
RE: Help - a possible bot

From: Dan Perez <danperez(at)san.rr.com>
Date: Sat Nov 16 2002 - 03:33:48 EST


You may want to try the recently released PortExplorer from

http://www.diamondcs.com.au/portexplorer/

You will likely need to get the registered version to be of any help in your predicament but you can get an idea of what it can do from the demo version.

An alternative would be the SysInternals utilities of TCPmon, Filemon, and Regmon but with PortExplorer you can set it to "spy" on any socket and data being sent and received. It separates the header info from the payload, however, so if you need more Header info than the parsed details it provides you would need to resort to winpcap and windump or snort.

Regards,

Dan Perez

-----Original Message-----
From: Moshe Aelion [mailto:ma0934@hotmail.com]
Sent: Friday, November 15, 2002 12:11 PM
To: incidents @ security focus
Subject: Help - a possible bot

Hi everybody


Two weeks ago, the NAT/ICMP computer on our LAN got compromised; the hacker installed DameWare and was trying to work on the computer. It was discovered within about 10 minutes. I then installed ZoneAlarm Pro.

The problem is, I am detecting a suspicious hit/respond activity, which, in my opinion, points to an active bot. Here's the evidence: when inspecting ZA logs, you can see a blocked scan (coming every couple of minutes, from arbitrary addresses - I bet they're spoofed) and soon after, the computer responds with a (blocked) attempt to communicate with that address. This points to an active bot (in my opinion), since, although ZA claims it blocked the incoming attempt, the computer immediately tries to respond - therefore SOMETHING inside did get a message.

I did a lot of port blocking, Foundstone fport tracking, netstat -an, and couldn't find anything extraordinary. I installed PestPatrol and Trojan Remover; they discovered nothing. (Except fport which I used). The "HKEY_localmachine_software...Microsoft\...currentversion\run" registry key doesn't show anything suspicious.

I do notice, though, that svchost is unusually active - doing about 25k read/write I/O per second, with nothing running. I did a lot of port blocking and couldn't stop the hit/response phenomenon. I also stopped several processes and services and the phenomenon didn't stop.

I'm attaching here the ZA log. The incoming attempt and the response are denoted with "<--".

I'm also attaching the netstat -an and fport scan outputs.

Thanks in advance for any assistance

Moshe


Note: the 10.0.0.1:3028 to 10.0.0.138:1723 link is the ADSL pptp.

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1723           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3006           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3028           0.0.0.0:0              LISTENING
  TCP    10.0.0.1:3028          10.0.0.138:1723        ESTABLISHED
  TCP    10.0.0.1:7732          0.0.0.0:0              LISTENING
  TCP    192.168.0.1:139        0.0.0.0:0              LISTENING
  TCP    192.168.0.1:3002       0.0.0.0:0              LISTENING
  TCP    192.168.0.1:3003       0.0.0.0:0              LISTENING
  TCP    192.168.0.1:3004       0.0.0.0:0              LISTENING
  TCP    192.168.0.1:14810      0.0.0.0:0              LISTENING
  TCP    my.net.217.125:13145  0.0.0.0:0              LISTENING
  UDP    0.0.0.0:135            *:*
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:1027           *:*
  UDP    0.0.0.0:3001           *:*
  UDP    0.0.0.0:3239           *:*
  UDP    0.0.0.0:3240           *:*
  UDP    10.0.0.1:500           *:*
  UDP    10.0.0.1:6979          *:*
  UDP    192.168.0.1:53         *:*
  UDP    192.168.0.1:67         *:*
  UDP    192.168.0.1:68         *:*
  UDP    192.168.0.1:137        *:*
  UDP    192.168.0.1:138        *:*
  UDP    192.168.0.1:500        *:*
  UDP    192.168.0.1:10900      *:*
  UDP    192.168.0.1:17985      *:*
  UDP    192.168.0.1:17987      *:*
  UDP    my.net.217.125:500     *:*
  UDP    my.net.217.125:9504    *:*
=========================  end of "netstat -an" output
=========================

=========================  "fport /p" output
==========================

FPort v1.33 - TCP/IP Process to Port Mapper Copyright 2000 by Foundstone, Inc.
Pid   Process            Port  Proto Path
400   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
8     System         ->  139   TCP
8     System         ->  445   TCP
516   MSTask         ->  1025  TCP   C:\WINNT\system32\MSTask.exe
8     System         ->  1026  TCP
8     System         ->  1723  TCP
612   vsmon          ->  3002  TCP   C:\WINNT\system32\ZoneLabs\vsmon.exe
472   svchost        ->  3006  TCP   C:\WINNT\System32\svchost.exe
8     System         ->  3657  TCP
8     System         ->  4629  TCP
8     System         ->  4775  TCP

400   svchost        ->  135   UDP   C:\WINNT\system32\svchost.exe
8     System         ->  137   UDP
8     System         ->  138   UDP
8     System         ->  445   UDP
228   lsass          ->  500   UDP   C:\WINNT\system32\lsass.exe
216   services       ->  1027  UDP   C:\WINNT\system32\services.exe
472   svchost        ->  3001  UDP   C:\WINNT\System32\svchost.exe
1276  RuLaunch       ->  3167  UDP   C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
612   vsmon          ->  17985 UDP   C:\WINNT\system32\ZoneLabs\vsmon.exe
612   vsmon          ->  17987 UDP   C:\WINNT\system32\ZoneLabs\vsmon.exe

=========================  end of "fport /p" output
==========================
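The inbound-blocked-then-outbound pattern Moshe describes (a blocked hit from some address, then the local machine trying to reach that same address moments later) can be checked mechanically over a firewall log export instead of by eye. The following is an added example, not code from either poster or from ZoneAlarm; it assumes a generic "date time DIRECTION ACTION PROTO src:port -> dst:port" line layout (ZoneAlarm's real export format differs, so adapt the regex), and the sample log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample firewall log in an ASSUMED generic layout
# (not ZoneAlarm's real export format; adjust LINE_RE for your export).
SAMPLE_FW_LOG = """\
2002/11/15 11:02:10 IN  BLOCK TCP 203.0.113.7:3512 -> 10.0.0.1:445
2002/11/15 11:02:11 OUT BLOCK TCP 10.0.0.1:1044 -> 203.0.113.7:4000
2002/11/15 11:05:40 IN  BLOCK UDP 198.51.100.9:1026 -> 10.0.0.1:137
2002/11/15 11:09:02 OUT ALLOW TCP 10.0.0.1:1050 -> 192.0.2.20:80
2002/11/15 11:12:33 IN  BLOCK TCP 192.0.2.55:2301 -> 10.0.0.1:135
2002/11/15 11:12:34 OUT BLOCK TCP 10.0.0.1:1061 -> 192.0.2.55:4000
"""

LINE_RE = re.compile(
    r"^(\S+ \S+)\s+(IN|OUT)\s+(BLOCK|ALLOW)\s+(TCP|UDP)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$"
)


def parse_fw_log(text):
    """Return time-sorted (timestamp, direction, action, proto, remote_ip, remote_port) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or a line in another layout
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        direction, action, proto = m.group(2), m.group(3), m.group(4)
        # The remote side is the source of an inbound event and the destination of an outbound one.
        if direction == "IN":
            remote_ip, remote_port = m.group(5), int(m.group(6))
        else:
            remote_ip, remote_port = m.group(7), int(m.group(8))
        events.append((ts, direction, action, proto, remote_ip, remote_port))
    events.sort(key=lambda e: e[0])
    return events


def find_hit_response_pairs(text, window_seconds=30):
    """Pair each inbound event with the first outbound event to the same remote IP
    inside window_seconds. This is the pattern Moshe flags; treat a match as a
    lead to investigate (which process opened the outbound socket?), not a verdict."""
    events = parse_fw_log(text)
    window = timedelta(seconds=window_seconds)
    pairs = []
    for i, (ts, direction, action, proto, ip, port) in enumerate(events):
        if direction != "IN":
            continue
        for ts2, d2, a2, p2, ip2, port2 in events[i + 1:]:
            if ts2 - ts > window:
                break  # events are sorted, so nothing later can fall inside the window
            if d2 == "OUT" and ip2 == ip:
                pairs.append({
                    "remote": ip,
                    "inbound_at": ts.isoformat(), "inbound_action": action,
                    "outbound_at": ts2.isoformat(), "outbound_action": a2,
                    "outbound_port": port2,
                    "delay_s": (ts2 - ts).total_seconds(),
                })
                break
    return pairs


def remotes_by_count(pairs):
    """Count responses per remote address; an address that keeps triggering one is more interesting."""
    counts = {}
    for p in pairs:
        counts[p["remote"]] = counts.get(p["remote"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_hit_response_pairs(SAMPLE_FW_LOG)
    for p in found:
        print(p)
    print(remotes_by_count(found))
```

On the constructed sample this reports two pairs (the 203.0.113.7 and 192.0.2.55 hits, each answered one second later) and leaves the 198.51.100.9 hit unpaired, since nothing outbound follows it within the window. Each pair's `outbound_at` timestamp is what to line up against a process-to-port mapping taken at the same moment.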
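Cross-referencing the two listings above by hand is error-prone, so here is an added example (not code from either poster, Foundstone or Microsoft) that embeds the TCP portions of the posted "netstat -an" and "fport /p" output verbatim and reports which listening sockets fport did not attribute to a process, and which fport entries have no matching listener. The two listings were not necessarily captured at the same instant, so a difference is a reason to re-run both together and look closer, not a finding in itself.

```python
import re

# TCP portion of the "netstat -an" output posted above, verbatim.
NETSTAT_TCP = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1723           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3006           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3028           0.0.0.0:0              LISTENING
  TCP    10.0.0.1:3028          10.0.0.138:1723        ESTABLISHED
  TCP    10.0.0.1:7732          0.0.0.0:0              LISTENING
  TCP    192.168.0.1:139        0.0.0.0:0              LISTENING
  TCP    192.168.0.1:3002       0.0.0.0:0              LISTENING
  TCP    192.168.0.1:3003       0.0.0.0:0              LISTENING
  TCP    192.168.0.1:3004       0.0.0.0:0              LISTENING
  TCP    192.168.0.1:14810      0.0.0.0:0              LISTENING
  TCP    my.net.217.125:13145  0.0.0.0:0              LISTENING
"""

# TCP portion of the "fport /p" output posted above, verbatim (backslashes doubled for Python).
FPORT_TCP = """\
Pid   Process            Port  Proto Path
400   svchost        ->  135   TCP   C:\\WINNT\\system32\\svchost.exe
8     System         ->  139   TCP
8     System         ->  445   TCP
516   MSTask         ->  1025  TCP   C:\\WINNT\\system32\\MSTask.exe
8     System         ->  1026  TCP
8     System         ->  1723  TCP
612   vsmon          ->  3002  TCP   C:\\WINNT\\system32\\ZoneLabs\\vsmon.exe
472   svchost        ->  3006  TCP   C:\\WINNT\\System32\\svchost.exe
8     System         ->  3657  TCP
8     System         ->  4629  TCP
8     System         ->  4775  TCP
"""

NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)")
FPORT_RE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*)$")


def netstat_listeners(text):
    """Map (proto, port) -> local address for each listening TCP socket and each UDP socket."""
    listeners = {}
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # header line
        proto, addr, port, state = m.group(1), m.group(2), int(m.group(3)), m.group(5)
        if proto == "UDP" or state == "LISTENING":
            listeners[(proto, port)] = addr
    return listeners


def fport_owners(text):
    """Map (proto, port) -> (pid, process name, image path) from fport output."""
    owners = {}
    for line in text.splitlines():
        m = FPORT_RE.match(line)
        if m:
            owners[(m.group(4), int(m.group(3)))] = (int(m.group(1)), m.group(2), m.group(5).strip())
    return owners


def cross_reference(netstat_text, fport_text):
    """Join the two snapshots on (proto, port) and report the mismatches in both directions."""
    listeners = netstat_listeners(netstat_text)
    owners = fport_owners(fport_text)
    return {
        "mapped": {k: owners[k] for k in listeners if k in owners},
        "listening_without_owner": sorted(k for k in listeners if k not in owners),
        "owner_without_listener": sorted(k for k in owners if k not in listeners),
    }


if __name__ == "__main__":
    result = cross_reference(NETSTAT_TCP, FPORT_TCP)
    for key in ("listening_without_owner", "owner_without_listener"):
        print(key, result[key])
    for k, v in sorted(result["mapped"].items()):
        print(k, v)
```

Run against the posted listings, six TCP listeners (3003, 3004, 3028, 7732, 13145, 14810) have no fport owner, and fport shows three ports (3657, 4629, 4775) that netstat does not list as listening. Those are exactly the sockets to take a second, simultaneous snapshot of and to line up against the timestamps of any outbound attempts in the firewall log.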

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Mon Nov 18 02:33:41 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:51 EDT

