One possibility is that Half-Life servers are inherently directory services. The list of connected players could be used to encode directory data for the worm to attack.

Owen

--On Friday, August 22, 2003 8:50 PM -0400 Matt Martini <martini@invision.net> wrote:
I've scanned my Netflow logs for activity associated with the 20 machines that SoBig was targeting and I found some very curious activity.
I routed traffic to these 20 IPs to Null0.
At 3:09 I started getting traffic from 10 of the 20 machines to a Half-Life server on my network. This continued until 6:14pm.
The conversations could not be productive because of my Null route, but what were these machines trying to do? Even more interesting is the fact that these machines were supposed to be shut down before 3:00. How could they be sending data to this Half-Life server? I suspect that the addresses are spoofed, but to what end?
Are there any Half-Life vulnerabilities that the virus writers are using? It just seems like too much of a coincidence that 10 out of 20 machines were hitting this server.
I have the original Netflow data and the complete logs. Below is a sample of what I was seeing. Port 27015 is the normal Half-Life port.
Anyone have any ideas, or seeing anything similar?
Read: Date,Time,SrcIP,SrcPort,DstIP,DstPort,Protocol,Packets,Bytes
2003/08/22 15:09:54 67.73.21.6.50416 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:10:00 12.232.104.221.64550 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:10:03 61.38.187.59.43445 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:10:07 67.9.241.67.17414 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:10:09 63.250.82.87.2956 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:10:12 24.197.143.132.18637 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:10:23 61.38.187.59.64072 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:10:31 67.73.21.6.27900 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:10:39 65.177.240.194.1448 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:10:46 63.250.82.87.33876 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:11:16 65.177.240.194.40713 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:11:18 61.38.187.59.58060 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:11:25 24.197.143.132.4336 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:11:40 67.9.241.67.6812 -> XXX.XXX.XXX.XXX.27015 17 1 37
[...]
2003/08/22 18:13:27 65.95.193.138.11565 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 18:13:31 12.232.104.221.32662 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 18:13:35 61.38.187.59.28106 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 18:13:37 24.33.66.38.19736 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 18:13:38 67.9.241.67.51452 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 18:13:46 65.95.193.138.46930 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 18:13:53 61.38.187.59.16641 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 18:13:59 63.250.82.87.56358 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 18:14:09 12.232.104.221.19923 -> XXX.XXX.XXX.XXX.27015 17 1 37
Total = 1751 flows from 15:09:54 to 18:14:09
Servers hitting the Half-Life machine
------------------------------------
12.232.104.221
24.33.66.38
24.197.143.132
24.202.91.43
61.38.187.59
63.250.82.87
65.95.193.138
65.177.240.194
67.9.241.67
67.73.21.6
http://www.invision.net/
Matthew E. Martini, PE, Chief Technology Officer
InVision.com, Inc.
(631) 543-1000 x104
(631) 864-8896 Fax
matt@invision.net
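The analysis in the message above (pull the flows aimed at the Half-Life port, check which sources are on the null-routed target list, and summarise count, time span and packet profile) is easy to reproduce over the exported flow records. The following script is an added example, not code from the thread or from either poster. It parses the `Date Time SrcIP.SrcPort -> DstIP.DstPort Protocol Packets Bytes` layout the post describes, using a handful of the posted records as constructed sample input; the watch list is the ten source addresses the post lists, standing in for the full 20-address target list, which the thread does not reproduce.

```python
"""Summarise flow records of the form shown in the post.

Added example; not part of the original thread. The record layout is the one
the post gives: Date Time SrcIP.SrcPort -> DstIP.DstPort Protocol Packets Bytes.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime

# One flow record per line; dst may be the masked "XXX.XXX.XXX.XXX" form.
FLOW_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>[\w.]+)\.(?P<dport>\d+) (?P<proto>\d+) (?P<pkts>\d+) (?P<bytes>\d+)$"
)

# Constructed sample: six of the records quoted in the post.
SAMPLE_FLOWS = """\
2003/08/22 15:09:54 67.73.21.6.50416 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:10:00 12.232.104.221.64550 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:10:03 61.38.187.59.43445 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:10:07 67.9.241.67.17414 -> XXX.XXX.XXX.XXX.27015 17 1 37
[...]
2003/08/22 15:10:23 61.38.187.59.64072 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 18:14:09 12.232.104.221.19923 -> XXX.XXX.XXX.XXX.27015 17 1 37
"""

# The ten sources listed in the post. Placeholder for the full list of 20
# null-routed addresses, which the thread does not reproduce.
WATCH_LIST = {
    "12.232.104.221", "24.33.66.38", "24.197.143.132", "24.202.91.43",
    "61.38.187.59", "63.250.82.87", "65.95.193.138", "65.177.240.194",
    "67.9.241.67", "67.73.21.6",
}


def parse_flows(text: str) -> list[dict]:
    """Parse flow records; skip blank lines and the '[...]' elision marker."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "[...]":
            continue
        m = FLOW_RE.match(line)
        if not m:
            raise ValueError(f"unparsable flow record: {line!r}")
        d = m.groupdict()
        flows.append({
            "ts": datetime.strptime(f"{d['date']} {d['time']}", "%Y/%m/%d %H:%M:%S"),
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "proto": int(d["proto"]), "pkts": int(d["pkts"]), "bytes": int(d["bytes"]),
        })
    return flows


def summarize(flows: list[dict], watch_list: set[str], dport: int = 27015,
              proto: int = 17) -> dict:
    """Count flows to the game port, note watched sources and the packet profile.

    proto 17 is UDP, the protocol number shown in the records.
    """
    hits = [f for f in flows if f["dport"] == dport and f["proto"] == proto]
    per_src: dict[str, int] = defaultdict(int)
    for f in hits:
        per_src[f["src"]] += 1
    # A single (packets, bytes) pair across every flow is the kind of uniform
    # profile the post remarks on (every record is 1 packet, 37 bytes).
    profiles = {(f["pkts"], f["bytes"]) for f in hits}
    fmt = "%H:%M:%S"
    return {
        "total": len(hits),
        "first": min(f["ts"] for f in hits).strftime(fmt) if hits else None,
        "last": max(f["ts"] for f in hits).strftime(fmt) if hits else None,
        "per_source": dict(per_src),
        "watched_sources": sorted(set(per_src) & watch_list),
        "uniform_profile": len(profiles) == 1,
        "profile": next(iter(profiles)) if len(profiles) == 1 else None,
    }


if __name__ == "__main__":
    report = summarize(parse_flows(SAMPLE_FLOWS), WATCH_LIST)
    print(f"Total = {report['total']} flows from {report['first']} to {report['last']}")
    for src, n in sorted(report["per_source"].items()):
        flag = "WATCHED" if src in report["watched_sources"] else ""
        print(f"  {src:<16} {n:>4} {flag}")
    print("uniform packet profile:", report["uniform_profile"], report["profile"])
```

Because flow export only records headers, the script can confirm the pattern (which sources, how many flows, how uniform) but not the question the post raises about whether the source addresses are spoofed; that needs a packet capture on the Half-Life server side, and the uniform 1-packet/37-byte profile is the filter to apply when pulling those packets out of it.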