsolicited RST ACK packets which received no answer per RFC.
The last 5 entries are regular as clockwork. I see them in my firewall logs every morning at about 07:00-08:00 EST. It has to be some sort of worm but it's morning activity, usually from Japan implies that an event triggers the activity though it isn't scheduled because the times vary by a little each morning, (up to 30 minutes either side of 07:30). Oddly enough it would be around 21:00 local time in Tokyo when they occur, (neither the beginning or the end of a work day).
File: 11-22-04 (Captured the entire weekend)
Size: 340kb before cleanup 304kb after cleanup
Duration: 11-19-04 15:36 EST - 11-22-04 07:48 EST (64.5 hours)
Machine State: Listening (the fun begins)
Connecting machines:-
2004-11-19 19:41:06.083930 211.225.252.58 Port(s) 25 (SMTP) - here come the spammers china9988@21cn.com, (I have seen this address for 2 years trying for open relays)
2004-11-19 19:43:20.918324 doc-24-206-177-67.kw.tx.cebridge.net Port(s) 1433 (ms-sql-s) Sends SYN then FIN ACK in response to SYN ACK, (reconnaisance)
2004-11-19 19:50:49.914647 82.52.159.13 Port(s) 3127, (MyDoom/AgoBot) Opens connection and uploads a complete executable. Interestingly is doesn't tear down the connection as normal it just sends an RST.
2004-11-19 20:14:53.429964 205.122.28.10 Port(s) 21 (FTP) Just sent a SYN and moved on after the SYN ACK, half open or stealth scan for open FTP servers.
2004-11-20 01:36:20.191575 cras75p28.navix.net ICMP Echo Request - This IP did the same on 11/16 - It may be innocuous network noise
2004-11-20 03:08:41.245974 cpe0040ca4e898a-cm014500117663.cpe.net.cable.rogers.com Port(s) 5554 (Search for Sasser FTP), 9898 (Search for Dabber TFTP) - Scan only RST sent on receipt of SYN ACK
2004-11-20 05:47:49.282859 tc222-156-14-212.adsl.dynamic.apol.com.tw Port(s) 25 - Spammer again, this time 84trdyfytf9746505@ms69.hinet.net
2004-11-20 06:05:36.299941 dwby.k12.mn.us Port(s) 1433 (ms-sql-s) Made a complete connection then tore it down immediately. Different from second packet in this capture.
2004-11-20 06:48:50.638874 222.101.92.127 port(s) 25 - Spammer again, this time gxs00xy6hhfk3ll@yahoo.com.au
2004-11-20 07:32:49.527575 210.193.21.164 Port(s) 1433 (ms-sql-s) - Another complete connection then it gets torn down like the last but one connection
2004-11-20 07:42:03.921251 220.87.38.112 Port(s) 1023 (Sasser.e search), 8967 (Sasser Shell), 9898 (Sasser Backdoor) - Seems to be Dabber itself -Sent data trying to log on to the server on 1023 - USER x PASS x Note the time.... Same approximate time as previous capture.
2004-11-20 07:42:18.600657 i219-165-186-111.s02.a034.ap.plala.or.jp Port(s) Seems Like Dabber again
2004-11-20 07:44:18.597202 p2202-ipad02kamokounan.kagoshima.ocn.ne.jp Port(S) Dabber again
2004-11-20 08:03:42.428450 222.45.45.132 Port(s) 22 (SSH) No data captured... I wasn't listening on this port. But it was a half open scan - no response to SYN ACK
2004-11-20 08:04:13.740932 220.87.47.41 Port(s) Back to Dabber again
2004-11-20 08:18:19.791190 221.216.163.162 Port(s) Yawn... Dabber again
2004-11-20 08:40:50.802160 221.194.50.63 Port(s) 1023 (Sasser.e search) - This was a reconnasance scan - RST sent in responseto the SYN ACK
2004-11-20 08:42:28.012884 221.200.15.229 Port(s) Dabber yet again.....
2004-11-20 11:30:33.001655 209.198.162.1 Port(s) 1433 (ms-sql-s) Reconnasance scan - Made complete connection and then tore it down.
