Created: 22-Feb-2001
Modified: 22-Feb-2001
By: Lawrence Baldwin
We're seeing a high volume of Netbus scans originating from Korean IP addresses
since Feb 2001 (see the myNetWatchman Netbus Incidents page):
myNetWatchman
Netbus Incidents
I know this could just be individual kiddies actually using the Netbus tool,
especially since Korea has one of the largest installed bases of ADSL users in
the world. However, the target IPs seem to be random (not sequential scanning).
Also, I've reverse probed nearly a dozen sources of these scans; all have port
139 open (and, I believe, open shares). My suspicion is that this is some kind
of new worm that spreads through open shares and is collecting a database of
IP addresses with installed Netbus servers. The main signature of this attack
pattern is 3-4 Netbus probes (12345/tcp) with ~700ms delay between each probe.
Frame Status Source Address Dest. Address Size Rel. Time Delta Time Abs. Time Summary
1 M [211.59.47.233] [209.214.36.XXX] 70 0:00:00.000 0.000.000 02/22/2001 01:36:52 AM TCP: D=12345 S=2616 SYN SEQ=7873728 LEN=0 WIN=8192
2 [211.59.47.233] [209.214.36.XXX] 70 0:00:00.654 0.654.085 02/22/2001 01:36:52 AM TCP: D=12345 S=2616 SYN (Retransmission of Frame 1) SEQ=7873728 LEN=0 WIN=8192
3 [211.59.47.233] [209.214.36.XXX] 70 0:00:01.437 0.783.486 02/22/2001 01:36:53 AM TCP: D=12345 S=2616 SYN (Retransmission of Frame 1) SEQ=7873728 LEN=0 WIN=8192
4 [211.59.47.233] [209.214.36.XXX] 70 0:00:02.113 0.676.314 02/22/2001 01:36:54 AM TCP: D=12345 S=2616 SYN (Retransmission of Frame 1) SEQ=7873728 LEN=0 WIN=8192
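As an added example (not part of the original myNetWatchman report), the following Python detector reads Sniffer-style summary lines like the four above and flags the signature described in the text: three or more SYNs to 12345/tcp from one source to one destination with a median spacing of roughly 0.5-1.0 s. It also reports whether all the probes share the same source port and sequence number; the capture above marks frames 2-4 as retransmissions of frame 1, so the four frames are one SYN being retried rather than four independent connection attempts, which matters when tuning a threshold. The sample log is constructed from the table above plus one unrelated SYN to port 80 so the filter has something to reject; the function names and thresholds are this example's own assumptions.

```python
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass

NETBUS_PORT = 12345

# Constructed sample: the four summary lines from the capture above plus one
# unrelated SYN (frame 5) that the Netbus filter must ignore.
SAMPLE_LOG = """\
1 M [211.59.47.233] [209.214.36.XXX] 70 0:00:00.000 0.000.000 02/22/2001 01:36:52 AM TCP: D=12345 S=2616 SYN SEQ=7873728 LEN=0 WIN=8192
2 [211.59.47.233] [209.214.36.XXX] 70 0:00:00.654 0.654.085 02/22/2001 01:36:52 AM TCP: D=12345 S=2616 SYN (Retransmission of Frame 1) SEQ=7873728 LEN=0 WIN=8192
3 [211.59.47.233] [209.214.36.XXX] 70 0:00:01.437 0.783.486 02/22/2001 01:36:53 AM TCP: D=12345 S=2616 SYN (Retransmission of Frame 1) SEQ=7873728 LEN=0 WIN=8192
4 [211.59.47.233] [209.214.36.XXX] 70 0:00:02.113 0.676.314 02/22/2001 01:36:54 AM TCP: D=12345 S=2616 SYN (Retransmission of Frame 1) SEQ=7873728 LEN=0 WIN=8192
5 [10.0.0.5] [209.214.36.XXX] 70 0:00:05.000 2.887.000 02/22/2001 01:36:57 AM TCP: D=80 S=1044 SYN SEQ=1 LEN=0 WIN=8192
"""

# Frame, optional status mark ("M"), [src], [dst], size, relative time, then
# four tokens we skip (delta time, date, clock time, AM/PM), then the TCP summary.
LINE_RE = re.compile(
    r"^(?P<frame>\d+)\s+(?:M\s+)?"
    r"\[(?P<src>[^\]]+)\]\s+\[(?P<dst>[^\]]+)\]\s+(?P<size>\d+)\s+"
    r"(?P<rel>\d+:\d\d:\d\d\.\d+)\s+\S+\s+\S+\s+\S+\s+\S+\s+"
    r"TCP:\s+D=(?P<dport>\d+)\s+S=(?P<sport>\d+)\s+(?P<flags>[A-Z]+)(?P<rest>.*)$"
)
SEQ_RE = re.compile(r"SEQ=(\d+)")


@dataclass
class Syn:
    frame: int
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    rel_time: float  # seconds since the first captured frame


def parse_rel_time(text):
    """Convert Sniffer relative time 'H:MM:SS.mmm' to seconds."""
    h, m, s = text.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_summary(text):
    """Return the pure SYN frames (no ACK) found in the summary lines."""
    syns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["flags"] != "SYN" or m["rest"].lstrip().startswith("ACK"):
            continue
        seq = SEQ_RE.search(m["rest"])
        syns.append(Syn(int(m["frame"]), m["src"], m["dst"], int(m["sport"]),
                        int(m["dport"]), int(seq.group(1)) if seq else -1,
                        parse_rel_time(m["rel"])))
    return syns


def find_netbus_probe_patterns(syns, min_probes=3, min_gap=0.5, max_gap=1.0):
    """Group SYNs to 12345/tcp per (src, dst) and flag runs of min_probes or
    more whose median inter-arrival gap lies in [min_gap, max_gap] seconds."""
    by_pair = defaultdict(list)
    for s in syns:
        if s.dport == NETBUS_PORT:
            by_pair[(s.src, s.dst)].append(s)
    hits = []
    for (src, dst), probes in by_pair.items():
        probes.sort(key=lambda p: p.rel_time)
        if len(probes) < min_probes:
            continue
        gaps = [b.rel_time - a.rel_time for a, b in zip(probes, probes[1:])]
        median_gap = statistics.median(gaps)
        if not (min_gap <= median_gap <= max_gap):
            continue
        # One (sport, seq) pair across all probes means a single SYN being
        # retransmitted, not several independent connection attempts.
        single_syn = len({(p.sport, p.seq) for p in probes}) == 1
        hits.append({
            "src": src, "dst": dst, "probes": len(probes),
            "median_gap_s": round(median_gap, 3),
            "single_syn_retransmitted": single_syn,
            "frames": [p.frame for p in probes],
        })
    return hits


if __name__ == "__main__":
    for hit in find_netbus_probe_patterns(parse_summary(SAMPLE_LOG)):
        print(hit)
```

On the constructed sample the detector reports one hit for 211.59.47.233 with four probes, a median gap of 0.676 s and `single_syn_retransmitted` set, and ignores the port-80 SYN. The gap window is deliberately narrow; widen it only after checking what the retransmission timers of the stacks in your environment look like, or ordinary failed connects will trip the rule.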
Here is the full decode of Frame 1:
DLC: ----- DLC Header -----
DLC:
DLC: Frame 1 arrived at 01:36:52.1958; frame size is 70 (0046 hex) bytes.
DLC: Destination = Station Intel XXXXXX
DLC: Source = Station 001067008D8A
DLC: Ethertype = 8864
DLC:
PPPOE: ----- PPPoE Header -----
PPPOE:
PPPOE: Ethernet Type= (0x8864) "PPP Session Stage"
PPPOE: Version = 1
PPPOE: Type = 1
PPPOE: Code = 0
PPPOE: Session ID = 30466
PPPOE: Payload length = 50
PPPOE: --- Payload In Session Stage ---
PPPOE:
PPP: ----- Point-to-Point Protocol -----
PPP:
PPP: Protocol = 0021 (Internet)
PPP:
IP: ----- IP Header -----
IP:
IP: Version = 4, header length = 20 bytes
IP: Type of service = 00
IP: 000. .... = routine
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: .... ..0. = ECT bit - transport protocol will ignore the CE bit
IP: .... ...0 = CE bit - no congestion
IP: Total length = 48 bytes
IP: Identification = 20802
IP: Flags = 4X
IP: .1.. .... = don't fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 114 seconds/hops
IP: Protocol = 6 (TCP)
IP: Header checksum = BE3A (correct)
IP: Source address = [211.59.47.233]
IP: Destination address = [209.214.36.XXX]
IP: No options
IP:
TCP: ----- TCP header -----
TCP:
TCP: Source port = 2616
TCP: Destination port = 12345
TCP: Initial sequence number = 7873728
TCP: Next expected Seq number= 7873729
TCP: Data offset = 28 bytes
TCP: Flags = 02
TCP: ..0. .... = (No urgent pointer)
TCP: ...0 .... = (No acknowledgment)
TCP: .... 0... = (No push)
TCP: .... .0.. = (No reset)
TCP: .... ..1. = SYN
TCP: .... ...0 = (No FIN)
TCP: Window = 8192
TCP: Checksum = 0A2B (correct)
TCP:
TCP: Options follow
TCP: Maximum segment size = 1460
TCP: No-op
TCP: No-op
TCP: SACK-Permitted Option
TCP: