Incidents
Thread: Kuang2 strikes again, is it just me? (Feb 16 2003)
> Ah, a honeypot...a good question comes to mind. Does anyone have any info
> on what a Kuang2 backdoor looks like to a scanner? I'd rather not install
> one myself and work to figure it out if anyone else has done the work
> already...
I just caught one on one of my /16 networks. I noticed the machine because it created
several GB of IP Protocol 255 traffic last night aimed at a cablemodem. Here's what an
NMAP of the machine looks like:
(The 65528 ports scanned but not shown below are in state: closed)
Port State Service (RPC)
80/tcp filtered http
135/tcp open loc-srv
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
5000/tcp open UPnP
17300/tcp open unknown
Remote OS guesses: Windows Millennium Edition (Me), Win 2000, or WinXP, MS Windows2000 Professional RC1/W2K Advance Server Beta3
It's definitely got Kuang2 on it:
% telnet 128.101.X.Y 17300
Trying 128.101.X.Y...
Connected to XXXXXXXXX.umn.edu.
Escape character is '^]'.
YOK2BENNY°ùR>õõwè >>6>ùR ûR$øw U÷wÿÿõõwÍõwõw-ww(üRwh%
And, Nessus flags 17300/TCP as Kuang2.
Grabbing some traffic to/from the machine, it appears to only be doing
IRC at the moment:
11:45:44.910196 209.126.161.29.ircd > XXXXXXXX.umn.edu.4171: P 1153785951:1153786075(124) ack 8633779 win 32120 (DF)
11:45:45.095084 XXXXXXXX.umn.edu.4171 > 209.126.161.29.ircd: . ack 124 win 17209 (DF)
11:45:49.530129 209.126.161.29.ircd > XXXXXXXX.umn.edu.4171: P 124:206(82) ack 1 win 32120 (DF)
11:45:49.705017 XXXXXXXX.umn.edu.4171 > 209.126.161.29.ircd: . ack 206 win 17127 (DF)
Dumping the TCP session shows traffic in the channel:
:Nosibvyzt!~Nosibvyzt (at) pc1-nfds2-6-cust10.nott.cable.ntl (dot) com [email concealed] JOIN :#\xf1\xe0\xe9\xfc\xee\xe9\xf0\xecl^M
:wolhglsli!~wolhglsli (at) 195.175.79 (dot) 42 [email concealed] QUIT :Read error: 104 (Connection reset by peer)^M
:Skrcgirl!~Skrcgirl (at) Morristown-68-118-83-195.chartertn (dot) net [email concealed] JOIN :#\xf1\xe0\xe9\xfc\xee\xe9\xf0\xecl^M
:Rbizcoced!~Rbizcoced (at) dhcp024-210-152-184.woh.rr (dot) com [email concealed] QUIT :Ping timeout: 600 seconds^M
:Kadisfutr!~Kadisfutr (at) 211.191.2 (dot) 117 [email concealed] QUIT :Ping timeout: 600 seconds^M
:mskspwn!~mskspwn (at) 195.175.78 (dot) 105 [email concealed] QUIT :Read error: 104 (Connection reset by peer)^M
:Woicdonic!~Woicdonic (at) usr3152-edi.blueyonder.co (dot) uk [email concealed] JOIN :#\xf1\xe0\xe9\xfc\xee\xe9\xf0\xecl^M
:mlkaglali!~mlkaglali (at) pcp01975916pcs.essex01.md.comcast (dot) net [email concealed] QUIT :Read error: 104 (Connection reset by peer)^M
:Rosjhgly!~Rosjhgly (at) 211.178.173 (dot) 154 [email concealed] JOIN :#\xf1\xe0\xe9\xfc\xee\xe9\xf0\xecl^M
:Sscpceih!~Sscpceih (at) cable1-137.shenhgts (dot) net [email concealed] JOIN :#\xf1\xe0\xe9\xfc\xee\xe9\xf0\xecl^M
:Diencoke!~Diencoke (at) 211.222.186 (dot) 221 [email concealed] QUIT :Ping timeout: 600 seconds^M
:Mikemlyt!~Mikemlyt (at) 211.198.127 (dot) 78 [email concealed] JOIN :#\xf1\xe0\xe9\xfc\xee\xe9\xf0\xecl^M
:Kiwnpdti!~Kiwnpdti (at) 12-252-81-85.client.attbi (dot) com [email concealed] JOIN :#\xf1\xe0\xe9\xfc\xee\xe9\xf0\xecl^M
:Mixeboyz!~Mixeboyz (at) c-97e472d5.038-85-73746f37.cust.bredbandsbolaget (dot) se [email concealed] JOIN :#\xf1\xe0\xe9\xfc\xee\xe9\xf0\xecl^M
:Aglfsoush!~Aglfsoush (at) pm3-2-210.htg (dot) net [email concealed] JOIN :#\xf1\xe0\xe9\xfc\xee\xe9\xf0\xecl^M
:rarmnyj!~rarmnyj (at) N896P020.adsl.highway.telekom (dot) at [email concealed] QUIT :Read error: 104 (Connection reset by peer)^M
:Migegtki!~Migegtki (at) pcp03043874pcs.andrsn01.tn.comcast (dot) net [email concealed] QUIT :Ping timeout: 600 seconds^M
:Niwfmlnep!~Niwfmlnep (at) pD9E510BD.dip.t-dialin (dot) net [email concealed] QUIT :Ping timeout: 600 seconds^M
:kirmrao!~kirmrao (at) user-1694.bbd18tcl.dsl.pol.co (dot) uk [email concealed] QUIT :Ping timeout: 600 seconds^M
:Radicolwi!~Radicolwi (at) 61.84.62 (dot) 133 [email concealed] QUIT :Ping timeout: 600 seconds^M
:Rhcvmicha!~Rhcvmicha (at) HSE-London-ppp208618.sympatico (dot) ca [email concealed] JOIN :#\xf1\xe0\xe9\xfc\xee\xe9\xf0\xecl^M
:radieilha!~radieilha (at) adsl-153-99-155.mia.bellsouth (dot) net [email concealed] JOIN :#\xf1\xe0\xe9\xfc\xee\xe9\xf0\xecl^M
:Oaycboy!~Oaycboy (at) CZ1-RAS-1-u-0078.du.onolab (dot) com [email concealed] QUIT :Ping timeout: 600 seconds^M
:garcpiche!~garcpiche (at) ASte-Genev-Bois-111-1-1-161.abo.wanadoo (dot) fr [email concealed] QUIT :Ping timeout: 600 seconds^M
:Siepslu!~Siepslu (at) cable-213-132-151-242.upc.chello (dot) be [email concealed] QUIT :Ping timeout: 600 seconds^M
:Stmpsoueh!~Stmpsoueh (at) physp2.physx.u-szeged (dot) hu [email concealed] QUIT :Read error: 104 (Connection reset by peer)^M
:Siepslu!~Siepslu (at) cable-213-132-151-242.upc.chello (dot) be [email concealed] JOIN :#\xf1\xe0\xe9\xfc\xee\xe9\xf0\xecl^M
:Tirxplt!~Tirxplt (at) ool-18bc17fc.dyn.optonline (dot) net [email concealed] JOIN :#\xf1\xe0\xe9\xfc\xee\xe9\xf0\xecl^M
:gagsiok!~gagsiok (at) AValence-101-2-1-139.abo.wanadoo (dot) fr [email concealed] QUIT :Read error: 104 (Connection reset by peer)^M
Looks like a bot net to me.
Paul
--
Paul Dokas dokas (at) cs.umn (dot) edu [email concealed]
======================================================================
Don Juan Matus: "an enigma wrapped in mystery wrapped in a tortilla."
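A defender-side heuristic for the kind of session dump shown above, as an added example that is not part of the original post: it parses IRC JOIN/QUIT lines, groups joins by channel, and flags channels whose names are mostly non-printable bytes and are joined from many distinct hosts (plus the nick-equals-ident pattern seen in the dump). The sample lines are constructed in the style of the post; nicks and hosts are made up.

```python
"""Heuristics for spotting a bot channel in an IRC session dump (added example,
not from the original post). Lines are expected in the shape seen in the dump:
':nick!user@host JOIN :#chan' or ':nick!user@host QUIT :reason'."""
import re
from collections import defaultdict

IRC_LINE = re.compile(r"^:(?P<nick>[^!\s]+)!~?(?P<ident>[^@\s]+)@(?P<host>\S+)\s+"
                      r"(?P<cmd>JOIN|QUIT)\s+:(?P<arg>.*)$")
# tcpdump prints non-printable bytes as \xNN; the post's channel name is nearly all such bytes
ESCAPED_BYTE = re.compile(r"\\x[0-9a-fA-F]{2}")

# Constructed sample session in the style of the post (nicks and hosts are made up).
SAMPLE = r"""
:Nosibvyzt!~Nosibvyzt@pc1-nfds2-6-cust10.example.net JOIN :#\xf1\xe0\xe9\xfc\xee\xe9\xf0\xecl
:wolhglsli!~wolhglsli@192.0.2.42 QUIT :Read error: 104 (Connection reset by peer)
:Skrcgirl!~Skrcgirl@host-68-118-83-195.example.net JOIN :#\xf1\xe0\xe9\xfc\xee\xe9\xf0\xecl
:Kadisfutr!~Kadisfutr@198.51.100.117 QUIT :Ping timeout: 600 seconds
:Woicdonic!~Woicdonic@usr3152.example.co.uk JOIN :#\xf1\xe0\xe9\xfc\xee\xe9\xf0\xecl
:Rosjhgly!~Rosjhgly@203.0.113.154 JOIN :#\xf1\xe0\xe9\xfc\xee\xe9\xf0\xecl
:Sscpceih!~Sscpceih@cable1-137.example.org JOIN :#\xf1\xe0\xe9\xfc\xee\xe9\xf0\xecl
:bob!~alice@workstation.example.org JOIN :#linux
""".strip("\n").splitlines()

def parse_line(line):
    """Return nick/ident/host/cmd/arg for a JOIN or QUIT line, or None otherwise."""
    m = IRC_LINE.match(line.strip())
    return m.groupdict() if m else None

def is_obfuscated(channel):
    """True when most of the channel name is hidden bytes (\\xNN escapes or raw high bytes)."""
    n_esc = len(ESCAPED_BYTE.findall(channel))
    rest = ESCAPED_BYTE.sub("", channel).lstrip("#")
    n_raw = sum(1 for c in rest if not 32 <= ord(c) < 127)
    hidden = n_esc + n_raw
    return hidden > 0 and hidden >= len(rest) - n_raw

def channel_report(lines, min_hosts=3):
    """Group JOINs by channel; a channel is suspect when its name is obfuscated and it is
    joined from at least min_hosts distinct hosts. Also count joiners whose ident equals
    their nick, a pattern typical of generated bot identities."""
    hosts, ident_eq_nick = defaultdict(set), defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["cmd"] != "JOIN":
            continue
        hosts[rec["arg"]].add(rec["host"])
        if rec["ident"] == rec["nick"]:
            ident_eq_nick[rec["arg"]] += 1
    report = [{"channel": c, "hosts": len(h), "ident_eq_nick": ident_eq_nick[c],
               "obfuscated": is_obfuscated(c),
               "suspect": is_obfuscated(c) and len(h) >= min_hosts} for c, h in hosts.items()]
    return sorted(report, key=lambda r: (-r["suspect"], -r["hosts"]))
```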
------------------------------------------------------------------------
----
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com