Brute Force Warning

The Donut

Hey,

We just got a warning from our hosting provider stating that we're going to get shut down for breaking their AUP/TOS for having unlawful software that's brute forcing other IPs, and they gave us a log snippet.

We have thousands of entries like these:

[root@server19 floods]# grep -A 20 109.123.74.144 20111031_0957_80.96.216.110 |less
0x0110: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0120: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0130: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
--
2011-10-31 09:57:42.246866 IP 109.123.74.144 > 80.96.216.110: udp
0x0000: 4500 05dc 0f63 2d02 3511 62d2 6d7b 4a90 E....c-.5.b.m{J.
0x0010: 5060 d86e 4141 4141 4141 4141 4141 4141 P`.nAAAAAAAAAAAA
0x0020: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0030: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0040: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0050: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0060: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0070: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0080: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0090: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x00a0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x00b0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x00c0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x00d0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x00e0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x00f0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0100: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0110: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0120: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0130: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
--
2011-10-31 09:57:42.255891 IP 109.123.74.144 > 80.96.216.110: udp
0x0000: 4500 05dc 0f6c 3a04 3511 55c7 6d7b 4a90 E....l:.5.U.m{J.
0x0010: 5060 d86e 4141 4141 4141 4141 4141 4141 P`.nAAAAAAAAAAAA
0x0020: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0030: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0040: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0050: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0060: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0070: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0080: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0090: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x00a0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x00b0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x00c0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x00d0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x00e0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA

Any ideas what this even means or what I should look for?
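The hex dump the host sent can be decoded rather than eyeballed. The following is an added example, not part of the original post or any tool the thread mentions: it parses tcpdump -X text, decodes the IPv4 header fields and measures how uniform the payload is. The sample input is the post's own two records trimmed to their first few hex lines; the 1400-byte size and 0.9 uniformity thresholds in flood_like are assumptions chosen for this illustration.

```python
import re
from collections import Counter

# Two records copied from the tcpdump -X dump quoted in the post, trimmed to
# their first few hex lines (the original continues with more 0x41 bytes).
SAMPLE_DUMP = """\
2011-10-31 09:57:42.246866 IP 109.123.74.144 > 80.96.216.110: udp
0x0000: 4500 05dc 0f63 2d02 3511 62d2 6d7b 4a90 E....c-.5.b.m{J.
0x0010: 5060 d86e 4141 4141 4141 4141 4141 4141 P`.nAAAAAAAAAAAA
0x0020: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0030: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
--
2011-10-31 09:57:42.255891 IP 109.123.74.144 > 80.96.216.110: udp
0x0000: 4500 05dc 0f6c 3a04 3511 55c7 6d7b 4a90 E....l:.5.U.m{J.
0x0010: 5060 d86e 4141 4141 4141 4141 4141 4141 P`.nAAAAAAAAAAAA
0x0020: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
"""

# A tcpdump -X hex line: offset, then at most eight 16-bit words, then the
# ASCII column. At most eight words are consumed, so the ASCII column of a
# full line can never be taken for data; a short last line whose ASCII column
# happens to start with four hex characters would be a known limitation.
HEX_LINE = re.compile(r"^\s*0x([0-9a-f]{4}):\s+((?:[0-9a-f]{4}\b\s*){1,8})")


def parse_tcpdump_x(text):
    """Group a tcpdump -X text dump into records of {summary, raw bytes}."""
    records = []
    current = None
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            if current is None:          # hex lines before any header (grep -A spill)
                continue
            offset = int(m.group(1), 16)
            data = bytes.fromhex("".join(m.group(2).split()))
            buf = current["raw"]
            if len(buf) < offset:        # tolerate a line missing from the middle
                buf.extend(b"\0" * (offset - len(buf)))
            buf[offset:offset + len(data)] = data
        elif " IP " in line:             # "<timestamp> IP a > b: proto" summary line
            current = {"summary": line.strip(), "raw": bytearray()}
            records.append(current)
    return records


def decode_ipv4(raw):
    """Decode the fixed part of an IPv4 header from the captured bytes."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    flags_frag = int.from_bytes(raw[6:8], "big")
    return {
        "header_len": (raw[0] & 0x0F) * 4,
        "total_length": int.from_bytes(raw[2:4], "big"),
        "id": int.from_bytes(raw[4:6], "big"),
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # offset is stored in 8-byte units
        "ttl": raw[8],
        "protocol": raw[9],                         # 17 = UDP
        "src": ".".join(str(b) for b in raw[12:16]),
        "dst": ".".join(str(b) for b in raw[16:20]),
        "captured": len(raw),                       # bytes present in the dump
    }


def payload_uniformity(raw, start):
    """Fraction of payload bytes equal to the single most common byte."""
    payload = raw[start:]
    if not payload:
        return 0.0
    return Counter(payload).most_common(1)[0][1] / len(payload)


def analyze(text, size_threshold=1400, uniformity_threshold=0.9):
    results = []
    for rec in parse_tcpdump_x(text):
        hdr = decode_ipv4(rec["raw"])
        start = hdr["header_len"]
        if hdr["protocol"] == 17 and hdr["frag_offset"] == 0:
            start += 8                   # only the first fragment carries the UDP header
        hdr["payload_uniformity"] = round(payload_uniformity(rec["raw"], start), 3)
        hdr["fragment"] = hdr["more_fragments"] or hdr["frag_offset"] > 0
        # Heuristic (assumed thresholds): MTU-sized packets of one repeated byte.
        hdr["flood_like"] = (hdr["total_length"] >= size_threshold
                             and hdr["payload_uniformity"] >= uniformity_threshold)
        hdr["summary"] = rec["summary"]
        results.append(hdr)
    return results


if __name__ == "__main__":
    for r in analyze(SAMPLE_DUMP):
        print(f'{r["src"]} -> {r["dst"]} len={r["total_length"]} proto={r["protocol"]} '
              f'ttl={r["ttl"]} MF={r["more_fragments"]} off={r["frag_offset"]} '
              f'captured={r["captured"]} uniformity={r["payload_uniformity"]} '
              f'flood_like={r["flood_like"]}')
```

Run against the post's records it reports a total length of 1500 (0x05dc), protocol 17 (UDP), the more-fragments flag set and a non-zero fragment offset: these are trailing fragments of UDP datagrams far larger than the MTU, padded with 0x41. That is also why tcpdump prints "udp" with no port numbers, since a non-first fragment carries no UDP header. Uniform filler at line rate towards one destination is the signature of a UDP flood being sent from the host, not of a brute-force login tool.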
 
This is coming from a server?? Get anti-virus checks run on all systems, and begin network-wide scanning. It may be a bot, or a person in your network.

Next I would start finding out who or what accounts have remote access.
 
Looks like this is originating from a ton of services...

tcp 0 1 109.123.74.144:40831 89.184.165.21:6667 SYN_SENT 12331/syslogd
tcp 0 1 109.123.74.144:40858 89.184.165.21:6667 SYN_SENT 12328/httpd -DSSL
tcp 0 1 109.123.74.144:40856 89.184.165.21:6667 SYN_SENT 12319/acpid
tcp 0 1 109.123.74.144:40863 89.184.165.21:6667 SYN_SENT 11132/[bash]
tcp 0 1 109.123.74.144:40846 89.184.165.21:6667 SYN_SENT 11137/syslogd
tcp 0 1 109.123.74.144:40870 89.184.165.21:6667 SYN_SENT 12326/cron
tcp 0 1 109.123.74.144:40921 89.184.165.21:6667 SYN_SENT 11729/klogd -c 1 -x
tcp 0 1 109.123.74.144:40903 89.184.165.21:6667 SYN_SENT 11724/klogd -c 1 -x
tcp 0 1 109.123.74.144:40929 89.184.165.21:6667 SYN_SENT 11135/klogd -c 1 -x
tcp 0 1 109.123.74.144:40933 89.184.165.21:6667 SYN_SENT 11732/[bash]
tcp 0 1 109.123.74.144:40938 89.184.165.21:6667 SYN_SENT 11727/cron
tcp 0 1 109.123.74.144:40936 89.184.165.21:6667 SYN_SENT 11140/acpid
tcp 0 1 109.123.74.144:54155 211.94.188.213:6667 SYN_SENT 3267/acpid
tcp 0 1 109.123.74.144:54162 211.94.188.213:6667 SYN_SENT 3275/syslogd
tcp 0 1 109.123.74.144:54137 211.94.188.213:6667 SYN_SENT 3271/cron
tcp 0 1 109.123.74.144:37316 23.19.156.51:6667 SYN_SENT 10366/klogd -c 1 -x
tcp 0 1 109.123.74.144:59265 23.19.156.51:6667 SYN_SENT 10369/cron
tcp 0 1 109.123.74.144:59311 23.19.156.51:6667 SYN_SENT 10374/syslogd
tcp 0 1 109.123.74.144:59234 23.19.156.51:6667 SYN_SENT 10371/cron

My first thought was DDOS based on the packet makeup (no useful content, just pure spam) but it isn't coming from any specific executable that I can see here...
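As an added example (not the poster's code or output from any tool named in the thread), here is a script that parses a netstat -antp listing like the one above and applies the checks a responder would otherwise do by hand: which remote ports and hosts are involved, what state the connections are in, and how many distinct PIDs share each program name. The sample is the 19 lines from this post with a constructed header row; the IRC_PORTS and SINGLE_INSTANCE sets are assumptions for the illustration.

```python
import re
from collections import Counter, defaultdict

# The netstat -antp lines from the post; the header row is constructed.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 1 109.123.74.144:40831 89.184.165.21:6667 SYN_SENT 12331/syslogd
tcp 0 1 109.123.74.144:40858 89.184.165.21:6667 SYN_SENT 12328/httpd -DSSL
tcp 0 1 109.123.74.144:40856 89.184.165.21:6667 SYN_SENT 12319/acpid
tcp 0 1 109.123.74.144:40863 89.184.165.21:6667 SYN_SENT 11132/[bash]
tcp 0 1 109.123.74.144:40846 89.184.165.21:6667 SYN_SENT 11137/syslogd
tcp 0 1 109.123.74.144:40870 89.184.165.21:6667 SYN_SENT 12326/cron
tcp 0 1 109.123.74.144:40921 89.184.165.21:6667 SYN_SENT 11729/klogd -c 1 -x
tcp 0 1 109.123.74.144:40903 89.184.165.21:6667 SYN_SENT 11724/klogd -c 1 -x
tcp 0 1 109.123.74.144:40929 89.184.165.21:6667 SYN_SENT 11135/klogd -c 1 -x
tcp 0 1 109.123.74.144:40933 89.184.165.21:6667 SYN_SENT 11732/[bash]
tcp 0 1 109.123.74.144:40938 89.184.165.21:6667 SYN_SENT 11727/cron
tcp 0 1 109.123.74.144:40936 89.184.165.21:6667 SYN_SENT 11140/acpid
tcp 0 1 109.123.74.144:54155 211.94.188.213:6667 SYN_SENT 3267/acpid
tcp 0 1 109.123.74.144:54162 211.94.188.213:6667 SYN_SENT 3275/syslogd
tcp 0 1 109.123.74.144:54137 211.94.188.213:6667 SYN_SENT 3271/cron
tcp 0 1 109.123.74.144:37316 23.19.156.51:6667 SYN_SENT 10366/klogd -c 1 -x
tcp 0 1 109.123.74.144:59265 23.19.156.51:6667 SYN_SENT 10369/cron
tcp 0 1 109.123.74.144:59311 23.19.156.51:6667 SYN_SENT 10374/syslogd
tcp 0 1 109.123.74.144:59234 23.19.156.51:6667 SYN_SENT 10371/cron
"""

IRC_PORTS = {6667, 6668, 6669, 6697}            # assumed list of IRC ports to flag
# Daemons that normally run as exactly one process on a host (assumed list).
SINGLE_INSTANCE = {"syslogd", "klogd", "acpid", "cron", "crond", "init"}

# TCP rows only: udp rows have no State column and would not match.
LINE = re.compile(r"^(tcp6?|udp6?)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)/(.*)$")


def parse_netstat(text):
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue                      # header, udp/unix sockets, "-" pid entries
        proto, _recvq, sendq, local, remote, state, pid, prog = m.groups()
        rhost, rport = remote.rsplit(":", 1)
        rows.append({"proto": proto, "send_q": int(sendq), "local": local,
                     "remote_host": rhost, "remote_port": int(rport),
                     "state": state, "pid": int(pid),
                     "program": prog.split()[0], "cmdline": prog})
    return rows


def triage(text):
    rows = parse_netstat(text)
    by_program = defaultdict(set)
    for r in rows:
        by_program[r["program"]].add(r["pid"])
    report = {
        "total": len(rows),
        "remote_ports": Counter(r["remote_port"] for r in rows),
        "remote_hosts": Counter(r["remote_host"] for r in rows),
        "states": Counter(r["state"] for r in rows),
        "by_program": dict(by_program),
        "findings": [],
    }
    findings = report["findings"]
    for port, n in report["remote_ports"].items():
        if port in IRC_PORTS:
            names = {r["program"] for r in rows if r["remote_port"] == port}
            findings.append(f"{n} connection(s) to IRC port {port} "
                            f"from {len(names)} distinct program names")
    for name, pids in by_program.items():
        if name.startswith("[") and name.endswith("]"):
            # ps shows kernel threads in brackets; kernel threads never own sockets
            findings.append(f"{name!r} mimics a kernel thread name but owns "
                            f"sockets (pids {sorted(pids)})")
        if name in SINGLE_INSTANCE and len(pids) > 1:
            findings.append(f"{len(pids)} distinct processes named {name!r}; "
                            f"it normally runs once (pids {sorted(pids)})")
    if rows and report["states"].get("SYN_SENT", 0) == len(rows):
        findings.append("every connection is stuck in SYN_SENT: the remote side "
                        "is not answering and the clients keep retrying")
    return report


if __name__ == "__main__":
    rep = triage(NETSTAT_SAMPLE)
    print(rep["total"], "rows;", dict(rep["remote_ports"]), dict(rep["states"]))
    for f in rep["findings"]:
        print("-", f)
```

The useful signal is not any single process name but the shape: every connection goes to port 6667, all are unanswered SYNs, and names that should exist once (syslogd, klogd, acpid, cron) each appear under several PIDs. netstat's program column is whatever the process reports about itself on its command line, so matching names against a list of "scary" processes, as the next reply notes, tells you nothing; counting them does.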
 
Those logs look different from what was posted in the OP. The OP showed UDP traffic, whereas the above is TCP traffic. Really do need to look at the running processes.
 
I just looked at this again. TCP port 6667 looks like someone has penetrated your system and has installed an IRC script on it. Add an iptables firewall script to block traffic out on port 6667.
 
Same recommendation I just provided :) It's a band-aid fix but it should keep him alive for the time being.

I didn't see any scary looking process names, but then again just going name deep won't tell me shit.
 
All the scripts that I have from my honeypots mostly put a back door in to protect the asset. I would block access to it from everywhere except your location. Back up what you need and reinstall the OS and harden it. That system is surely compromised. I would love to get a dd of the disk to play with.
 
Things can run as different processes, or even hidden. The netstat output shows enough to know that someone else now owns that system. lol look up those domains. CN, BR, RO. Welcome to a botnet.
 
Yeah my thoughts exactly after doing some digging... Donut is prepping for a long night of work backing up and reimaging :S

Thanks for the help.
 
I was able to get the needed iptables rules in place and the connections dropped. Something is still trying to get out via 6667. Nice little mess. :)
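Whatever is still trying to get out via 6667 can be attributed without trusting the names netstat prints, which come from each process's own command line and can be set to anything (that is how "syslogd" and "[bash]" show up above). The following is an added example, not code from the thread: it reads /proc/net/tcp directly, maps each socket's inode to the owning PID through /proc/<pid>/fd, and compares the name the process claims with the binary /proc/<pid>/exe actually points at. The /proc/net/tcp excerpt is constructed from the thread's first netstat line; the inode numbers, the port set and the writable-directory list are assumptions. It is Linux-only and needs root to see other users' file descriptors.

```python
import os
import socket
import struct
from pathlib import Path

SUSPECT_PORTS = {6667, 6668, 6669, 6697}   # assumed: the thread's IRC port plus neighbours
SYN_SENT = "02"                            # state code used in /proc/net/tcp

# Constructed /proc/net/tcp excerpt. Row 0 is the thread's first netstat line
# (109.123.74.144:40831 -> 89.184.165.21:6667, SYN_SENT) as the kernel prints it:
# addresses are little-endian hex, ports are plain hex. Row 1 is a benign
# listening socket on port 22. Inode numbers 4242 and 1001 are made up.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 904A7B6D:9F7F 15A5B859:1A0B 02 00000001:00000000 01:00000019 00000000     0        0 4242 2 0000000000000000 100 0 0 10 -1
   1: 904A7B6D:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
"""


def decode_endpoint(field):
    """'904A7B6D:9F7F' -> ('109.123.74.144', 40831)."""
    addr_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 10 or not parts[0].endswith(":"):
            continue                                   # header row
        lip, lport = decode_endpoint(parts[1])
        rip, rport = decode_endpoint(parts[2])
        rows.append({"local": (lip, lport), "remote": (rip, rport),
                     "state": parts[3], "inode": int(parts[9])})
    return rows


def socket_inode_to_pids(proc_root="/proc"):
    """Map socket inode -> set of PIDs holding it, by walking /proc/<pid>/fd."""
    owners = {}
    for pid_dir in Path(proc_root).glob("[0-9]*"):
        try:
            for fd in (pid_dir / "fd").iterdir():
                target = os.readlink(fd)
                if target.startswith("socket:["):
                    owners.setdefault(int(target[8:-1]), set()).add(int(pid_dir.name))
        except OSError:
            continue                                   # exited, or not root
    return owners


def describe_process(pid, proc_root="/proc"):
    p = Path(proc_root) / str(pid)
    info = {"pid": pid, "comm": "?", "exe": "?", "cmdline": "?"}
    try:
        info["comm"] = (p / "comm").read_text().strip()
        info["exe"] = os.readlink(p / "exe")          # real binary; "(deleted)" if unlinked
        raw = (p / "cmdline").read_bytes()
        info["cmdline"] = raw.replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        pass
    return info


def suspicious(info):
    """Reasons a process owning a suspect socket deserves a closer look."""
    reasons = []
    exe = info["exe"]
    if exe in ("", "?"):
        return reasons
    real = os.path.basename(exe.replace(" (deleted)", ""))
    if exe.endswith("(deleted)"):
        reasons.append("binary was deleted from disk while still running")
    if exe.startswith(("/tmp/", "/dev/shm/", "/var/tmp/")):   # assumed list
        reasons.append("binary lives in a world-writable directory")
    argv0 = ""
    if info["cmdline"] not in ("", "?"):
        argv0 = os.path.basename(info["cmdline"].split(" ")[0])
    claimed = {c for c in (info["comm"], argv0) if c not in ("", "?")}
    # comm is capped at 15 characters by the kernel, so compare on that prefix too
    if any(c != real and c != real[:15] for c in claimed):
        reasons.append(f"process calls itself {sorted(claimed)} but the executable is {real!r}")
    return reasons


def find_outbound_suspects(proc_root="/proc", ports=SUSPECT_PORTS):
    text = (Path(proc_root) / "net" / "tcp").read_text()
    owners = socket_inode_to_pids(proc_root)
    hits = []
    for row in parse_proc_net_tcp(text):
        if row["remote"][1] in ports:
            for pid in owners.get(row["inode"], ()):
                info = describe_process(pid, proc_root)
                info["reasons"] = suspicious(info)
                hits.append((row, info))
    return hits


if __name__ == "__main__":
    for row, info in find_outbound_suspects():
        print(row["local"], "->", row["remote"], "state", row["state"], info)
```

Once the iptables rules are in place the SYNs never leave the host, but the socket still exists in /proc/net/tcp for as long as the process retries, which is exactly the window this gives you to catch the PID and its real binary. An "(deleted)" exe or one living under /tmp is the usual sign of a dropped IRC bot; either way the finding belongs in the notes for the reimage, not in a cleanup attempt on the live box.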
 