More oddness seen by my firewall

Rob Riley rob.riley at oracle.com
Wed Sep 3 10:21:54 PDT 2003


Hi David,
They are scanning for systems infected with Kuang2 the virus
which installs a trojan that opens port 17300/tcp on infected
systems.

http://www.glocksoft.com/trojan_list/Kuang2_the_virus.htm

Regards,
-- 
Rob Riley  Senior Systems Administrator, Security Engineering
Global IT, Oracle Corp.  650 506-1435 office, 650 799-1607 cell



David Wolfskill wrote:
> I noticed some odd-looking (blocked) packets intended for 17300/tcp; the
> frequency seems to have increased fairly suddenly recently.
> 
> In the following, I have edited the entries to shorten them, and thus --
> I hope! -- make seeing patterns a little easier.  I replaced
> "63.193.123.122" by "me"; I elided the " in via dc0" from the ends of
> each line.  I also elided the rule number (20000), since that didn't
> seem to be especially relevant.  My intent is not to hide the information
> from y'all, but to facilitate some cooperation within our community:
> 
> bunrab(4.9-P)[18] sudo grep ':17300' /var/log/security
> Aug 27 09:40:00 janus /kernel: ipfw: Deny TCP 68.62.63.245:3840 me:17300
> Aug 27 10:32:05 janus /kernel: ipfw: Deny TCP 24.25.150.193:3841 me:17300
> Aug 27 11:38:27 janus /kernel: ipfw: Deny TCP 172.137.205.179:3682 me:17300
> Aug 27 22:33:39 janus /kernel: ipfw: Deny TCP 63.242.140.122:1119 me:17300
> Aug 28 08:12:16 janus /kernel: ipfw: Deny TCP 68.71.63.171:4475 me:17300
> Aug 28 09:19:33 janus /kernel: ipfw: Deny TCP 68.71.63.171:4487 me:17300
> Aug 28 18:52:39 janus /kernel: ipfw: Deny TCP 68.119.151.47:2060 me:17300
> Aug 29 17:16:52 janus /kernel: ipfw: Deny TCP 68.71.63.171:4283 me:17300
> Sep  1 03:35:39 janus /kernel: ipfw: Deny TCP 67.112.37.165:4571 me:17300
> Sep  1 11:55:43 janus /kernel: ipfw: Deny TCP 130.13.101.34:4150 me:17300
> Sep  2 06:06:41 janus /kernel: ipfw: Deny TCP 67.74.73.228:4153 me:17300
> Sep  2 06:06:50 janus /kernel: ipfw: Deny TCP 81.96.174.145:3545 me:17300
> Sep  2 06:07:14 janus /kernel: ipfw: Deny TCP 80.135.220.136:3300 me:17300
> Sep  2 06:07:43 janus /kernel: ipfw: Deny TCP 80.13.173.25:1316 me:17300
> Sep  2 06:55:22 janus /kernel: ipfw: Deny TCP 68.214.99.194:50216 me:17300
> Sep  2 07:21:23 janus /kernel: ipfw: Deny TCP 200.28.42.232:4206 me:17300
> Sep  2 08:32:45 janus /kernel: ipfw: Deny TCP 217.228.74.31:4519 me:17300
> Sep  2 08:33:35 janus /kernel: ipfw: Deny TCP 217.236.90.176:3499 me:17300
> Sep  2 09:15:55 janus /kernel: ipfw: Deny TCP 200.74.144.73:1897 me:17300
> Sep  2 09:45:03 janus /kernel: ipfw: Deny TCP 217.98.162.102:3924 me:17300
> Sep  2 09:57:29 janus /kernel: ipfw: Deny TCP 67.122.191.205:3611 me:17300
> Sep  2 10:13:58 janus /kernel: ipfw: Deny TCP 212.194.140.70:4037 me:17300
> Sep  2 10:32:31 janus /kernel: ipfw: Deny TCP 213.96.224.225:3301 me:17300
> Sep  2 10:49:08 janus /kernel: ipfw: Deny TCP 12.243.249.75:4552 me:17300
> Sep  2 11:51:46 janus /kernel: ipfw: Deny TCP 213.13.234.76:4306 me:17300
> Sep  2 12:02:14 janus /kernel: ipfw: Deny TCP 217.81.28.62:1724 me:17300
> Sep  2 13:19:50 janus /kernel: ipfw: Deny TCP 81.98.115.72:2302 me:17300
> Sep  2 13:24:21 janus /kernel: ipfw: Deny TCP 65.94.221.120:3093 me:17300
> Sep  2 14:29:26 janus /kernel: ipfw: Deny TCP 80.8.84.96:3572 me:17300
> Sep  2 19:30:27 janus /kernel: ipfw: Deny TCP 80.49.1.147:4452 me:17300
> Sep  3 02:11:19 janus /kernel: ipfw: Deny TCP 24.70.194.113:4928 me:17300
> bunrab(4.9-P)[19] foreach h ( `sudo grep ':17300' /var/log/security | sed -e 's/^.* TCP //' -e 's/:.*$//'` )
> foreach? host $h
> foreach? end
> 245.63.62.68.IN-ADDR.ARPA domain name pointer pcp03161516pcs.flint01.mi.comcast.net
> 193.150.25.24.IN-ADDR.ARPA domain name pointer alb-24-25-150-193.nycap.rr.com
> 179.205.137.172.IN-ADDR.ARPA domain name pointer AC89CDB3.ipt.aol.com
> 122.140.242.63.IN-ADDR.ARPA domain name pointer 122.mug140.dtrt.sflmi01r1.dsl.att.net
> 171.63.71.68.IN-ADDR.ARPA domain name pointer co-colspgs-u6-c6b-171.clspco.adelphia.net
> 171.63.71.68.IN-ADDR.ARPA domain name pointer co-colspgs-u6-c6b-171.clspco.adelphia.net
> 47.151.119.68.IN-ADDR.ARPA domain name pointer ip-wv-68-119-151-047.charterwv.net
> 171.63.71.68.IN-ADDR.ARPA domain name pointer co-colspgs-u6-c6b-171.clspco.adelphia.net
> 165.37.112.67.IN-ADDR.ARPA domain name pointer adsl-67-112-37-165.dsl.lsan03.pacbell.net
> 34.101.13.130.IN-ADDR.ARPA domain name pointer vdsl-130-13-101-34.phnx.uswest.net
> 228.73.74.67.IN-ADDR.ARPA domain name pointer dialup-67.74.73.228.Dial1.Philadelphia1.Level3.net
> 145.174.96.81.IN-ADDR.ARPA domain name pointer pc1-mfld3-6-cust145.nott.cable.ntl.com
> 136.220.135.80.IN-ADDR.ARPA domain name pointer p5087DC88.dip.t-dialin.net
> 25.173.13.80.IN-ADDR.ARPA domain name pointer APlessis-Bouchard-103-1-3-25.w80-13.abo.wanadoo.fr
> 194.99.214.68.IN-ADDR.ARPA domain name pointer adsl-214-99-194.gnv.bellsouth.net
> 232.42.28.200.IN-ADDR.ARPA domain name pointer 232-42-28.dial.terra.cl
> 31.74.228.217.IN-ADDR.ARPA domain name pointer pD9E44A1F.dip.t-dialin.net
> 176.90.236.217.IN-ADDR.ARPA domain name pointer pD9EC5AB0.dip.t-dialin.net
> Host not found.
> 102.162.98.217.IN-ADDR.ARPA domain name pointer pa102.zbaszyn.sdi.tpnet.pl
> 205.191.122.67.IN-ADDR.ARPA domain name pointer adsl-67-122-191-205.dsl.lsan03.pacbell.net
> 205.191.122.67.IN-ADDR.ARPA domain name pointer adsl-67-122-191-205.dsl.pltn13.pacbell.net
> 70.140.194.212.IN-ADDR.ARPA domain name pointer f07v-9-70.d1.club-internet.fr
> 225.224.96.213.IN-ADDR.ARPA domain name pointer 225.Red-213-96-224.pooles.rima-tde.net
> 75.249.243.12.IN-ADDR.ARPA domain name pointer 12-243-249-75.client.attbi.com
> Host not found.
> 62.28.81.217.IN-ADDR.ARPA domain name pointer pD9511C3E.dip.t-dialin.net
> 72.115.98.81.IN-ADDR.ARPA domain name pointer pc3-rdng1-3-cust72.winn.cable.ntl.com
> 120.221.94.65.IN-ADDR.ARPA domain name pointer MTL-HSE-ppp200072.qc.sympatico.ca
> 96.84.8.80.IN-ADDR.ARPA domain name pointer ca-bordeaux-12-96.w80-8.abo.wanadoo.fr
> 147.1.49.80.IN-ADDR.ARPA domain name pointer pb147.mielec.sdi.tpnet.pl
> 113.194.70.24.IN-ADDR.ARPA domain name pointer h24-70-194-113.ok.shawcable.net
> bunrab(4.9-P)[20] 
> 
> I'm not sure what to make of it yet... but that reminds me:  I have been
> seeing a lot of HTTP requests against http://www.catwhisker.org/ that
> just get the root page, and they all look fairly similar; here's a
> (small!) excerpt:
> 
> 203.232.249.65 - - [02/Sep/2003:00:04:03 -0700] "GET / HTTP/1.1" 200 1016 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
> 208.206.232.111 - - [02/Sep/2003:00:07:43 -0700] "GET / HTTP/1.1" 200 1016 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
> 64.170.193.211 - - [02/Sep/2003:00:17:40 -0700] "GET / HTTP/1.1" 200 1016 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
> 68.121.123.211 - - [02/Sep/2003:00:24:28 -0700] "GET / HTTP/1.1" 200 1016 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
> 61.121.84.33 - - [02/Sep/2003:00:25:01 -0700] "GET / HTTP/1.1" 200 1016 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
> 68.74.69.31 - - [02/Sep/2003:00:26:24 -0700] "GET / HTTP/1.1" 200 1016 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
> 62.13.174.12 - - [02/Sep/2003:00:29:11 -0700] "GET / HTTP/1.1" 200 1016 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
> 68.22.50.9 - - [02/Sep/2003:00:38:40 -0700] "GET / HTTP/1.1" 200 1016 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
> 
> 
> I'm fairly sure that this is from the recent worm/virus/whatever -- this
> seems to have started between 10 - 20 days ago or so.
> 
> Peace,
> david
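A defender's triage of the ipfw excerpt above, written as an added example (it is not code from either poster): it parses the Deny lines, tallies hits on 17300/tcp per source and per day, and flags bursts of several distinct sources inside a short window, like the four connects on Sep 2 between 06:06 and 06:07 that suggest a worm sweep rather than one curious host. The sample is a subset of David's lines plus one constructed line on another port to show the filter; syslog lines carry no year, so 2003 is assumed from the message headers.

```python
import re
from collections import Counter
from datetime import datetime

# ipfw Deny line as quoted from /var/log/security (rule number and "in via dc0" elided there)
IPFW_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ /kernel: ipfw: "
    r"Deny (?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+)"
)

# Sample input: lines from the quoted excerpt, plus one constructed line on port 80.
SAMPLE = """\
Aug 28 08:12:16 janus /kernel: ipfw: Deny TCP 68.71.63.171:4475 me:17300
Aug 28 09:19:33 janus /kernel: ipfw: Deny TCP 68.71.63.171:4487 me:17300
Aug 29 17:16:52 janus /kernel: ipfw: Deny TCP 68.71.63.171:4283 me:17300
Sep  2 06:06:41 janus /kernel: ipfw: Deny TCP 67.74.73.228:4153 me:17300
Sep  2 06:06:50 janus /kernel: ipfw: Deny TCP 81.96.174.145:3545 me:17300
Sep  2 06:07:14 janus /kernel: ipfw: Deny TCP 80.135.220.136:3300 me:17300
Sep  2 06:07:43 janus /kernel: ipfw: Deny TCP 80.13.173.25:1316 me:17300
Sep  2 10:32:31 janus /kernel: ipfw: Deny TCP 213.96.224.225:3301 me:80
"""

def parse_ipfw(lines, year=2003):
    """Yield (timestamp, src, dport) per Deny line; non-matching lines are skipped."""
    for line in lines:
        m = IPFW_RE.match(line)
        if not m:
            continue
        stamp = f"{year} {m['mon']} {int(m['day'])} {m['time']}"
        yield datetime.strptime(stamp, "%Y %b %d %H:%M:%S"), m["src"], int(m["dport"])

def summarize(lines, port=17300, burst_window=120, burst_min=3):
    """Return (hits per source, hits per day, bursts) for one destination port.
    A burst is >= burst_min distinct sources within burst_window seconds of the first."""
    hits = sorted((ts, src) for ts, src, dport in parse_ipfw(lines) if dport == port)
    per_source = Counter(src for _, src in hits)
    per_day = Counter(ts.strftime("%b %d") for ts, _ in hits)
    bursts, i = [], 0
    while i < len(hits):
        j = i
        while j + 1 < len(hits) and (hits[j + 1][0] - hits[i][0]).total_seconds() <= burst_window:
            j += 1
        srcs = {src for _, src in hits[i:j + 1]}
        if len(srcs) >= burst_min:
            bursts.append((hits[i][0], hits[j][0], sorted(srcs)))
            i = j + 1  # skip past the burst we just recorded
        else:
            i += 1
    return per_source, per_day, bursts

if __name__ == "__main__":
    per_source, per_day, bursts = summarize(SAMPLE.splitlines())
    print("repeat offenders:", [s for s, n in per_source.items() if n > 1])
    print("hits per day:", dict(per_day))
    for start, end, srcs in bursts:
        print(f"burst {start:%b %d %H:%M:%S}..{end:%H:%M:%S}: {len(srcs)} sources")
```

Against a live box the same functions read `/var/log/security` directly; a repeat source such as 68.71.63.171 is a candidate for a reverse lookup and an abuse report, while a burst of unrelated sources is the signature of automated scanning.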