Unusual System Events
=-=-=-=-=-=-=-=-=-=-=

syslog/logcheck:

Mar 4 09:41:51 greatwall snort: [1:0:0] Potential CodeRed/Nimda probe {TCP} 12.82.140.120:2744 -> 12.82.129.125:80
Mar 4 09:41:54 greatwall snort: [1:0:0] Potential CodeRed/Nimda probe {TCP} 12.82.140.120:2744 -> 12.82.129.125:80

ipchains:

Mar 4 09:41:51 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 12.82.140.120:2744 12.82.129.125:80 L=44 S=0x00 I=36011 F=0x4000 T=126 SYN (#64)
Mar 4 09:41:54 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 12.82.140.120:2744 12.82.129.125:80 L=44 S=0x00 I=17581 F=0x4000 T=126 SYN (#64)

p0f:

Mon Mar 4 09:41:51 2002 12.82.140.120: UNKNOWN [8192:126:1460:1:164:0:0:44]. 12.82.140.120:2744 -> 12.82.129.125:80
Mon Mar 4 09:41:54 2002 12.82.140.120: UNKNOWN [8192:126:1460:1:168:0:0:44]. 12.82.140.120:2744 -> 12.82.129.125:80

full snort packet dump:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/04-09:41:51.960774 12.82.140.120:2744 -> 12.82.129.125:80
TCP TTL:126 TOS:0x0 ID:36011 IpLen:20 DgmLen:44 DF
******S* Seq: 0x3D9499  Ack: 0x0  Win: 0x2000  TcpLen: 24
TCP Options (1) => MSS: 1460
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/04-09:41:54.480985 12.82.140.120:2744 -> 12.82.129.125:80
TCP TTL:126 TOS:0x0 ID:17581 IpLen:20 DgmLen:44 DF
******S* Seq: 0x3D9499  Ack: 0x0  Win: 0x2000  TcpLen: 24
TCP Options (1) => MSS: 1460
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Note that the second SYN carries the same sequence number (0x3D9499) and the same source port as the first, three seconds later: it is the retransmission after the first one was DENYed, so this is one probe, not two. A TTL of 126 (two below the Windows default of 128) and a 8192-byte window with only an MSS option are what a Windows host sends, which fits a CodeRed/Nimda-infected machine on a dial-up line.

host:

[root@sparky /storage/snort]# host 12.82.140.120
120.140.82.12.in-addr.arpa. domain name pointer 120.seattle-05-10rs.wa.dial-access.att.net.

whois:

BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman
Request: 12.82.140.120
connecting to whois.arin.net [63.146.182.182:43] ...

AT&T ITS (NET-ATT)
   200 Laurel Avenue South
   Middletown, NJ 07748
   US

   Netname: ATT
   Netblock: 12.0.0.0 - 12.255.255.255
   Maintainer: ATTW

   Coordinator:
      Kostick, Deirdre  (DK71-ARIN)  help@IP.ATT.NET
      (888)613-6330

   Domain System inverse mapping provided by:

   DBRU.BR.NS.ELS-GMS.ATT.NET   199.191.128.106
   DMTU.MT.NS.ELS-GMS.ATT.NET   12.127.16.70
   CBRU.BR.NS.ELS-GMS.ATT.NET   199.191.128.105
   CMTU.MT.NS.ELS-GMS.ATT.NET   12.127.16.69
syslog/logcheck:

Mar 4 09:47:31 greatwall snort: [1:0:0] TCP to 111 sunrpc {TCP} 65.104.251.67:1525 -> 12.82.129.125:111

ipchains:

Mar 4 09:47:31 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 65.104.251.67:1525 12.82.129.125:111 L=60 S=0x00 I=32007 F=0x4000 T=52 SYN (#64)

p0f:

Mon Mar 4 09:47:31 2002 65.104.251.67 [13 hops]: Linux 2.2.9 - 2.2.18 65.104.251.67:1525 -> 12.82.129.125:111 (timestamp: 52483290 @1015264051)

full snort packet dump:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/04-09:47:31.844810 65.104.251.67:1525 -> 12.82.129.125:111
TCP TTL:52 TOS:0x0 ID:32007 IpLen:20 DgmLen:60 DF
******S* Seq: 0x28BB1936  Ack: 0x0  Win: 0x7D78  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 52483290 0 NOP WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

The p0f verdict is consistent with the packet itself: TTL 52 is the Linux default of 64 minus the hops, and MSS/SackOK/timestamp/NOP/window-scale is the option set a 2.2 kernel puts on a SYN. A lone SYN to 111/tcp is a portmapper probe, the first step in finding an RPC service (rpc.statd and friends) to exploit.

whois:

BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman

XO Communications (NET-XOXO-BLK-15)
   1400 Parkmoor Avenue
   San Jose, CA 95126-3429
   US

   Netname: XOXO-BLK-15
   Netblock: 65.104.0.0 - 65.107.255.255
   Maintainer: XOXO

   Coordinator:
      DNS and IP ADMIN  (DIA-ORG-ARIN)  hostmaster@CONCENTRIC.NET
      (408) 817-2800
      Fax: (408) 817-2630

   Domain System inverse mapping provided by:

   NAMESERVER1.CONCENTRIC.NET   207.155.183.73
   NAMESERVER2.CONCENTRIC.NET   207.155.184.72
   NAMESERVER3.CONCENTRIC.NET   206.173.119.72
   NAMESERVER.CONCENTRIC.NET    207.155.183.72

http to 65.104.251.67:

"It Worked! If you can see this, it means that the installation of the Apache software on this Red Hat Linux system was successful. You may now add content to this directory and replace this page."

Yeah: it worked. You installed Linux and Apache and left it wide open, and now your box has been cracked and is being used to attack other people.

Idiot.
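The two events above are matched up across three log sources by eye. As an added example (not part of the original log, and not code from any of the tools it quotes), the Python below does the same join mechanically: it parses the syslog lines written by snort and by the ipchains packet logger, parses the p0f log, keys everything on the (src, sport, dst, dport) tuple, and summarises per source host with an initial-TTL guess that can be checked against p0f's verdict. It also lists any flow snort alerted on that ipchains did not DENY, which is the one question that matters: did anything get through? The sample lines are constructed copies of the entries on this page; the regular expressions are written against those exact formats (ipchains 2.2 "Packet log" lines, p0f v1 output) and are an assumption for any other version.

```python
import re
from collections import defaultdict

# Constructed sample input: the snort/ipchains syslog lines and the p0f lines
# from the events on this page, re-typed as they appear in the log.
SYSLOG = """\
Mar 4 09:41:51 greatwall snort: [1:0:0] Potential CodeRed/Nimda probe {TCP} 12.82.140.120:2744 -> 12.82.129.125:80
Mar 4 09:41:54 greatwall snort: [1:0:0] Potential CodeRed/Nimda probe {TCP} 12.82.140.120:2744 -> 12.82.129.125:80
Mar 4 09:41:51 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 12.82.140.120:2744 12.82.129.125:80 L=44 S=0x00 I=36011 F=0x4000 T=126 SYN (#64)
Mar 4 09:41:54 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 12.82.140.120:2744 12.82.129.125:80 L=44 S=0x00 I=17581 F=0x4000 T=126 SYN (#64)
Mar 4 09:47:31 greatwall snort: [1:0:0] TCP to 111 sunrpc {TCP} 65.104.251.67:1525 -> 12.82.129.125:111
Mar 4 09:47:31 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 65.104.251.67:1525 12.82.129.125:111 L=60 S=0x00 I=32007 F=0x4000 T=52 SYN (#64)
Mar 4 09:53:41 greatwall snort: [1:0:0] UDP to 137 netBIOS ns {UDP} 216.46.199.45:1348 -> 12.82.129.125:137
Mar 4 09:53:41 greatwall kernel: Packet log: input DENY ppp0 PROTO=17 216.46.199.45:1348 12.82.129.125:137 L=78 S=0x00 I=34408 F=0x0000 T=53 (#27)
"""
P0F = """\
Mon Mar 4 09:41:51 2002 12.82.140.120: UNKNOWN [8192:126:1460:1:164:0:0:44]. 12.82.140.120:2744 -> 12.82.129.125:80
Mon Mar 4 09:41:54 2002 12.82.140.120: UNKNOWN [8192:126:1460:1:168:0:0:44]. 12.82.140.120:2744 -> 12.82.129.125:80
Mon Mar 4 09:47:31 2002 65.104.251.67 [13 hops]: Linux 2.2.9 - 2.2.18 65.104.251.67:1525 -> 12.82.129.125:111 (timestamp: 52483290 @1015264051)
"""

# Formats assumed: snort 1.x syslog alerts, ipchains "Packet log" lines, p0f v1 log lines.
SNORT_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) snort: \[(?P<sid>[^\]]+)\] '
    r'(?P<msg>.+?) \{(?P<proto>TCP|UDP)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$')
IPCHAINS_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: (?P<chain>\w+) (?P<action>\w+) '
    r'(?P<iface>\S+) PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) '
    r'L=(?P<len>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<id>\d+) F=0x(?P<frag>[0-9A-Fa-f]+) T=(?P<ttl>\d+)'
    r'(?P<flags>(?: [A-Z]+)*) \(#(?P<rule>\d+)\)$')
P0F_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) (?P<src>[\d.]+)(?: \[(?P<hops>\d+) hops\])?: '
    r'(?P<os>.+?)\.? (?P=src):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)')


def flow_key(d):
    """The 4-tuple all three sources share; p0f and snort only see the SYN, ipchains every packet."""
    return (d['src'], int(d['sport']), d['dst'], int(d['dport']))


def parse_syslog(text):
    """Split syslog into snort alert dicts and ipchains DENY dicts; unrecognised lines are skipped."""
    alerts, denies = [], []
    for line in text.splitlines():
        m = SNORT_RE.match(line)
        if m:
            alerts.append(m.groupdict())
            continue
        m = IPCHAINS_RE.match(line)
        if m and m.group('action') == 'DENY':
            denies.append(m.groupdict())
    return alerts, denies


def parse_p0f(text):
    return [m.groupdict() for m in map(P0F_RE.match, text.splitlines()) if m]


def initial_ttl(ttl):
    """Smallest common initial TTL (32/64/128/255) not below the observed one; a rough OS hint."""
    return next((g for g in (32, 64, 128, 255) if ttl <= g), None)


def correlate(syslog_text, p0f_text):
    """Join alerts, denies and OS guesses on the flow 4-tuple."""
    flows = defaultdict(lambda: {'alerts': [], 'denies': [], 'os': set(), 'ttl': None})
    alerts, denies = parse_syslog(syslog_text)
    for a in alerts:
        flows[flow_key(a)]['alerts'].append(a['msg'])
    for d in denies:
        f = flows[flow_key(d)]
        f['denies'].append(d['ts'])
        f['ttl'] = int(d['ttl'])
    for p in parse_p0f(p0f_text):
        flows[flow_key(p)]['os'].add(p['os'])
    return dict(flows)


def summarise(flows):
    """Per source address: denied packets, ports touched, snort messages, p0f verdicts, initial-TTL guess."""
    out = {}
    for (src, _sport, _dst, dport), f in flows.items():
        s = out.setdefault(src, {'denied': 0, 'ports': set(), 'alerts': set(), 'os': set(), 'initial_ttl': None})
        s['denied'] += len(f['denies'])
        s['ports'].add(dport)
        s['alerts'].update(f['alerts'])
        s['os'].update(f['os'])
        if f['ttl'] is not None:
            s['initial_ttl'] = initial_ttl(f['ttl'])
    return out


def alerted_but_not_denied(flows):
    """Flows snort alerted on with no matching ipchains DENY: those packets reached the host."""
    return sorted(k for k, f in flows.items() if f['alerts'] and not f['denies'])


if __name__ == '__main__':
    flows = correlate(SYSLOG, P0F)
    for src, s in sorted(summarise(flows).items()):
        print(src, s)
    print('alerted but not denied:', alerted_but_not_denied(flows))
```

For the sample the dial-up host resolves to an initial TTL of 128 (Windows), the sunrpc prober to 64, agreeing with p0f's "Linux 2.2.9 - 2.2.18", and every alerted flow has a matching DENY.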
syslog/logcheck:

Mar 4 09:53:41 greatwall snort: [1:0:0] UDP to 137 netBIOS ns {UDP} 216.46.199.45:1348 -> 12.82.129.125:137

ipchains:

Mar 4 09:53:41 greatwall kernel: Packet log: input DENY ppp0 PROTO=17 216.46.199.45:1348 12.82.129.125:137 L=78 S=0x00 I=34408 F=0x0000 T=53 (#27)

p0f:

none: this is UDP, and p0f only fingerprints TCP SYNs :-)

full snort packet dump:

more host_216.46.199.45-0304@0630.log

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/04-09:53:41.111823 216.46.199.45:1348 -> 12.82.129.125:137
UDP TTL:53 TOS:0x0 ID:34408 IpLen:20 DgmLen:78
Len: 58
00 99 00 10 00 01 00 00 00 00 00 00 20 43 4B 41  ............ CKA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21  AAAAAAAAAAAAA..!
00 01                                            ..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/04-09:55:07.000946 12.82.129.125:1025 -> 216.46.199.45:53
UDP TTL:64 TOS:0x0 ID:43235 IpLen:20 DgmLen:81
Len: 61
0B 76 00 00 00 01 00 00 00 00 00 00 02 34 35 03  .v...........45.
31 39 39 02 34 36 03 32 31 36 07 69 6E 2D 61 64  199.46.216.in-ad
64 72 09 67 6E 65 74 77 6F 72 6B 73 03 63 6F 6D  dr.gnetworks.com
00 00 0C 00 01                                   .....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/04-09:55:07.230496 216.46.199.45:53 -> 12.82.129.125:1025
UDP TTL:53 TOS:0x0 ID:38460 IpLen:20 DgmLen:125
Len: 105
0B 76 84 83 00 01 00 00 00 01 00 00 02 34 35 03  .v...........45.
31 39 39 02 34 36 03 32 31 36 07 69 6E 2D 61 64  199.46.216.in-ad
64 72 09 67 6E 65 74 77 6F 72 6B 73 03 63 6F 6D  dr.gnetworks.com
00 00 0C 00 01 C0 22 00 06 00 01 00 01 51 80 00  ......"......Q..
20 C0 22 07 68 6F 73 74 69 6E 67 C0 22 77 45 EE   .".hosting."wE.
BF 00 00 70 80 00 00 1C 20 00 09 3A 80 00 01 51  ...p.... ..:...Q
80                                               .
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/04-12:59:57.566062 12.82.129.125:1025 -> 216.46.199.45:53
UDP TTL:64 TOS:0x0 ID:48176 IpLen:20 DgmLen:81
Len: 61
CE 1C 00 00 00 01 00 00 00 00 00 00 02 34 35 03  .............45.
31 39 39 02 34 36 03 32 31 36 07 69 6E 2D 61 64  199.46.216.in-ad
64 72 09 67 6E 65 74 77 6F 72 6B 73 03 63 6F 6D  dr.gnetworks.com
00 00 0C 00 01                                   .....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/04-12:59:57.794388 216.46.199.45:53 -> 12.82.129.125:1025
UDP TTL:53 TOS:0x0 ID:64888 IpLen:20 DgmLen:125
Len: 105
CE 1C 84 83 00 01 00 00 00 01 00 00 02 34 35 03  .............45.
31 39 39 02 34 36 03 32 31 36 07 69 6E 2D 61 64  199.46.216.in-ad
64 72 09 67 6E 65 74 77 6F 72 6B 73 03 63 6F 6D  dr.gnetworks.com
00 00 0C 00 01 C0 22 00 06 00 01 00 01 51 80 00  ......"......Q..
20 C0 22 07 68 6F 73 74 69 6E 67 C0 22 77 45 EE   .".hosting."wE.
BF 00 00 70 80 00 00 1C 20 00 09 3A 80 00 01 51  ...p.... ..:...Q
80                                               .
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

What the dumps say: the 137/udp packet is a NetBIOS node status request (question type 0x0021, NBSTAT) for the wildcard name "*". The 32-byte label CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA is the first-level encoding of "*" followed by fifteen null bytes (each byte is sent as two letters, 'A' plus the high nibble and 'A' plus the low nibble, so "CK" is 0x2A). That is the query nbtstat -A sends, and it is the standard way to list a Windows box's NetBIOS names, workgroup, logged-on user and shares from outside. The four DNS packets after it are greatwall's own caching resolver trying to reverse-map the sender: a PTR query for 45.199.46.216.in-addr.gnetworks.com goes to 216.46.199.45 itself, which replies with an authoritative NXDOMAIN (flags 0x8483: QR, AA, RA, RCODE 3) and nothing but the gnetworks.com SOA in the authority section; the lookup at 12:59 gets the identical answer. So the address has no working reverse mapping, which is why the log carries a bare IP. The dig below shows who that address is: NS1.gnetworks.com, the domain's own nameserver.

[root@sparky /storage/snort]# dig @greatwall any gnetworks.com

; <<>> DiG 9.1.0 <<>> @greatwall any gnetworks.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29898
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;gnetworks.com.                 IN      ANY

;; ANSWER SECTION:
gnetworks.com.          129645  IN      NS      NS1.gnetworks.com.
gnetworks.com.          129645  IN      NS      NS2.gnetworks.com.
gnetworks.com.          50073   IN      SOA     gnetworks.com. hosting.gnetworks.com. 2001071807 28800 7200 604800 86400

;; AUTHORITY SECTION:
gnetworks.com.          129645  IN      NS      NS1.gnetworks.com.
gnetworks.com.          129645  IN      NS      NS2.gnetworks.com.

;; ADDITIONAL SECTION:
NS1.gnetworks.com.      136469  IN      A       216.46.199.45
NS2.gnetworks.com.      136469  IN      A       216.46.199.46

;; Query time: 34 msec
;; SERVER: 192.168.1.2#53(greatwall)
;; WHEN: Mon Mar 4 20:00:35 2002
;; MSG SIZE  rcvd: 171

whois:

BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman

Pathway Computing, Inc (NETBLK-PATHWAY-BLK)
   825 BOND AVE NW STE 211D
   GRAND RAPIDS, MI 49503
   US

   Netname: PATHWAY-BLK
   Netblock: 216.46.192.0 - 216.46.207.255
   Maintainer: PWCI

   Coordinator:
      PathWay Computing, Inc.  (PC-ORG-ARIN)  hostmaster@pathwaynet.com
      +1 616 774-3131

   Domain System inverse mapping provided by:

   NS1.PATHWAYNET.COM   216.46.200.172
   NS2.PATHWAYNET.COM   216.46.200.173
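The hex dumps above were decoded by hand. As an added example (not part of the original page, and not code from snort, p0f or any other tool it quotes), the Python below is a small decoder for both UDP payloads. NetBIOS name service packets reuse the DNS header and label format, so one parser covers both: it reads the header flags and RCODE, decodes the question name (turning a 32-byte first-level-encoded NetBIOS label back into the name and its suffix byte), and walks the answer, authority and additional sections, decoding SOA, NS/PTR and A records. The two byte strings are transcribed from the dumps of the 137/udp node status request and the 09:55:07 DNS reply; the function and field names are my own.

```python
import struct

# Payloads transcribed from the hex dumps above (UDP payload only, IP/UDP headers stripped).
NBNS_QUERY = bytes.fromhex(
    "0099" "0010" "0001" "0000" "0000" "0000"   # id 0x0099, flags (NBNS B bit), QDCOUNT=1
    + "20" + "434B" + "41" * 30 + "00"          # 32-byte first-level-encoded name "CKAAA...", terminator
    + "0021" "0001")                            # QTYPE 0x21 NBSTAT, QCLASS IN
DNS_RESPONSE = bytes.fromhex(
    "0B76 8483 0001 0000 0001 0000"                           # id, flags QR|AA|RA rcode 3, NSCOUNT=1
    "02 3435 03 313939 02 3436 03 323136"                     # 45.199.46.216
    "07 696E2D61646472 09 676E6574776F726B73 03 636F6D 00"   # in-addr.gnetworks.com
    "000C 0001"                                               # PTR IN
    "C022 0006 0001 00015180 0020"                            # gnetworks.com SOA IN ttl 86400 rdlen 32
    "C022 07 686F7374696E67 C022"                             # mname gnetworks.com, rname hosting.gnetworks.com
    "7745EEBF 00007080 00001C20 00093A80 00015180")           # serial refresh retry expire minimum

TYPES = {1: 'A', 2: 'NS', 6: 'SOA', 12: 'PTR', 0x20: 'NB', 0x21: 'NBSTAT'}
RCODES = {0: 'NOERROR', 1: 'FORMERR', 2: 'SERVFAIL', 3: 'NXDOMAIN', 4: 'NOTIMP', 5: 'REFUSED'}


def read_name(msg, off):
    """Read a (possibly compressed) name at off; return (labels, offset just after it in the stream)."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack_from('!H', msg, off)[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError('compression pointer loop')
            continue
        off += 1
        if ln == 0:
            return labels, (end if end is not None else off)
        labels.append(bytes(msg[off:off + ln]))
        off += ln


def dotted(labels):
    return '.'.join(l.decode('ascii', 'replace') for l in labels)


def nb_decode(label):
    """First-level decode of a 32-byte NetBIOS label (RFC 1001 14.1): each nibble is sent as 'A'+nibble.
    Returns (name, suffix byte) or None if the label is not in that form."""
    if len(label) != 32 or any(c < 0x41 or c > 0x50 for c in label):
        return None
    raw = bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].rstrip(b' \x00').decode('ascii', 'replace'), raw[15]


def parse_message(msg):
    """Parse a DNS or NBNS message into a dict of header bits, questions and resource records."""
    if len(msg) < 12:
        raise ValueError('short message')
    tid, flags, qd, an, ns, ar = struct.unpack_from('!6H', msg, 0)
    out = {'id': tid, 'qr': bool(flags & 0x8000), 'opcode': (flags >> 11) & 0xF,
           'aa': bool(flags & 0x0400), 'tc': bool(flags & 0x0200), 'rd': bool(flags & 0x0100),
           'ra': bool(flags & 0x0080), 'b_flag': bool(flags & 0x0010),  # NBNS broadcast bit (CD in DNS)
           'rcode': RCODES.get(flags & 0xF, flags & 0xF),
           'questions': [], 'answers': [], 'authority': [], 'additional': []}
    off = 12
    for _ in range(qd):
        labels, off = read_name(msg, off)
        qtype, _qclass = struct.unpack_from('!HH', msg, off)
        off += 4
        q = {'name': dotted(labels), 'type': TYPES.get(qtype, qtype)}
        nb = nb_decode(labels[0]) if labels else None
        if nb:
            q['netbios_name'], q['netbios_suffix'] = nb
        out['questions'].append(q)
    for section, count in (('answers', an), ('authority', ns), ('additional', ar)):
        for _ in range(count):
            labels, off = read_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack_from('!HHIH', msg, off)
            off += 10
            rr = {'name': dotted(labels), 'type': TYPES.get(rtype, rtype), 'ttl': ttl}
            if rtype == 6:                                   # SOA: two names then five 32-bit fields
                mname, p = read_name(msg, off)
                rname, p = read_name(msg, p)
                rr['mname'], rr['rname'] = dotted(mname), dotted(rname)
                (rr['serial'], rr['refresh'], rr['retry'],
                 rr['expire'], rr['minimum']) = struct.unpack_from('!5I', msg, p)
            elif rtype in (2, 12):                           # NS / PTR: a single name
                rr['target'] = dotted(read_name(msg, off)[0])
            elif rtype == 1 and rdlen == 4:                  # A: IPv4 address
                rr['address'] = '.'.join(str(b) for b in msg[off:off + 4])
            else:
                rr['rdata'] = msg[off:off + rdlen].hex()
            off += rdlen
            out[section].append(rr)
    return out


if __name__ == '__main__':
    print(parse_message(NBNS_QUERY))
    print(parse_message(DNS_RESPONSE))
```

On the 137/udp payload the parser reports a query of type NBSTAT for the NetBIOS name "*" with suffix 0x00; on the DNS reply it reports an authoritative NXDOMAIN with an empty answer section and a single SOA for gnetworks.com whose serial, 2001071807, matches the dig output.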