IMHO, it might be some botnet command center, which sends UDP probes
to check if your host infected. It is interesting in case you resend
same UDP packet back :)
Here is a clue for UDP managed trojan - it is looking for UDP packets
containing word "DOM":
http://old.honeynet.org/scans/scan21/sol/scan21_turner.txt
2009/10/26 boris mutina <boris.mutina (at) gmail (dot) com [email concealed]>:
> Dear list readers,
> for unknown reason I decided to create very lame honeypot. I took WXP,
> enabled IIS and forwarded ports 80 and 135 (both TCP and UDP). Then I
> started IIS logging and started Wireshark to capture everything on the
> wire. I was not expecting any special result but what I got is
> something I cannot explain.
> From remote host there is a communication request represented by SYN
> packet to the honeypot port 80. Honeypot responds with SYN/ACK and
> before it receives ACK, UDP datagram to port 80 is received from that
> host with payload of length of 19 bytes (sometimes it is 20 or even 21
> bytes, dunno why). Then after ACK from remote host TCP data is sent
> (it appears like HTTP data but it is not), usually with variable
> length of 20-80 bytes or so. Honeypot sends ACK to this, then there is
> a 59 seconds delay and then FIN/ACK from remote host followed by ACK
> and FIN/ACK by honeypot and ACK by remote host.
> Strange things i cannot explain are these:
> 1. UDP payload 3rd byte is always 02
> 2. I tried to connect back to these systems using netcat to the
> portnumber from which the UDP datagram came from: I tried this:
> ross@rommy:~$ nc 93.113.XXX.XXX 56856
> GET / HTTP/1.0
>
> HTTP/1.0 404 Not Found
> 3. Tried this:
> ross@rommy:~$ nc 93.116.XXX.XXX 56856
> HEAD / HTTP/1.0
> eáÊÃ|Ø(kN|ųDz«n»Íà
> DÐLq<e4á]ÌÐ %Ax&ߥ[P¾\ª(yVO´ÂËqî
> ÚØi¿d
> ò;°aw¼ý
> sY¶/
>
> 4.Now the most crazy thing is, that these "probes" repeat in
> relatively precise time interval - 7220 seconds.
>
> Can anybody explain me, what the heck is going on? Or am I just
> chasing a ghost? I can send the data sample upon request.
>
> bm
>
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
f727d1
> ------------------------------------------------------------------------
>
>
--
Best regards.
Gleb Pakharenko.
http://gpaharenko.livejournal.com
http://www.linkedin.com/in/gpaharenko
+380503116172
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
IMHO, it might be some botnet command center, which sends UDP probes
to check if your host infected. It is interesting in case you resend
same UDP packet back :)
Here is a clue for UDP managed trojan - it is looking for UDP packets
containing word "DOM":
http://old.honeynet.org/scans/scan21/sol/scan21_turner.txt
2009/10/26 boris mutina <boris.mutina (at) gmail (dot) com [email concealed]>:
> Dear list readers,
> for unknown reason I decided to create very lame honeypot. I took WXP,
> enabled IIS and forwarded ports 80 and 135 (both TCP and UDP). Then I
> started IIS logging and started Wireshark to capture everything on the
> wire. I was not expecting any special result but what I got is
> something I cannot explain.
> From remote host there is a communication request represented by SYN
> packet to the honeypot port 80. Honeypot responds with SYN/ACK and
> before it receives ACK, UDP datagram to port 80 is received from that
> host with payload of length of 19 bytes (sometimes it is 20 or even 21
> bytes, dunno why). Then after ACK from remote host TCP data is sent
> (it appears like HTTP data but it is not), usually with variable
> length of 20-80 bytes or so. Honeypot sends ACK to this, then there is
> a 59 seconds delay and then FIN/ACK from remote host followed by ACK
> and FIN/ACK by honeypot and ACK by remote host.
> Strange things i cannot explain are these:
> 1. UDP payload 3rd byte is always 02
> 2. I tried to connect back to these systems using netcat to the
> portnumber from which the UDP datagram came from: I tried this:
> ross@rommy:~$ nc 93.113.XXX.XXX 56856
> GET / HTTP/1.0
>
> HTTP/1.0 404 Not Found
> 3. Tried this:
> ross@rommy:~$ nc 93.116.XXX.XXX 56856
> HEAD / HTTP/1.0
> eáÊÃ|Ø(kN|ųDz«n»Íà
> DÐLq<e4á]ÌÐ %Ax&ߥ[P¾\ª(yVO´ÂËqî
> ÚØi¿d
> ò;°aw¼ý
> sY¶/
>
> 4.Now the most crazy thing is, that these "probes" repeat in
> relatively precise time interval - 7220 seconds.
>
> Can anybody explain me, what the heck is going on? Or am I just
> chasing a ghost? I can send the data sample upon request.
>
> bm
>
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
f727d1
> ------------------------------------------------------------------------
>
>
--
Best regards.
Gleb Pakharenko.
http://gpaharenko.livejournal.com
http://www.linkedin.com/in/gpaharenko
+380503116172
------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
f727d1
------------------------------------------------------------------------
[ reply ]