[iwar] News


From: Fred Cohen <fc@all.net>
To: iwar@egroups.com

Sat, 29 Jul 2000 06:59:06 -0700 (PDT)

Subject: SANS FLASH report (Trojans Sending More Data To Russia)

This notice (in part) forwarded with permission. Check the SANS 
website at URL  for more information.

SANS Flash Report: Trojans Sending More Data To Russia
July 28, 2000, 6:20 pm, EDT

This is preliminary information.  The GIAC (Global Incident
Analysis Center) has received several submissions showing large
amounts of data being sent, illegitimately, from Windows 98
machines to a Russian IP address (194.87.6.X).  The cause is most
probably a Trojan, but whatever it is, it is moving fast.

What should you do?

1. All sites should block network traffic from or to 194.87.6.X
2. If you see outgoing traffic from one of your machines to that
address, you should pull it from the network until anti-virus
signatures are available.

This activity has been going on for a few days, but the
correlations are just coming in.  If you have information to
share, please send it to intrusion@sans.org.

The remainder of this message is fairly technical and meant to
help system administrators and firewall administrators protect
their systems.

Thank you!

Stephen Northcutt, Director Global Incident Analysis Center
The SANS Institute

>  From SANS GIAC Report 00/07/28
>(dhoelzer)
>     This one came in at about 20:16 on July 26. The 194.87.6.201
>     machine interestingly enough, resolves back to .ru. There is
>     no other traffic to or from this network (194.87.6.X) for the
>     last two months of live data that I have online. It's hard to
>     make a guess on this one. Perhaps the machine that recorded
>     this is on a proxy list somewhere, but then, this machine is a
>     brand new honeypot on an IP address that hasn't been populated
>     for at least 7 years, and has never been used as a proxy server.
>     If this is just a random stab, it's interesting that there is
>     no record of any network mapping from this network/host.
>     Perhaps there was some coordinated mapping here, or perhaps
>     there is someone out there who has mapped us already who was
>     willing to share (or moved to a new network).

>     bash# cat 8080
>     Initializing server socket...Binding to port 8080...Done.
>     Starting listener...Listening.
>     Connection from: 194.87.6.201
>         0| 47 45 54 20 68 74 74 70 3a 2f 2f 77 77 77 2e 63
>        16| 6f 6d 6d 69 73 73 69 6f 6e 2d 6a 75 6e 63 74 69
>        32| 6f 6e 2e 63 6f 6d 2f 20 48 54 54 50 2f 31 2e 31
>        48| 0d 0a 48 6f 73 74 3a 20 77 77 77 2e 63 6f 6d 6d
>        64| 69 73 73 69 6f 6e 2d 6a 75 6e 63 74 69 6f 6e 2e
>        80| 63 6f 6d 0d 0a 41 63 63 65 70 74 3a 20 2a 2f 2a
>        96| 0d 0a 50 72 61 67 6d 61 3a 20 6e 6f 2d 63 61 63
>       112| 68 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20
>          +-------------------------------------------------
>         0|  G  E  T     h  t  t  p  :  /  /  w  w  w  .  c
>        16|  o  m  m  i  s  s  i  o  n  -  j  u  n  c  t  i
>        32|  o  n  .  c  o  m  /     H  T  T  P  /  1  .  1
>        48|  .  .  H  o  s  t  :     w  w  w  .  c  o  m  m
>        64|  i  s  s  i  o  n  -  j  u  n  c  t  i  o  n  .
>        80|  c  o  m  .  .  A  c  c  e  p  t  :     *  /  *
>        96|  .  .  P  r  a  g  m  a  :     n  o  -  c  a  c
>       112|  h  e  .  .  U  s  e  r  -  A  g  e  n  t  :
>       128|  M  o  z  i  l  l  a  /  4  .  0     (  c  o  m
>       144|  p  a  t  i  b  l  e  ;     M  S  I  E     4  .
>       160|  0  1  ;     W  i  n  d  o  w  s     9  8  )  .
>       176|  .  .  .
>          +-------------------------------------------------
>             0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
>     Connection Terminated
>     bash# nslookup 194.87.6.201
>     Server:  midgaard.smsc.com
>     Address:  170.129.53.52
>     Name:    201.6.87.194.dynamic.dol.ru
>     Address:  194.87.6.201

+++
Correlation to Laurie's post to GIAC Report 00/07/28,
(http://www.sans.org/y2k/072800.htm):

and more...

---------------------------------------------------------------------

------------------
http://all.net/
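The honeypot dump quoted above can be decoded and triaged mechanically. The following is an added example, not part of the original post or of the GIAC listener: it parses the listener's `offset| hex bytes` dump format, rebuilds the captured request, flags the absolute-URI request line (the signature of an open-proxy probe, which is what the analyst suspected), and checks the source against the 194.87.6.X range the flash asks sites to block. The dump text is a constructed copy of the hex panel from the report; the function names are the example's own.

```python
import ipaddress
import re

# Constructed copy of the hex panel quoted in the GIAC report (offsets 0..127).
DUMP = """\
>     Connection from: 194.87.6.201
>         0| 47 45 54 20 68 74 74 70 3a 2f 2f 77 77 77 2e 63
>        16| 6f 6d 6d 69 73 73 69 6f 6e 2d 6a 75 6e 63 74 69
>        32| 6f 6e 2e 63 6f 6d 2f 20 48 54 54 50 2f 31 2e 31
>        48| 0d 0a 48 6f 73 74 3a 20 77 77 77 2e 63 6f 6d 6d
>        64| 69 73 73 69 6f 6e 2d 6a 75 6e 63 74 69 6f 6e 2e
>        80| 63 6f 6d 0d 0a 41 63 63 65 70 74 3a 20 2a 2f 2a
>        96| 0d 0a 50 72 61 67 6d 61 3a 20 6e 6f 2d 63 61 63
>       112| 68 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20
"""

# The 194.87.6.X range named in the flash report, as a CIDR block.
BLOCKED = ipaddress.ip_network("194.87.6.0/24")

# Matches "offset| xx xx ..." lines (optionally '>'-quoted); the ASCII panel
# lines contain single characters, not hex byte pairs, so they do not match.
HEX_LINE = re.compile(r"^>?\s*(\d+)\|\s*((?:[0-9a-f]{2}\s*)+)$", re.IGNORECASE)
CONN_LINE = re.compile(r"Connection from:\s*([\d.]+)")


def parse_dump(text):
    """Return (source_ip, payload_bytes) from the listener's dump format."""
    src, chunks = None, {}
    for line in text.splitlines():
        m = CONN_LINE.search(line)
        if m:
            src = m.group(1)
            continue
        m = HEX_LINE.match(line)
        if m:
            chunks[int(m.group(1))] = bytes.fromhex(m.group(2))
    # Reassemble by offset so out-of-order lines still decode correctly.
    payload = b"".join(chunks[off] for off in sorted(chunks))
    return src, payload


def triage(src, payload):
    """Classify the capture: a request line whose target is an absolute URI
    is a proxy-style request, i.e. the sender is testing for an open proxy."""
    request_line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = request_line.split(" ")
    target = parts[1] if len(parts) >= 2 else ""
    return {
        "src": src,
        "request_line": request_line,
        "proxy_probe": target.lower().startswith(("http://", "https://")),
        "blocked_range": ipaddress.ip_address(src) in BLOCKED,
    }
```

Running `triage(*parse_dump(DUMP))` reports the source as inside the blocked range and the request as a proxy probe for www.commission-junction.com.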