Security Incidents mailing list archives

Re: FW: PPark (was: Win 95 Question)


From: rgula () SECURITYWIZARDS COM (Ron Gula)
Date: Mon, 28 Feb 2000 07:00:59 -0500


We just started to deploy some PPark Dragon signatures at some of
our test customers and have had a hit at every site. I'd say it's
pretty widespread because these test sites are all fairly diverse.
Here is an example log from a medium dial-ISP:

bash-2.03# mklog -l -e SMTP:PRETTY-PARK
** Make Logs Tool - Copyright 1999 Network Security Wizards
** http://www.securitywizards.com
** Printing 'dragon.log' style data
** Printing events of type [SMTP:PRETTY-PARK
** Date: Sunday February 27 2000
05:14:21  [T]  208.48.218.21   xxx.xxx.72.2    [SMTP:PRETTY-PARK]
(tcp,dp=25,sp=29599) (dragon-sensor)
09:06:19  [T]  209.69.227.9    xxx.xxx.72.2    [SMTP:PRETTY-PARK]
(tcp,dp=25,sp=2672) (dragon-sensor)
13:47:53  [T]  207.69.128.51   xxx.xxx.72.2    [SMTP:PRETTY-PARK]
(tcp,dp=25,sp=9895) (dragon-sensor)
15:25:44  [T]  207.115.58.59   xxx.xxx.72.2    [SMTP:PRETTY-PARK]
(tcp,dp=25,sp=34651) (dragon-sensor)
15:51:03  [T]  207.172.4.61    xxx.xxx.72.2    [SMTP:PRETTY-PARK]
(tcp,dp=25,sp=59820) (dragon-sensor)
17:38:13  [T]  204.157.228.197 xxx.xxx.72.2    [SMTP:PRETTY-PARK]
(tcp,dp=25,sp=2405) (dragon-sensor)
17:59:31  [T]  205.160.234.10  xxx.xxx.72.2    [SMTP:PRETTY-PARK]
(tcp,dp=25,sp=3706) (dragon-sensor)
19:04:23  [T]  209.125.189.131 xxx.xxx.72.2    [SMTP:PRETTY-PARK]
(tcp,dp=25,sp=4377) (dragon-sensor)
20:32:20  [T]  193.216.69.103  xxx.xxx.72.2    [SMTP:PRETTY-PARK]
(tcp,dp=25,sp=43786) (dragon-sensor)
20:44:44  [T]  106.231.75.216  xxx.xxx.72.2    [SMTP:PRETTY-PARK]
(tcp,dp=25,sp=55509) (dragon-sensor)
20:48:27  [T]  106.231.75.208  xxx.xxx.72.2    [SMTP:PRETTY-PARK]
(tcp,dp=25,sp=40698) (dragon-sensor)
20:53:15  [T]  106.231.75.200  xxx.xxx.72.2    [SMTP:PRETTY-PARK]
(tcp,dp=25,sp=55692) (dragon-sensor)
20:56:05  [T]  106.231.75.200  xxx.xxx.72.2    [SMTP:PRETTY-PARK]
(tcp,dp=25,sp=56869) (dragon-sensor)
21:03:31  [T]  106.231.75.234  xxx.xxx.72.2    [SMTP:PRETTY-PARK]
(tcp,dp=25,sp=35735) (dragon-sensor)
21:11:17  [T]  204.127.131.52  xxx.xxx.72.2    [SMTP:PRETTY-PARK]
(tcp,dp=25,sp=61243) (dragon-sensor)
21:22:26  [T]  128.173.16.30   xxx.xxx.72.2    [SMTP:PRETTY-PARK]
(tcp,dp=25,sp=2746) (dragon-sensor)

It's comforting to see that all of the messages were going to the
mail server (xxx.xxx.72.2) and none coming from compromised dial-up
clients.

I think trying to come up with a finger-print to detect PP would be
useful if we got any major IDS db-administrators to include it in
their detectors.

Actually, one of our customers submitted the original test Dragon
signatures which got our attention.

I'm afraid the sequence may be too fuzzy for any effective way to
spot it, but this is an example case:

      src:any -> any:6667
      data: 'USER <rchar(5)> <rchar(6)> <rchar(7)> :<rchar(8)>'

i.e.
      windows:1042 -> box:6667
      data: 'USER dP{DC TyPvaR Q}FwDHv :oAOKNI{q'

      (without the quotes)

We have not fully analyzed a live compromised PPark server in our
lab yet. What we have not been able to determine is which IRC group(s)
a PPark server may join. The list of target IRC servers has been
published and this is the first real trace of an IRC "USER" event, but
it would also be useful to see some packet traces of the entire session.

Thanks

Ron Gula
Network Security Wizards
http://www.securitywizards.com
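Added example, not part of Ron's post or of the Dragon/mklog tool: a small Python parser for the wrapped mklog records shown above, a check that every hit is inbound to the mail server on port 25 (the "none from dial-up clients" observation), and a matcher for the IRC USER fingerprint quoted in the message. The token lengths 5/6/7/8 come from the post; treating rchar as any non-space character is an assumption, and the two-record log sample is constructed from lines in the post.

```python
import re
from collections import Counter

# Constructed sample: two wrapped mklog records in the format shown in the post.
SAMPLE_LOG = """\
05:14:21  [T]  208.48.218.21   xxx.xxx.72.2    [SMTP:PRETTY-PARK]
(tcp,dp=25,sp=29599) (dragon-sensor)
09:06:19  [T]  209.69.227.9    xxx.xxx.72.2    [SMTP:PRETTY-PARK]
(tcp,dp=25,sp=2672) (dragon-sensor)
"""

# One record spans two lines: "time [flag] src dst [event]" then "(proto,dp=,sp=) (sensor)".
# \s* between the event tag and the protocol tuple absorbs the line break.
RECORD_RE = re.compile(
    r"(?P<time>\d\d:\d\d:\d\d)\s+\[(?P<flag>\w)\]\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"\[(?P<event>[^\]]+)\]\s*\((?P<proto>\w+),dp=(?P<dp>\d+),sp=(?P<sp>\d+)\)"
    r"\s*\((?P<sensor>[^)]+)\)"
)

# The USER fingerprint from the post: four random tokens of lengths 5, 6, 7 and 8,
# the last one prefixed with ':'. Assumption: rchar means any non-space character.
IRC_USER_RE = re.compile(r"^USER \S{5} \S{6} \S{7} :\S{8}$")


def parse_mklog(text):
    """Return one dict per (two-line) mklog record found in text."""
    return [m.groupdict() for m in RECORD_RE.finditer(text)]


def inbound_only(records, mail_server):
    """True when every hit targets mail_server on port 25, i.e. no local
    client is the one sending the worm out."""
    return all(r["dst"] == mail_server and r["dp"] == "25" for r in records)


def hits_by_source(records):
    """Count hits per sending address, to spot a single source retrying."""
    return Counter(r["src"] for r in records)


def matches_pp_user(payload):
    """True when an IRC USER line fits the 5/6/7/8 random-token fingerprint."""
    return IRC_USER_RE.match(payload) is not None


if __name__ == "__main__":
    recs = parse_mklog(SAMPLE_LOG)
    print(len(recs), "records; inbound only:", inbound_only(recs, "xxx.xxx.72.2"))
    print(hits_by_source(recs))
    print(matches_pp_user("USER dP{DC TyPvaR Q}FwDHv :oAOKNI{q"))
```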

