Darksat IT Security Forums
January 13, 2026, 10:20:43 am
Weird request in my server log

Author Topic: Weird request in my server log  (Read 5591 times)
madopal
Apprentice
« on: November 14, 2007, 03:21:54 pm »

I got a strange thing in my log today.

Code:
Nov 14 14:13:46 redking sshd[21321]: Bad protocol version identification 'GET http://www.google.com/ HTTP/1.0' from 69.182.111.5

I'm running ssh on a nonstandard port, so it's even weirder.  As I began to check on that IP address, things got stranger still.  Running nmap showed a bunch of ports open: ftp, http, dns, pop3, and some Microsoft specific stuff.  I tried to log into ftp, and got the following message:

Code:
Connected to 69.182.111.5 (69.182.111.5).
220- Web2.hamiltonjones.com WAR-FTPD 1.67-05 Ready
220 Please enter your user name.

So, a whois on hamiltonjones.com said that there were 2 DNSs:

Code:
Domain servers in listed order:
WEB1.HAMILTONJONES.COM       69.57.156.24
WEB2.HAMILTONJONES.COM       69.182.111.5

Apparently it's one of Hamilton Jones' DNS.  However, it seemed weird to me that the web port would be open for it.  When I hit the IP with a browser, I got an error trying to redirect to f7smq058.superoureland.org.  A whois for superoureland.org shows Chinese contact info, and a Google on the domain shows the domain is in some RBLs.  Since it's running some Microsoft stuff that showed up from my nmap scan, I'm guessing it's been rooted.

Now, questions:
1) I sent e-mail to the contact info listed on the site/whois, but is there anything else I can do to try and make them aware that their DNS is being used nefariously?
2) The website for Hamilton Jones looks a bit dodgy itself.  Could it be a front for spamming/other?
3) Is there anything else anyone here can find out about that machine?  I'm not much into script kiddie rootkiting, so maybe someone else here can try and see if that thing is spewing garbage.

Should I do anything else?  Am I wrong here in thinking this server is probably doing port scans?  Could there be some other explanation for it directing a GET request to a nonstandard port on my machine?
Defcon 5
Master
« Reply #1 on: November 14, 2007, 03:52:29 pm »

Swoosh, straight over my head *grin*.

Sounds like a job for Darksat.
Darksat
Administrator
Master
« Reply #2 on: November 15, 2007, 06:28:35 am »

Well, first off, a quick look at the hamiltonjones website tells me it wasn't made by hackers.
IIS6 and ASP.net 1.1 plus the design of the site says to me that it was made by a network admin who is learning .net and was roped into making the site 'cause he is the IT guy, jack of all trades, master of none, including security.
Out of date technology just screaming "hack me".
Looking at what is happening, I would say it's Chinese hackers creating web tunnels and proxies to bypass the Chinese firewall.
They rooted the Hamilton Jones site but are routing everything through the backup IP so that they don't affect any primary systems and are not noticed.
They were probably testing your machine to see if they could create a web tunnel for surfing.
Hence the Google request.
Naughty, tricky, but I can kind of understand the desire to surf the web unimpeded by the Chinese government.
What you do with this info I leave up to you.


madopal
Apprentice
« Reply #3 on: November 15, 2007, 09:17:40 am »

Well, if it's something that altruistic, there's no way I'm gonna do anything more.  Still confused as to how a web request got routed to a semi-random port on my machine.  Perhaps their tunneling software isn't quite beta.

Either way, that's interesting to think about.  Have you actually seen such exploits in the wild?
Darksat
Administrator
Master
« Reply #4 on: November 15, 2007, 09:26:22 am »

I'm guessing they just did a port scan, then tried to bounce a web request through any open ports they could not identify.

I know that China has a huge amount of these types of exploits.
If you want to bypass the Chinese firewall, this is exactly the sort of thing you would need to learn how to do.
I'm guessing it was a beginner trying to make a couple of different routes to use.

Defcon 5
Master
« Reply #5 on: November 15, 2007, 10:10:52 am »

Just curious, but was it the fact they were trying to get through an SSH tunnel they could not get access to? *huh*
Darksat
Administrator
Master
« Reply #6 on: November 16, 2007, 06:22:13 pm »


I think it was a probe.
As far as I can see, they managed to punch a hole in the hamiltonjones system and were/are connecting that to the second server, which lies at the other side of the Chinese firewall.
E.g. superoureland.org is hosted from a server in the Chinese city of Taiyuan near Beijing, and hamiltonjones is located in the US.
That's your tunnel out right there. I'm guessing once they got out they started looking for another system to run a connection through in case the first one got discovered, which is why they were looking for open SSH connections; the GET google request was simply them seeing if they could establish another connection through your machine.
Remember, they can't run port scans from inside the firewall, so they will have to use the first tunnel to establish secondary connections.
« Last Edit: November 16, 2007, 06:25:29 pm by Darksat »
madopal
Apprentice
« Reply #7 on: November 19, 2007, 02:45:14 pm »

Just curious, but was it the fact they were trying to get through an SSH tunnel they could not get access to? *huh*

Yeah, that was a red flag.  I run my own server for giggles.  Nothing serious.  But I had a TON of brute force hack attempts on my server.  We even got hacked a few times at work (we're small, I help out doing sysadmin there as well) because of brute force attacks & a weak password.

Anyway, so one of the countermeasures I took was to move my SSH port WAY up into the nonstandard port range.  Since I've done that, my hack attempts (at least those...I still get a lot of web overflow attempts) have dropped off to almost 0.  I'd say I'm lucky if I get 3 unknown connections a year now.

So, the fact that a) it was a GET request on something nowhere NEAR a standard web port raised flag #1, and b) the fact that it was for www.google.com raised flag #2.

Oh, and this showed up on Slashdot today.  Made me wonder if it was something like this.

http://slashdot.org/article.pl?sid=07/11/18/1824230

Defcon 5
Master
« Reply #8 on: November 19, 2007, 03:53:02 pm »

I would have thought they target standard ports looking for an idiotic sysadmin?
Oh, I just read it again, they do *cheesy*, just a few that didn't.

Or am I missing something, are there better things hidden on nonstandard ports?
madopal
Apprentice
« Reply #9 on: November 19, 2007, 04:14:26 pm »

You're right...most standard hacks hit the normal ports.  If they're attacking the web, you see it on port 80.  If they're attacking SSH, it's 22.  This is the first time I've seen anything other than an SSH request on that port.

That's what I don't get.  It seems like it would take too much time to comb all of those higher non-standard ports.  So, that leads me to believe a) it was a mistake in their code, b) it was a mistake in their data (like my IP was a typo or something), or c) something else nonstandard runs on that port.  I guess c is most likely...it's probably just luck, and they tried my machine to see if something was running there.  If it was a common thing, I'd expect to have seen more GETs on that port, so it's probably something custom and I just came up on a warprobe or something.
Darksat
Administrator
Master
« Reply #10 on: November 20, 2007, 04:17:09 pm »

I wouldn't be surprised if they were/are scanning every PC they can to make more connections.
madopal
Apprentice
« Reply #11 on: November 23, 2007, 09:02:04 am »

Got another one.  Three hits so far this morning, one at 7:52, one at 8:18, and one at 8:45.
Code:
Nov 23 08:44:44 redking sshd[17649]: Bad protocol version identification 'GET http://www.microsoft.com/ HTTP/1.0' from 199.8.89.120

Nmap results:
Code:
Interesting ports on esther.huntington.edu (199.8.89.120):
25/tcp  open   smtp
53/tcp  open   domain  ISC Bind 8.4.4
80/tcp  open   http    Microsoft IIS webserver 6.0
443/tcp closed https

Web is passworded.  SMTP doesn't appear to accept standard commands.  Entering HELP or HELO gets me "503 Not Implement."  Then it disconnects.  Server appears to be secure other than whatever port scanning it is doing.  Since this one appears to be a secure university IIS machine, I'm not sure what's going on anymore.  I could see Chinese students aiming for the low hanging fruit of underutilized DNS machines, but this machine seems like it'd be more of a tough nut to crack.

After some more Googling, I've seen people trying to use a web request as a buffer overflow to get an SSH, but since I don't see why anyone would think I'd be running ssh on that port, I'm not sure that makes sense.  The other possibility is that this is some bot network, and once it found my port running ssh, it passed my IP/port on to the botnet, and now I'm going to be getting probed from all over.  If I see more machines start knocking, it may be time to shift ports.
Defcon 5
Master
« Reply #12 on: November 23, 2007, 12:03:45 pm »

Secure IIS machine, there's such a thing!!! *grin*
I need to look up more on buffer overflow, I thought that stops their server doing anything?
madopal
Apprentice
« Reply #13 on: November 23, 2007, 12:15:26 pm »

Wow, it's really banging on my door.  I added its IP to hosts.deny after it kept trying, but that doesn't seem to be dissuading it.  I think there's NO coincidence to the fact that it's using a university machine over the Thanksgiving holiday here in the states.

  • Nov 23 07:52:12
  • Nov 23 08:17:54
  • Nov 23 08:44:44
  • Nov 23 09:09:52
  • Nov 23 09:33:42
  • Nov 23 09:56:53
  • Nov 23 10:19:43 *
  • Nov 23 10:43:25 *
  • Nov 23 11:06:58 *
  • Nov 23 11:30:23 *
  • Nov 23 11:52:29 *

* - connection blocked from hosts.deny

Stats so far:
# connection attempts: 11
Avg between attempts: 23:59
Min between attempts: 22:06
Max between attempts: 26:50
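An added example, not code from the thread or from any of its posters, of the bookkeeping madopal is doing by hand above: it parses sshd log lines in the format quoted in this thread, groups the probes by source address, and reports the count, how many were blocked, and the minimum, average and maximum spacing between attempts, flagging a source whose spacing is regular enough to look like a scheduled scanner rather than a person at a keyboard. The sample log is constructed: the hostname, timestamps and source IPs are the ones reported in the thread, while the process ids other than 17649, the syslog year (2007) and the libwrap "refused connect from" wording assumed for the hosts.deny blocks are assumptions for this example.

```python
import re
import statistics
from datetime import datetime

LOG_YEAR = 2007  # syslog timestamps carry no year; assumed from the thread's dates

# Constructed sample log (see lead-in for which values are taken from the thread
# and which are assumptions). The last five lines model what libwrap logs once
# the source is listed in hosts.deny.
SAMPLE_LOG = """\
Nov 14 14:13:46 redking sshd[21321]: Bad protocol version identification 'GET http://www.google.com/ HTTP/1.0' from 69.182.111.5
Nov 23 07:52:12 redking sshd[17601]: Bad protocol version identification 'GET http://www.microsoft.com/ HTTP/1.0' from 199.8.89.120
Nov 23 08:17:54 redking sshd[17622]: Bad protocol version identification 'GET http://www.microsoft.com/ HTTP/1.0' from 199.8.89.120
Nov 23 08:44:44 redking sshd[17649]: Bad protocol version identification 'GET http://www.microsoft.com/ HTTP/1.0' from 199.8.89.120
Nov 23 09:09:52 redking sshd[17670]: Bad protocol version identification 'GET http://www.microsoft.com/ HTTP/1.0' from 199.8.89.120
Nov 23 09:33:42 redking sshd[17698]: Bad protocol version identification 'GET http://www.microsoft.com/ HTTP/1.0' from 199.8.89.120
Nov 23 09:56:53 redking sshd[17715]: Bad protocol version identification 'GET http://www.microsoft.com/ HTTP/1.0' from 199.8.89.120
Nov 23 10:19:43 redking sshd[17740]: refused connect from 199.8.89.120 (199.8.89.120)
Nov 23 10:43:25 redking sshd[17761]: refused connect from 199.8.89.120 (199.8.89.120)
Nov 23 11:06:58 redking sshd[17783]: refused connect from 199.8.89.120 (199.8.89.120)
Nov 23 11:30:23 redking sshd[17804]: refused connect from 199.8.89.120 (199.8.89.120)
Nov 23 11:52:29 redking sshd[17826]: refused connect from 199.8.89.120 (199.8.89.120)
"""

# Two sshd events count as a probe: a client that spoke something other than an
# SSH banner, and a connection refused by tcp wrappers (hosts.deny).
PROBE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:Bad protocol version identification '(?P<banner>[^']*)' from (?P<ip>[\d.]+)$"
    r"|refused connect from (?P<blocked_ip>[\d.]+) \(.*\)$)"
)


def parse_probes(text):
    """Return a list of {ts, ip, banner, blocked} dicts for every probe line."""
    events = []
    for line in text.splitlines():
        m = PROBE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        blocked = m.group("blocked_ip") is not None
        events.append({
            "ts": ts,
            "ip": m.group("blocked_ip") if blocked else m.group("ip"),
            "banner": m.group("banner"),   # None for blocked connections
            "blocked": blocked,
        })
    return events


def fmt_mmss(seconds):
    """Render a gap in seconds as mm:ss, the way the thread lists its stats."""
    minutes, secs = divmod(int(round(seconds)), 60)
    return f"{minutes:02d}:{secs:02d}"


def interval_stats(events, ip):
    """Count, blocked count, gap statistics and a periodicity flag for one source."""
    mine = sorted((e for e in events if e["ip"] == ip), key=lambda e: e["ts"])
    times = [e["ts"] for e in mine]
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    stats = {
        "attempts": len(mine),
        "blocked": sum(e["blocked"] for e in mine),
        "banners": sorted({e["banner"] for e in mine if e["banner"]}),
        "min_gap": None, "avg_gap_s": None, "max_gap": None, "cv": None,
        "periodic": False,
    }
    if gaps:
        mean = statistics.mean(gaps)
        stats.update(min_gap=fmt_mmss(min(gaps)), max_gap=fmt_mmss(max(gaps)),
                     avg_gap_s=round(mean, 1))
        if len(gaps) >= 2:
            # Coefficient of variation: a scheduler retrying on a fixed timer
            # produces gaps that barely vary; a human does not.
            cv = statistics.stdev(gaps) / mean
            stats["cv"] = round(cv, 3)
            stats["periodic"] = len(mine) >= 3 and cv < 0.2
    return stats


def report(events):
    """Per-source statistics keyed by IP address."""
    return {ip: interval_stats(events, ip) for ip in sorted({e["ip"] for e in events})}


if __name__ == "__main__":
    for ip, s in report(parse_probes(SAMPLE_LOG)).items():
        flag = "PERIODIC" if s["periodic"] else "irregular/single"
        print(f"{ip}: {s['attempts']} attempts ({s['blocked']} blocked), "
              f"gaps min {s['min_gap']} avg {s['avg_gap_s']}s max {s['max_gap']} "
              f"cv {s['cv']} -> {flag}; banners {s['banners']}")
```

Run it against a real log with `parse_probes(open("/var/log/auth.log").read())` (path depends on the distribution). The blocked entries still count as attempts, which is why the spacing statistics keep working after a host is added to hosts.deny; on the constructed data the 199.8.89.120 source comes out at a minimum of 22:06 and a maximum of 26:50 between attempts, the same figures the post above lists, with a coefficient of variation of about 0.06, i.e. a timer, not a person.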
Defcon 5
Master
« Reply #14 on: November 23, 2007, 01:01:14 pm »

Tut tut, what, you're watching your server on Thanksgiving!