We see a lot of requests of the following format in our proxy logs:

1105979310.010 240001 10.3.12.211 TCP_MISS/504 1458 GET http://84.120.14.236:25204/2005/1/17/11/23/32/ - NONE/- text/html
1105979314.020 240009 10.3.12.211 TCP_MISS/504 1458 GET http://67.171.84.104:25238/2005/1/17/11/23/41/ - NONE/- text/html
1105979316.077 240068 10.3.12.211 TCP_MISS/504 1460 GET http://213.188.227.50:25401/2005/1/17/11/23/43/ - NONE/- text/html

The ports these clients are trying to connect to seem to be in the range between 25000 and 26000 all the time. All requests have the timestamp in the URL (/2005/1/17/11/23/43 for example). We are currently investigating together with NAI what that is.

We have a bunch of internal hosts producing these requests and the numbers are rising. The load is starting to render our proxies unusable. Any hints are very welcome.

Nils
Nils Ketelsen wrote:
We see a lot of requests of the following format in our proxy logs:
1105979310.010 240001 10.3.12.211 TCP_MISS/504 1458 GET http://84.120.14.236:25204/2005/1/17/11/23/32/ - NONE/- text/html
1105979314.020 240009 10.3.12.211 TCP_MISS/504 1458 GET http://67.171.84.104:25238/2005/1/17/11/23/41/ - NONE/- text/html
1105979316.077 240068 10.3.12.211 TCP_MISS/504 1460 GET http://213.188.227.50:25401/2005/1/17/11/23/43/ - NONE/- text/html
A very important question would be: do you see these URL's on ANY-HOST/permutation or SPECIFIC-HOSTS/permutation? Gadi.
On Mon, Jan 17, 2005 at 07:44:37PM +0200, Gadi Evron wrote:
Nils Ketelsen wrote:
We see a lot of requests of the following format in our proxy logs:
1105979310.010 240001 10.3.12.211 TCP_MISS/504 1458 GET http://84.120.14.236:25204/2005/1/17/11/23/32/ - NONE/- text/html
1105979314.020 240009 10.3.12.211 TCP_MISS/504 1458 GET http://67.171.84.104:25238/2005/1/17/11/23/41/ - NONE/- text/html
1105979316.077 240068 10.3.12.211 TCP_MISS/504 1460 GET http://213.188.227.50:25401/2005/1/17/11/23/43/ - NONE/- text/html
A very important question would be: do you see these URL's on ANY-HOST/permutation or SPECIFIC-HOSTS/permutation?
Good idea to look at this. According to my logs, exactly 1000 IP addresses are being accessed. After that I looked at one example host, which by then had accessed 466 addresses. Waited a few seconds, checked the one host again: 469 addresses. Nevertheless the total number of accessed addresses was still 1000 (over all hosts). So I think we might in fact have 1000 addresses that are contacted/attacked.

The complete list of contacted addresses can be found here: http://steering-group.net/~nils/ips.txt

Network owners might want to check if their IP addresses are on the list, and if so, look for increased traffic on these addresses, in case all infected PCs (and not only the ones I happen to be seeing) really connect to the same addresses.

I still have no clue what is causing this, but I am pretty clueless when it comes to Windows PCs anyway, and as you might have guessed: the PCs making these connections are Windows machines.

Nils
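The two observations above (the fixed URL shape with a high destination port and a /YYYY/M/D/H/M/S/ path, and the per-host versus global count of distinct destinations) can be pulled straight out of Squid's native access.log. The following is an added example, not code from the thread or from any of the participants: it parses Squid native-format lines, flags requests that match the pattern described, and builds the per-client and global destination sets that Nils counted by hand, plus the number of 504 gateway timeouts and the seconds they tied up, which is the proxy-load signal from the first message. The first three sample lines are the ones posted; the remaining lines are constructed here to show the negative cases (normal traffic, and a timestamp-style path on a port outside the reported range). The 25000-26000 range is taken from the post; nothing else about the malware is assumed.

```python
"""Flag Squid access.log entries matching the probe pattern from the thread:
an IP-literal destination on a port in 25000-26000 with a /YYYY/M/D/H/M/S/ path.
Added example; the port range is the one reported in the post."""
import re
from collections import defaultdict

# URL shape as seen in the posted log lines.
URL_RE = re.compile(
    r"^http://(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})"
    r"(?P<path>/\d{4}(?:/\d{1,2}){5}/)$"
)
SUSPECT_PORTS = range(25000, 26001)  # 25000-26000 inclusive, as reported

# Sample log: first three lines are from the post, the rest are constructed.
SAMPLE_LOG = """\
1105979310.010 240001 10.3.12.211 TCP_MISS/504 1458 GET http://84.120.14.236:25204/2005/1/17/11/23/32/ - NONE/- text/html
1105979314.020 240009 10.3.12.211 TCP_MISS/504 1458 GET http://67.171.84.104:25238/2005/1/17/11/23/41/ - NONE/- text/html
1105979316.077 240068 10.3.12.211 TCP_MISS/504 1460 GET http://213.188.227.50:25401/2005/1/17/11/23/43/ - NONE/- text/html
1105979317.100 240010 10.3.12.217 TCP_MISS/504 1458 GET http://84.120.14.236:25204/2005/1/17/11/23/44/ - NONE/- text/html
1105979318.500 120 10.3.12.99 TCP_HIT/200 5120 GET http://www.example.com/index.html - NONE/- text/html
1105979319.000 300 10.3.12.99 TCP_MISS/200 800 GET http://198.51.100.7:8080/2005/1/17/11/23/45/ - DIRECT/198.51.100.7 text/html
"""


def parse_squid_line(line):
    """Parse one Squid native access.log line (10 whitespace-separated fields):
    ts elapsed_ms client action/code bytes method url ident hierarchy/peer type.
    Returns a dict, or None for a line that does not have that shape."""
    f = line.split()
    if len(f) < 10:
        return None
    action, _, code = f[3].partition("/")
    return {
        "ts": float(f[0]),
        "elapsed_ms": int(f[1]),
        "client": f[2],
        "action": action,
        "code": int(code) if code.isdigit() else 0,
        "bytes": int(f[4]),
        "method": f[5],
        "url": f[6],
    }


def classify_url(url):
    """Return (ip, port) when the URL has the probe shape on a suspect port,
    otherwise None. A timestamp path on an ordinary port is not flagged."""
    m = URL_RE.match(url)
    if not m:
        return None
    port = int(m.group("port"))
    if port not in SUSPECT_PORTS:
        return None
    return m.group("ip"), port


def summarize(log_text):
    """Per-client and global view of the flagged traffic, plus the cost of the
    504 timeouts (each is a connect attempt that held a proxy slot for
    elapsed_ms before failing)."""
    per_client = defaultdict(set)
    all_dests = set()
    timeouts = 0
    timeout_ms = 0
    for line in log_text.splitlines():
        e = parse_squid_line(line)
        if e is None:
            continue
        hit = classify_url(e["url"])
        if hit is None:
            continue
        per_client[e["client"]].add(hit)
        all_dests.add(hit)
        if e["code"] == 504:
            timeouts += 1
            timeout_ms += e["elapsed_ms"]
    return {
        "infected_clients": sorted(per_client),
        "dests_per_client": {c: len(d) for c, d in per_client.items()},
        "distinct_destinations": len(all_dests),
        "destination_ips": sorted({ip for ip, _ in all_dests}),
        "gateway_timeouts": timeouts,
        "timeout_seconds": timeout_ms / 1000.0,
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

Run it against a real access.log with `summarize(open("/var/log/squid/access.log").read())`; `destination_ips` is the same kind of list as the ips.txt Nils published, and a `distinct_destinations` value that stops growing while `dests_per_client` keeps rising is the fixed-target-list behaviour he describes.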
I still have no clue what is causing this, but I am pretty clueless when it comes to Windows PCs anyway, and as you might have guessed: The PCs making these connections are windows machines.
Continuing our off-list discussion for this on-list comment... Without a reboot, try to tie the outgoing connections to a process. I believe Sysinternals has some tools that may help with this. Gadi.
Nevertheless the total number of accessed addresses was still 1000 (over all hosts). So I think we might have in fact 1000 Addresses that are contacted/attacked. The complete list of contacted addresses can be found here:
More to the point - how about the IP's who try to connect inbound? I suppose sharing this on-list may not be the best of ideas. Gadi.
Nils Ketelsen wrote:
I still have no clue what is causing this, but I am pretty clueless when it comes to Windows PCs anyway, and as you might have guessed: The PCs making these connections are windows machines.
http://www.lurhq.com/baba.html Thanks go to Joe Stewart from lurhq. -- Gadi Evron, Information Security Manager, Project Tehila - Israeli Government Internet Security. Ministry of Finance, Israel. gadi@tehila.gov.il gadi@CERT.gov.il Office: +972-2-5317890 Fax: +972-2-5317801 http://www.tehila.gov.il
http://www.lurhq.com/baba.html
Thanks go to Joe Stewart from lurhq.
Further, please note this is the older variant. According to Joe the B variant was released Jan/12. Gadi.
On Tue, Jan 18, 2005 at 02:48:55PM +0200, Gadi Evron wrote:
Nils Ketelsen wrote:
I still have no clue what is causing this, but I am pretty clueless when it comes to Windows PCs anyway, and as you might have guessed: The PCs making these connections are windows machines.
http://www.lurhq.com/baba.html
Thanks go to Joe Stewart from lurhq.
No, not it. Close but not exactly. I seem to be encountering a different mutation of this virus. First, the ports it is trying to connect to are 25000-26000; second, the timestamp in the URL seems to be missing in the above description. What is true is that the infected file seems to be C:\csrss.exe. According to McAfee VirusScan (with the newest pattern file) this file was infected with buchon.c, but the description does not fully match either.

Anyway: killing the process and removing c:\csrss.exe helped.

McAfee has known about this virus since last week, but decided it was not worth an update of their regular patterns. Thank you for this policy of slow updates; I will see that I get a vendor that acts in time, I guess.

Nils
On Tue, 18 Jan 2005 08:58:32 -0500, Nils Ketelsen <nils.ketelsen@kuehne-nagel.com> wrote:
McAfee knows about this Virus since last week, but decided it was not worth an update of their regular patterns. Thank you for this policy of slow updates, I will see that I get a vendor that acts in time, I guess.
Might I suggest ClamAV? http://www.clamav.com

ClamAV, while being open source, seems to have an incredibly fast response time to new viruses. I've seen new viruses caught by Clam 8-10 hours before the "big" vendors catch them. I understand the need to have a vendor-supported product, but having ClamAV in the mix helps tremendously... And there's a Windows version as well (albeit by another developer): http://www.clamwin.net
Nils
-- Jason 'XenoPhage' Frisvold XenoPhage0@gmail.com