2004-11-20 11:52:19.205861 61.109.245.89 Port(s) 1433 (ms-sql-s) Reconnasance scan - Made complete connection and then tore it down as previous. (Slammer? Interesting article: http://www.cs.berkeley.edu/~nweaver/sapphire/)
2004-11-20 12:08:23.404726 211.229.26.140 Port(s) 25 Spammer again. q306779@hotmail.com
2004-11-20 13:10:16.777601 199.0.66.62 Port(s) 6129 (Dameware Remote Administration). Not listening on this port. No data captured
2004-11-20 13:27:18.368413 211.225.154.205 Port(s) 4899 (RAdmin Backdoor) Not listening, no data captured
2004-11-20 13:32:03.993344 61-231-175-57.dynamic.hinet.net Port(s) 4899 (RAdmin Backdoor), as above
2004-11-20 13:42:16.057071 221.164.191.14 Port(s) Can we say "Dabber"
2004-11-20 13:49:54.916903 doc-24-206-177-67.kw.tx.cebridge.net Port(s) 4000 (Witty Worm) - Not listening - no data captured
2004-11-20 14:23:39.751707 syr-24-59-222-187.twcny.rr.com Port(s) 4899 (RAdmin) - See above
2004-11-20 16:01:55.445512 c-66-176-129-85.se.client2.attbi.com Port(s) 1433 (ms-sql-s) Reconnaisance - responded with RST immediately after ACK - not the same as the slammer guess above
2004-11-20 16:19:26.348042 200.60.125.126 Port(s) 113 (Auth) Not listening, no data captured
2004-11-20 20:51:35.271815 co-colspgs-1-u2-b3-239.clspco.adelphia.net Port(s) 1433 (ms-sql-s) Slammer again? Complete build and tear down of connection.
2004-11-20 22:17:09.922488 221.165.115.42 Port(s) 17300 (Kuang) - Not listening, no data captured
2004-11-20 22:44:21.722237 lcmnys03.local.louiscapital.com Port(s) 3306 (MySQL) - Not listening, no data captured.
2004-11-20 23:44:59.976735 host-66-81-128-123.rev.o1.com Port(s) 901 (SWAT - HTTP interface to Samba?) - not listening, no data captured
2004-11-20 23:57:58.265570 61.109.27.23 901(SWAT - HTTP interface to Samba?) - not listening, no data captured
2004-11-21 00:54:04.992899 66-215-12-127.gln-mres.charterpipeline.net Port(s) 17300 (Kuang) - Not listening, no data captured
2004-11-21 01:36:24.091969 212.68.213.147 Port(s) 443 (SSL), 80 (HTTP). Complete connection followed by complete tear down on SSL - Reconnaisance. On HTTP GET /sumthin HTTP/1.0 - Reconnaisance
2004-11-21 01:43:50.132125 pD958AA0A.dip.t-dialin.net Port(s) 6129 (MockBot?) Not listening, no data captured
2004-11-21 02:27:23.214502 207.157.133.3 Port(s) 1257 (ShockWave) - Not Listening, no data captured
2004-11-21 03:06:36.364882 205.137.171.196 Port(s) UDP 1026 (Messenger) - Messenger Spam
2004-11-21 04:08:03.562430 210.22.194.14 Port(s) 111 (sunrpc) - Not Listening, no data captured
2004-11-21 05:54:43.988087 205.227.63.58 UDP 1026 (Messenger) - Messenger Spam
2004-11-21 05:54:44.482644 205.212.84.198 UDP 1026 (Messenger) - Messenger Spam
2004-11-21 07:41:49.434479 220.77.151.40 Port(s) (Sasser.e Search) - Logon Attempt USER x PASS x
2004-11-21 07:41:52.509311 222.101.126.107 Port(s) (Sasser.e Search) - Logon Attempt USER x PASS x
The above two then did the entire Dabber thing across every port numerous times for a whole minute followed by
2004-11-21 07:42:20.821019 218.155.242.16 doing the same thing
2004-11-21 07:42:34.281791 220.85.254.238 doing the same thing
2004-11-21 07:42:52.170097 220.77.151.40 doing the same thing It then all stops until
2004-11-21 09:21:45.535966 cable-67-97-55-122.dct.al.charter.com Port(s) 4899 (RAdmin Backdoor) Not listening, no data captured
2004-11-21 11:06:44.515771 209-77-36-46.ded.pacbell.net See Previous
2004-11-21 15:51:06.736049 205.229.81.20 UDP 1026 (Messenger) - Messenger Spam
2004-11-21 15:53:16.393767 211.53.122.69 Port(s) 4899 (RAdmin Backdoor) Not listening, no data
2004-11-21 16:02:14.774334 61.84.118.28 Port(s) 25 (SMTP) Spammer uls33333rq3333cutub@yahoo.com.au
2004-11-21 16:15:10.962715 203.230.172.23 Port(s) 4899 (RAdmin Backdoor) Not listening, no data
2004-11-21 16:29:58.358751 211.186.23.237 Port(s) 4899 (RAdmin Backdoor) Not listening, no data
004-11-21 16:53:18.076962 modemcable200.112-70-69.mc.videotron.ca Port(s) 4899 (RAdmin Backdoor) Not listening, no data
2004-11-21 19:04:13.561505 210.82.34.169 Port(s) UDP 27015 (Half Life/Counterstrike) ooops....
