Re: Proxy attackers/hijackers
From: Joe Stewart (jstewart at lurhq.com)
Date: Fri Oct 17 2003 - 09:15:37 CDT
On Thursday 16 October 2003 11:31 pm, Jeff Kell wrote:
> We had an attempted proxy rape today on a trojanned dorm machine. No
> mail escaped thanks to firewalling but I did track down the culprits
> and the compromised ports (which appear random, they changed when the
> machine was rebooted). Do not have the machine (yet) for forensics
> to see what infected it, but it was providing two proxy ports on
> random ports that change when the machine is rebooted (apparently,
> given the time difference between the pairs of proxy ports below).
If the two proxy ports start at a random port but themselves are
sequential, it could be the Autoproxy trojan. A rash of these was
installed yesterday by a second mass-hack of a large webhosting
provider. Autoproxy can be detected when it attempts to make outbound
HTTP control connections (one is to a CGI script where it reports its
port numbers and stats, the other is to an uninvolved third-party
website for connectivity checking). In these connections it sets its
User-Agent header to "Autoproxy/0.2". The snort signature below will
catch these connections leaving your network and let you know if you
have any infected hosts.
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Autoproxy Trojan control connection"; flags:A+; content:"|0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 41 75 74 6f 70 72 6f 78 79 2f|"; reference:url,www.lurhq.com/autoproxy.html; classtype:trojan-activity; sid:1000028; rev:1;)
-Joe
--
Joe Stewart, GCIH
Senior Security Researcher
LURHQ http://www.lurhq.com/
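The following is an added worked example, not code from Joe Stewart's post or from LURHQ: it decodes the hex content string of the Snort rule above into the bytes Snort actually searches for, emulates the rule's match logic over a few constructed HTTP payloads (none of them real captures), and adds the "two sequential listening ports" heuristic from the first paragraph as a small check. Hostnames, ports and CGI paths in the samples are placeholders chosen for illustration.

```python
import re

# The |..| hex content from the Snort rule in the post. Decoded, it is the
# CRLF-prefixed header "\r\nUser-Agent: Autoproxy/" (version left open).
SNORT_CONTENT = "0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 41 75 74 6f 70 72 6f 78 79 2f"

USER_AGENT_RE = re.compile(rb"\r\nUser-Agent: (Autoproxy/[0-9.]+)\r\n")


def snort_hex_to_bytes(hex_content: str) -> bytes:
    """Turn a Snort |0d 0a ...| content string into the raw byte pattern."""
    return bytes.fromhex(hex_content.replace(" ", ""))


def matches_autoproxy(payload: bytes, dst_port: int = 80) -> bool:
    """Emulate the rule: outbound TCP to port 80 whose payload contains the
    Autoproxy User-Agent header. The leading 0d 0a in the pattern means the
    string has to begin a header line; the same text inside a request body
    or a query string does not match, which keeps false positives down."""
    if dst_port != 80:
        return False
    return snort_hex_to_bytes(SNORT_CONTENT) in payload


def autoproxy_version(payload: bytes):
    """Return the full User-Agent value (e.g. Autoproxy/0.2) for reporting,
    or None when the payload is not an Autoproxy control connection."""
    m = USER_AGENT_RE.search(payload)
    return m.group(1).decode() if m else None


def is_sequential_pair(ports) -> bool:
    """Heuristic from the post: Autoproxy opens two proxy ports that start at
    a random port but are adjacent. True for exactly two ports one apart."""
    ports = sorted(ports)
    return len(ports) == 2 and ports[1] - ports[0] == 1


# Constructed sample payloads (name, destination port, TCP payload).
SAMPLES = [
    ("trojan-report", 80,
     b"GET /cgi-bin/report.cgi?p1=3152&p2=3153 HTTP/1.0\r\n"
     b"Host: stats.example.invalid\r\n"
     b"User-Agent: Autoproxy/0.2\r\n\r\n"),
    ("browser", 80,
     b"GET / HTTP/1.1\r\nHost: www.example.invalid\r\n"
     b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n"),
    # The string appears only in the body, not at the start of a header
    # line, so the CRLF-anchored pattern does not fire.
    ("body-only", 80,
     b"POST /post.cgi HTTP/1.0\r\nHost: www.example.invalid\r\n\r\n"
     b"ua=User-Agent: Autoproxy/0.2"),
    # Same control request, but not to port 80: outside the rule's scope.
    ("wrong-port", 8080,
     b"GET /cgi-bin/report.cgi?p1=3152&p2=3153 HTTP/1.0\r\n"
     b"Host: stats.example.invalid\r\n"
     b"User-Agent: Autoproxy/0.2\r\n\r\n"),
]


def scan(samples):
    """Names of the samples the emulated rule would alert on."""
    return [name for name, port, payload in samples
            if matches_autoproxy(payload, port)]


if __name__ == "__main__":
    print("pattern:", snort_hex_to_bytes(SNORT_CONTENT))
    for name, port, payload in SAMPLES:
        hit = matches_autoproxy(payload, port)
        print(f"{name:14s} port {port:5d} alert={hit} ua={autoproxy_version(payload)}")
    print("sequential pair 3152/3153:", is_sequential_pair([3152, 3153]))
```

The rule as written only fires on the outbound control traffic; a host whose firewall blocks the report to the CGI script will not trip it, so pairing this with a scan for adjacent listening ports on suspect machines covers both observations in the thread.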