FW: SANS FLASH: New Trojan Sending Data To Russia

Michael DeVicariis webtemp at ucsd-pps.ucsd.edu
Mon Jul 31 11:46:49 CDT 2000


~sdpm~
This might be of interest to those of you who are network/web server
administrators.



Michael DeVicariis
Web Administrator/Developer
Programmer/Analyst
UCSD Auxiliary & Plant Services
(858) 534-0700



-----Original Message-----
From: The SANS Institute [mailto:sans at sans.org]
Sent: Friday, July 28, 2000 5:55 PM
To: Michael DeVicariis
Subject: SANS FLASH: New Trojan Sending Data To Russia


SANS Flash Report: Trojans Sending More Data To Russia
July 28, 2000, 6:20 pm, EDT

This is preliminary information.  The GIAC (Global Incident
Analysis Center) has received several submissions showing large
amounts of data being sent, illegitimately, from Windows 98
machines to a Russian IP address (194.87.6.X).  The cause is most
probably a Trojan, but whatever it is, it is moving fast.

What should you do?

1. All sites should block network traffic from or to 194.87.6.X.
2. If you see outgoing traffic from one of your machines to that
   address, you should pull it from the network until anti-virus
   signatures are available.

This activity has been going on for a few days, but the
correlations are just coming in.  If you have information to
share, please send it to intrusion at sans.org.

The remainder of this message is fairly technical and meant to
help system administrators and firewall administrators protect
their systems.

Thank you!

Stephen Northcutt, Director Global Incident Analysis Center
The SANS Institute

> From SANS GIAC Report 00/07/28
> (dhoelzer)
>    This one came in at about 20:16 on July 26. The 194.87.6.201
> machine, interestingly enough, resolves back to .ru. There is
> no other traffic to or from this network (194.87.6.X) for the
> last two months of live data that I have online. It's hard to
> make a guess on this one. Perhaps the machine that recorded
> this is on a proxy list somewhere, but then, this machine is a
> brand new honeypot on an IP address that hasn't been populated
> for at least 7 years, and has never been used as a proxy server.
> If this is just a random stab, it's interesting that there is
> no record of any network mapping from this network/host.
> Perhaps there was some coordinated mapping here, or perhaps
> there is someone out there who has mapped us already who was
> willing to share (or moved to a new network).
>
>    bash# cat 8080
>    Initializing server socket...Binding to port 8080...Done.
>    Starting listener...Listening.
>    Connection from: 194.87.6.201
>        0| 47 45 54 20 68 74 74 70 3a 2f 2f 77 77 77 2e 63
>       16| 6f 6d 6d 69 73 73 69 6f 6e 2d 6a 75 6e 63 74 69
>       32| 6f 6e 2e 63 6f 6d 2f 20 48 54 54 50 2f 31 2e 31
>       48| 0d 0a 48 6f 73 74 3a 20 77 77 77 2e 63 6f 6d 6d
>       64| 69 73 73 69 6f 6e 2d 6a 75 6e 63 74 69 6f 6e 2e
>       80| 63 6f 6d 0d 0a 41 63 63 65 70 74 3a 20 2a 2f 2a
>       96| 0d 0a 50 72 61 67 6d 61 3a 20 6e 6f 2d 63 61 63
>      112| 68 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20
>         +-------------------------------------------------
>        0|  G  E  T     h  t  t  p  :  /  /  w  w  w  .  c
>       16|  o  m  m  i  s  s  i  o  n  -  j  u  n  c  t  i
>       32|  o  n  .  c  o  m  /     H  T  T  P  /  1  .  1
>       48|  .  .  H  o  s  t  :     w  w  w  .  c  o  m  m
>       64|  i  s  s  i  o  n  -  j  u  n  c  t  i  o  n  .
>       80|  c  o  m  .  .  A  c  c  e  p  t  :     *  /  *
>       96|  .  .  P  r  a  g  m  a  :     n  o  -  c  a  c
>      112|  h  e  .  .  U  s  e  r  -  A  g  e  n  t  :
>      128|  M  o  z  i  l  l  a  /  4  .  0     (  c  o  m
>      144|  p  a  t  i  b  l  e  ;     M  S  I  E     4  .
>      160|  0  1  ;     W  i  n  d  o  w  s     9  8  )  .
>      176|  .  .  .
>         +-------------------------------------------------
>            0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
>    Connection Terminated
>    bash# nslookup 194.87.6.201
>    Server:  midgaard.smsc.com
>    Address:  170.129.53.52
>    Name:    201.6.87.194.dynamic.dol.ru
>    Address:  194.87.6.201
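Decoding the hex panel of the capture above makes the nature of the connection explicit: the request line carries an absolute URI (`GET http://www.commission-junction.com/ HTTP/1.1`), which is the form a client sends to an HTTP proxy rather than to the web server itself, so the honeypot's port 8080 was being tried as an open proxy. The Python script below is an added example, not part of dhoelzer's post or the SANS report: it parses the `offset| xx xx ...` lines, reassembles the bytes, and splits the request head into request line and headers. The dump text is copied from the post; because the hex panel stops at offset 128, in the middle of the User-Agent header, the script reports that header as incomplete instead of treating it as a value. `parse_hexdump` and `parse_request` are names chosen here.

```python
"""Decode the GIAC honeypot hex dump and parse the HTTP request it contains.

Added example; the dump text below is copied from the post above (the
hex panel ends at offset 128, so the last header is incomplete).
"""

# Hex panel of the capture, as posted (offset| 16 bytes per line).
CAPTURE = """\
    0| 47 45 54 20 68 74 74 70 3a 2f 2f 77 77 77 2e 63
   16| 6f 6d 6d 69 73 73 69 6f 6e 2d 6a 75 6e 63 74 69
   32| 6f 6e 2e 63 6f 6d 2f 20 48 54 54 50 2f 31 2e 31
   48| 0d 0a 48 6f 73 74 3a 20 77 77 77 2e 63 6f 6d 6d
   64| 69 73 73 69 6f 6e 2d 6a 75 6e 63 74 69 6f 6e 2e
   80| 63 6f 6d 0d 0a 41 63 63 65 70 74 3a 20 2a 2f 2a
   96| 0d 0a 50 72 61 67 6d 61 3a 20 6e 6f 2d 63 61 63
  112| 68 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20
      +-------------------------------------------------
"""


def parse_hexdump(dump: str) -> bytes:
    """Reassemble the bytes from 'offset| xx xx ...' lines (hex panel only).

    Ruler and separator lines (no numeric offset before '|') are skipped,
    and each line's offset is checked against the byte count so far, so a
    missing or duplicated line is reported instead of silently shifting data.
    """
    out = bytearray()
    for line in dump.splitlines():
        offset_text, sep, hex_text = line.partition("|")
        if not sep or not offset_text.strip().isdigit():
            continue
        offset = int(offset_text)
        if offset != len(out):
            raise ValueError(f"line at offset {offset} but {len(out)} bytes read so far")
        out.extend(bytes.fromhex(hex_text))  # fromhex ignores the spaces
    return bytes(out)


def parse_request(raw: bytes) -> dict:
    """Split a (possibly truncated) HTTP/1.x request head into its parts."""
    request_line, _, rest = raw.partition(b"\r\n")
    method, target, version = request_line.decode("ascii").split(" ")
    pieces = rest.split(b"\r\n")
    headers = {}
    for piece in pieces[:-1]:          # every element but the last ended in CRLF
        if piece == b"":               # blank line: end of headers
            break
        name, _, value = piece.decode("ascii").partition(":")
        headers[name.strip().lower()] = value.strip()
    # A request for an absolute URI ("GET http://host/ ...") is what a client
    # sends to an HTTP proxy; a request to the server itself uses a path.
    proxy_style = target.lower().startswith(("http://", "https://"))
    return {
        "method": method,
        "target": target,
        "version": version,
        "headers": headers,
        "proxy_style": proxy_style,
        # whatever followed the last CRLF without being terminated itself
        "truncated_header": pieces[-1].decode("ascii") or None,
    }


if __name__ == "__main__":
    request = parse_request(parse_hexdump(CAPTURE))
    print(f"{request['method']} {request['target']} {request['version']}")
    print("proxy-style request:", request["proxy_style"])
    for name, value in request["headers"].items():
        print(f"  {name}: {value}")
    if request["truncated_header"]:
        print("dump ends inside header:", request["truncated_header"])
```

Run it as a script to see the reconstructed request; the offset check in `parse_hexdump` is there because dumps pasted into mail often lose a line, and a silent 16-byte gap would corrupt every header after it.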

+++
Correlation to Laurie's post to GIAC Report 00/07/28,
(http://www.sans.org/y2k/072800.htm):

> (Laurie at .edu)
>
>   =-=-=-=-=-=-=-=-=-=-=
>
>   194.87.6.201 == 201.6.87.194.dynamic.dol.ru
>
>   RU-DEMOS-940901
>
>   Included this because of the Russian source address.
>
>   Jul 26 22:26:23 hostka snort[20224]: MISC-WinGate-8080-Attempt:
>     194.87.6.201:3344 -> a.b.c.32:8080

HTTP and WinGate connection attempts from the same `dynamic.dol.ru'
domain:

Name:    27.6.87.194.dynamic.dol.ru
Address:  194.87.6.27

Jul 27 19:30:08 foo /kernel: Connection attempt to TCP a.b.c.8:80
from 194.87.6.27:4156

Name:    147.6.87.194.dynamic.dol.ru
Address:  194.87.6.147

[**] WinGate 8080 Attempt [**]
07/24-23:04:39.418351 194.87.6.147:3185 -> a.b.c.8:8080
TCP TTL:120 TOS:0x0 ID:12966  DF
**S***** Seq: 0x540140   Ack: 0x0   Win: 0x2000
TCP Options => MSS: 536 NOP NOP SackOK

[**] WinGate 8080 Attempt [**]
07/24-23:04:40.502718 194.87.6.147:3185 -> a.b.c.8:8080
TCP TTL:120 TOS:0x0 ID:17318  DF
**S***** Seq: 0x540140   Ack: 0x0   Win: 0x2000
TCP Options => MSS: 536 NOP NOP SackOK

[**] WinGate 8080 Attempt [**]
07/24-23:04:41.521379 194.87.6.147:3185 -> a.b.c.8:8080
TCP TTL:120 TOS:0x0 ID:27302  DF
**S***** Seq: 0x540140   Ack: 0x0   Win: 0x2000
TCP Options => MSS: 536 NOP NOP SackOK


The system trace below was found by a ConSeal firewall:
2000/07/27 9:15:19 PM GMT -0400: NDC 10/100 Fast E..[0001][No matching rule] Blocking outgoing TCP: src=24.114.my.ip, dst=194.87.6.27, sport=8080, dport=2418.
2000/07/27 9:15:22 PM GMT -0400: NDC 10/100 Fast E..[0001][Ref# 181] Blocking incoming connection attempt: src=194.87.6.27, local port 8080.
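The SANS guidance above comes down to two checks against one's own logs: is anything talking to 194.87.6.X at all (block it), and has a local machine sent traffic to that range (pull it off the network). The Python script below is an added example, not part of the SANS report, that applies both checks to the three log formats quoted in this message: snort alerts with `src:port -> dst:port`, the BSD kernel `Connection attempt to ... from ...` line, and ConSeal's `src=..., dst=...` entries. The sample lines are constructed on the model of the ones above, with 192.0.2.x (RFC 5737 documentation space) standing in for the redacted `a.b.c.*` and `24.114.my.ip` addresses; "194.87.6.X" is read as the /24; `endpoints`, `triage` and `hosts_to_isolate` are names chosen here.

```python
"""Triage firewall and IDS log lines for traffic to or from a watched range.

Added example (not from the SANS report). The sample lines are constructed on
the model of the ones quoted in this message; 192.0.2.x (RFC 5737 documentation
space) stands in for the redacted local addresses.
"""
import re
from ipaddress import ip_address, ip_network

# "194.87.6.X" in the advisory, read as the /24.
WATCH = ip_network("194.87.6.0/24")

# A dotted quad, optionally followed by ":port" (the captured group is the address).
IP = r"(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?"

# Each pattern captures two addresses; the order they appear in is noted per format.
PATTERNS = [
    # snort syslog line and full-alert header: "src:port -> dst:port"
    ("arrow", re.compile(IP + r"\s*->\s*" + IP)),
    # BSD kernel: "Connection attempt to TCP dst:port from src:port"
    ("kernel", re.compile(r"Connection attempt to \w+ " + IP + r" from " + IP)),
    # ConSeal, outgoing: "src=<local>, dst=<remote>"
    ("conseal_out", re.compile(r"src=" + IP + r",\s*dst=" + IP)),
    # ConSeal, incoming: only the remote source is logged
    ("conseal_in", re.compile(r"incoming connection attempt: src=" + IP)),
]


def endpoints(line):
    """Return (source, destination) addresses from a log line, or None."""
    for kind, pattern in PATTERNS:
        m = pattern.search(line)
        if m is None:
            continue
        if kind == "kernel":            # destination is logged first
            return m.group(2), m.group(1)
        if kind == "conseal_in":        # local side not stated in the entry
            return m.group(1), None
        return m.group(1), m.group(2)
    return None


def triage(lines, watch=WATCH):
    """List every line touching the watched range, tagged by direction.

    'inbound'  : the watched range is the source (a probe against us).
    'outbound' : one of our hosts is the source and the range the destination,
                 the condition the advisory says warrants pulling the host
                 off the network.
    """
    findings = []
    for number, line in enumerate(lines, 1):
        pair = endpoints(line)
        if pair is None:
            continue
        src, dst = pair
        if ip_address(src) in watch:
            findings.append({"line": number, "direction": "inbound", "remote": src, "local": dst})
        elif dst is not None and ip_address(dst) in watch:
            findings.append({"line": number, "direction": "outbound", "remote": dst, "local": src})
    return findings


def hosts_to_isolate(findings):
    """Local hosts seen sending to the watched range, deduplicated."""
    return sorted({f["local"] for f in findings if f["direction"] == "outbound"})


SAMPLE_LOGS = [  # constructed; formats follow the lines quoted in this message
    "Jul 26 22:26:23 hostka snort[20224]: MISC-WinGate-8080-Attempt: 194.87.6.201:3344 -> 192.0.2.32:8080",
    "Jul 27 19:30:08 foo /kernel: Connection attempt to TCP 192.0.2.8:80 from 194.87.6.27:4156",
    "07/24-23:04:39.418351 194.87.6.147:3185 -> 192.0.2.8:8080",
    "2000/07/27 9:15:19 PM GMT -0400: NDC 10/100 Fast E..[0001][No matching rule] "
    "Blocking outgoing TCP: src=192.0.2.77, dst=194.87.6.27, sport=8080, dport=2418.",
    "2000/07/27 9:15:22 PM GMT -0400: NDC 10/100 Fast E..[0001][Ref# 181] "
    "Blocking incoming connection attempt: src=194.87.6.27, local port 8080.",
    # unrelated source address: parsed, but not reported
    "Jul 27 20:01:02 foo /kernel: Connection attempt to TCP 192.0.2.8:80 from 198.51.100.9:1025",
]

if __name__ == "__main__":
    results = triage(SAMPLE_LOGS)
    for f in results:
        print(f"line {f['line']}: {f['direction']:8} remote={f['remote']} local={f['local']}")
    print("hosts to pull from the network:", hosts_to_isolate(results) or "none")
```

One caveat when reading the output: the ConSeal "outgoing" entry above has source port 8080 and a high destination port, the shape of a reply to the probe of port 8080 logged three seconds later rather than of a connection the host opened itself. The script still lists that host, because the advisory treats any outbound traffic to the range as the trigger, but the analyst should confirm on the host which side opened the connection before classing it as compromised rather than merely probed.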

~sdpm~

The posting address is: san-diego-pm-list at hfb.pm.org

List requests should be sent to: majordomo at hfb.pm.org
