December 5th, 2007, 02:17 PM
Snort reported UDP scans
Anyone seen this type of activity?:
On 11/29, an internal workstation appeared to perform UDP portscans to 27 unique external IPs. All the external addresses examined were foreign (mostly Brazil and Argentina, but also including Colombia, Germany, Indonesia, China, et al.). It appears to have scanned the same IP list twice, with a couple of the IPs only appearing once in each scan (possibly due to dropped traffic on the sensor). Scans took place at 17:56 and again at 18:10. It's unclear if there were any returns on the scans. I could find no other appearances of the inside or outside IPs setting off any other alerts in the data that I have. Most of the IP addresses I looked at appeared to be customer addys from ISPs.
On 12/3, the system's admin was contacted, who claimed to have run a full virus scan and found nothing.
On 12/4, the same system performed the same type of scan against 11 more systems. Again, all were foreign (mostly Brazil, a couple German, and Venezuela) -- but not a single one was a duplicate from the first scan, nor were they even within the same networks.
Because of the kludgy portscan reporting of Snort, I cannot accurately tell which ports are being targeted. The sensor's been up/down over the last month (I was out of town) so there could have been more events...
Ideas? (My favorite answer so far is a worm...but none detected by Symantec -- assuming the admin *did* do a scan... ;0)
December 5th, 2007, 02:44 PM
Are the UDP destination or source ports consistent? Assuming XP SP2 or Win2k3 and consistent ports, try netstat -nab; this will tell you all active connections/open/listening ports, and what programs have them open. In my experience, it is usually able to determine the source of the traffic; however, if there is a rootkit involved, your mileage may vary...
Is the system using a local firewall?
Is there any consistency to the times that the scans happen? Day of the week? Time of Day? Day of month?
Tried looking through a list of running processes and cross-comparing them? (alternative tools to native OS commands might help in this respect)
Just a few thoughts off the top of my head...
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
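The netstat -nab lookup suggested above, as an added example that is not part of the original thread: a small parser that turns the command's output into a UDP port-to-executable map, so a consistent source port from the Snort alert can be matched to a program in one step. The sample output is constructed for this example (assumption: it mirrors the XP SP2 / Win2k3 layout, where each socket line is followed by optional indented component names and the owning image name in square brackets, or by "Can not obtain ownership information" when the caller lacks rights). Process and port names in it are invented.

```python
"""Map sockets reported by `netstat -nab` to the executable that owns them."""
import re
from typing import Dict, List

# Constructed sample of `netstat -nab` output (not captured from the poster's
# machine; image names and ports are invented for this example).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  UDP    0.0.0.0:123            *:*
  w32time
 [svchost.exe]
  UDP    192.168.1.23:6881      *:*
 [p2pclient.exe]
  UDP    192.168.1.23:1900      *:*
  Can not obtain ownership information
"""

# A socket line: proto, local endpoint, foreign endpoint and (TCP only) a state.
SOCKET_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
# The owning image is printed on its own line in square brackets.
OWNER_RE = re.compile(r"^\s*\[(.+)\]\s*$")


def parse_netstat_nab(text: str) -> List[Dict]:
    """Parse netstat -nab output into one record per socket.

    Component lines (DLL/service names) between the socket line and the
    bracketed image name are collected; a socket whose owner could not be
    read keeps owner == "unknown".
    """
    entries: List[Dict] = []
    current = None
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            current = {
                "proto": m.group(1),
                "local": m.group(2),
                "foreign": m.group(3),
                "state": m.group(4) or "",
                "owner": "unknown",
                "components": [],
            }
            entries.append(current)
            continue
        if current is None or not line.strip():
            continue  # header text before the first socket, or a blank line
        o = OWNER_RE.match(line)
        if o:
            current["owner"] = o.group(1)
        elif line.strip().startswith("Can not obtain ownership"):
            current["owner"] = "unknown"
        else:
            current["components"].append(line.strip())
    return entries


def udp_port_owners(entries: List[Dict]) -> Dict[int, str]:
    """Return {local UDP port: owning image}, the lookup you want when the
    IDS alert shows a consistent UDP source port on the suspect host."""
    owners: Dict[int, str] = {}
    for e in entries:
        if e["proto"] != "UDP":
            continue
        port = int(e["local"].rsplit(":", 1)[1])
        owners[port] = e["owner"]
    return owners


if __name__ == "__main__":
    for port, owner in sorted(udp_port_owners(parse_netstat_nab(SAMPLE_NETSTAT)).items()):
        print(f"UDP/{port:<5} -> {owner}")
```

On a real box, feed the parser the saved output of `netstat -nab` run from an elevated prompt; an "unknown" owner on a busy UDP port is itself worth a second look, since a rootkit that hides its process would leave exactly that gap.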
December 5th, 2007, 04:33 PM
I would say it was an Nmap -D scan (decoy) - to hide/obscure the attacker's real IP address he can tell Nmap to insert spoofed IPs of the attacker's choosing into the probes or have Nmap use random IPs of its choosing. This way, although one of the connections will be from the attacker's real IP address, most of the logs will be full of spoofed IPs.
Path tracing etc can protect against this if you want to configure it.
December 5th, 2007, 05:19 PM
Have you tried running anti-spyware programs (Search & Destroy, Adware, etc.) on this system? I have seen this type of activity when this type of 'scumware' tries to phone home.
December 5th, 2007, 06:09 PM
1. Where is this machine located?
On 11/29, an internal workstation appeared to perform UDP portscans to 27 unique external IPs.
2. Who normally uses it?
3. When did they logoff on those days?
4. Is there any scanning or non-standard software on the machine?
I am wondering if this was not an inside job. If it is a worm, why haven't other machines on the network been compromised?
Can users install/uninstall software, use thumb drives, boot from CDs, etc.?
My suggestion is that if it isn't malware as nothing has been detected, and it isn't a self-deleting item, then it must be a regular application.
You might try a file recovery tool to see if anything interesting has been deleted from the machine.
December 5th, 2007, 06:29 PM
Configure Snort to, besides the 'interpreted' ASCII log, also log the raw IP packets. Use the 'regular' ASCII log only to read it and as a guideline. Use the logged raw packets to verify what exactly went on. Otherwise you'll always be shooting in the dark.
The problem with (UDP) portscans is that they usually aren't. But to be sure you would need to know what really happened.
I'd point to the relevant snort manual section but the snort site doesn't seem to like me very much today. And I don't have snort running right now.
Experience is something you don't get until just after you need it.
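The check the post above recommends, as an added example that is not part of the original thread: once the raw packets are logged, the question "is this really a UDP portscan?" is answered by the shape of the traffic per source host. A port scan hits many ports on one host; a P2P client, overlay proxy or phone-home module typically hits one service port on many hosts, which a portscan preprocessor happily reports as a scan. The code below builds a handful of raw IPv4/UDP frames (constructed for this example, using documentation address ranges; no real capture), parses them without any third-party library, and classifies each source. The thresholds and the verdict labels are this example's own choices, not Snort's.

```python
"""Classify per-source UDP traffic from raw IPv4 frames: port scan or host sweep?"""
import socket
import struct
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

IPPROTO_UDP = 17


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Build a minimal IPv4+UDP frame (no options, UDP checksum 0 = absent)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64,
                     IPPROTO_UDP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp


def parse_ipv4_udp(frame: bytes) -> Optional[Tuple[str, str, int, int]]:
    """Return (src, dst, sport, dport) for an IPv4/UDP frame, else None."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4            # header length honours IP options
    if frame[9] != IPPROTO_UDP or len(frame) < ihl + 8:
        return None
    src = socket.inet_ntoa(frame[12:16])
    dst = socket.inet_ntoa(frame[16:20])
    sport, dport = struct.unpack("!HH", frame[ihl:ihl + 4])
    return src, dst, sport, dport


def summarize_udp(frames: List[bytes], threshold: int = 10) -> Dict[str, Dict]:
    """Per source IP: distinct destinations/ports and a verdict.

    host_sweep   - >= threshold destination hosts, at most 2 destination ports
                   (one service contacted everywhere: P2P/overlay/phone-home shape)
    port_scan    - one destination host, >= threshold destination ports
    inconclusive - anything else
    """
    per_src = defaultdict(lambda: {"dst_ips": set(), "dst_ports": set(),
                                   "src_ports": set(), "packets": 0})
    for frame in frames:
        parsed = parse_ipv4_udp(frame)
        if parsed is None:
            continue                       # not IPv4/UDP: ignore, don't crash
        src, dst, sport, dport = parsed
        s = per_src[src]
        s["dst_ips"].add(dst)
        s["dst_ports"].add(dport)
        s["src_ports"].add(sport)
        s["packets"] += 1

    report: Dict[str, Dict] = {}
    for src, s in per_src.items():
        n_ips, n_ports = len(s["dst_ips"]), len(s["dst_ports"])
        if n_ips >= threshold and n_ports <= 2:
            verdict = "host_sweep"
        elif n_ips == 1 and n_ports >= threshold:
            verdict = "port_scan"
        else:
            verdict = "inconclusive"
        report[src] = {"packets": s["packets"], "dst_ips": n_ips,
                       "dst_ports": n_ports, "src_ports": len(s["src_ports"]),
                       "verdict": verdict}
    return report


# Constructed sample: 10.1.2.3 contacts 12 hosts on UDP/6881 from a fixed source
# port (the shape a P2P client produces); 10.1.2.99 walks 15 ports on one host
# (a genuine port scan); one non-UDP frame is included to show it is skipped.
SAMPLE_FRAMES: List[bytes] = [
    build_ipv4_udp("10.1.2.3", f"198.51.100.{i}", 6881, 6881, b"d1:ad2:id20:")
    for i in range(1, 13)
]
SAMPLE_FRAMES += [
    build_ipv4_udp("10.1.2.99", "203.0.113.7", 40000 + i, 1000 + i) for i in range(15)
]
SAMPLE_FRAMES.append(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                                 socket.inet_aton("10.1.2.5"),
                                 socket.inet_aton("192.0.2.9")) + bytes(20))

if __name__ == "__main__":
    for src, info in summarize_udp(SAMPLE_FRAMES).items():
        print(src, info)
```

To run this over real data instead of the constructed frames, read the IP payloads out of Snort's binary (pcap) log or a `tcpdump -w` file and hand them to `summarize_udp`; a fixed source port plus a "host_sweep" verdict is the strongest hint that a resident application, not a scanner, is generating the alerts.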
December 10th, 2007, 04:06 PM
Good ideas. Admin claims no malware (although I'm skeptical). I'm thinking it must be a "legit" tool (users CAN install pretty much whatever they want in our university environment). The file recovery is an interesting idea...
I've been leaving tcpdumps up listening for that IP -- attempting to correlate any/all activity should the alert trigger again -- so far, nothing... If I ever get a good handle on this, I'll post the answer, but right now I'm not so sure.
December 10th, 2007, 04:37 PM
I just had a thought, although I don't know how that would fit in with portscans, as that is not my field.
Could it be some sort of anonymising or multiple proxy software?
Most of the IP addresses I looked at appeared to be customer addys from ISPs.
From what you say about your environment, it may well have been run from a CD or thumb drive.
Possibly a student working on a project?
Just a thought.
Last edited by nihil; December 10th, 2007 at 06:07 PM.
December 13th, 2007, 05:39 PM
Never found out what this was. But that's something I hadn't thought of, nihil. I saw something like this a few months ago where a user downloaded a streaming viewer -- malware alarms never went off -- but in the fine-print, it did talk about it utilizing your box as part of the network...