2004-11-21 22:54:57.572770 ACAD6F96.ipt.aol.com Port(s) 901 (SWAT - HTTP interface to Samba?) - not listening, no data captured
2004-11-22 00:11:50.982698 206.170.79.121 Port(s) 1433 (ms-sql-s) Slammer again? Complete build and tear down of connection.
2004-11-22 01:24:29.502773 61.109.245.89 Port(s) 1433 (ms-sql-s) This had a PSH ACK packet that referenced the SA of the server, (that doesn't exist), and it then properly tore down the connection.
2004-11-22 01:35:31.515419 cras75p34.navix.net Port(s) 113 (Auth) - I'm beginning to think there's a reason for this... I just can't fathom it....
2004-11-22 02:55:04.856885 218.38.56.40 Port(s) 22 (SSH) - Not listening, no data captured
2004-11-22 03:06:17.763108 205.41.32.99 Port(s) UDP 1026 (Messenger) - Messenger Spam
2004-11-22 03:08:35.407078 200.37.92.138 Port(s) 1433 (ms-sql-s) Slammer again? Complete build and tear down of connection.
2004-11-22 03:13:24.134913 ba.slovakalarms.sk Port(s) 1433 (ms-sql-s) Slammer again? Complete build and tear down of connection.
2004-11-22 03:15:40.286051 h209-139-218-162.gtcust.grouptelecom.net Slammer again? Complete build and tear down of connection.
2004-11-22 05:29:37.421715 160.79.166.210 Port(s) 443 (SSL) Connection torn down properly
2004-11-22 07:15:20.943653 208.154.199.8 ICMP Echo Request
2004-11-22 07:23:40.701505 209.12.6.242 Port(s) 1433 (ms-sql-s) Slammer again? Complete build and tear down of connection.
2004-11-22 07:41:44.313392 222.111.35.27 Can we say Dabber yet again????? NOTE THE TIME AGAIN
2004-11-22 07:41:55.698996 60-56-73-254.eonet.ne.jp Dabber.....
2004-11-22 07:42:13.689244 221.150.171.112 My early morning Dabber continues......
2004-11-22 07:42:15.725346 220.72.204.155 And it goes on.....
2004-11-22 07:42:42.203430 220.79.120.51 And on.......
1512 2004-11-22 07:46:55.549290 222.118.94.46 And on....
[/Notes]
At this point I killed the capture.... 'cos I got to work and got to the box more than anything, (curiosity).
I find it interesting that this stuff seems to come in batches.... If something starts it seems to kick off some other of the same thing too... It's like something out there kicks things off by doing something. Matbe when one Dabber starts and hits an already infected machine the machine that is hit kicks off too... I dunno, speculation....
Interestingly enough there doesn't seem to have been anything that might have compromised this box automatically at any time, (unless I can't see something obvious) in the entire period, (some 80 hours of capture). I think the "survival time" figure is a little misleading... Misleading in that there are thousands of boxes worldwide monitoring and the overall time to compromise is read across all those boxes. Yet, in reality there are millions of boxes on the net and they aren't all scanned/hit by the same sample as the thousands of monitors.
That being said, I still like the "survival time" for it's FUD value with regular users. I think it's a useful statistic in that arena. Eventually though, a separate hardware device such as a Linksys is invaluable.
I'm going to "hone my skills" with the packet capture filters and the WormRadar so that I can more accurately capture some more intersting stuff and see what I get.... I'll report back anything interesting if anyone is interested.
Don\'t SYN us.... We\'ll SYN you..... 
\"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|
Reply With Quote