spyware issue
user name
2006-11-02 14:00:07
Thanks Eric.  In examining some of the data it looks like one of my mystery IPs is an IM spam bot.  Since it doesn't route within our network it gets dropped, but I don't understand why someone would do this.  I figure you would want the biggest bang for your buck, so you should utilize the system's IP and routing table.

Below is a snippet of a packet with its ASCII payload.  The whois shows both the src and dest ranges belong to sandy.thehideout.net, which has some association with http://www.smartmeasurement.com/en/home.asp, and the payload shows a link of http://fixpcreg.com.  Not sure if the IP is a randomly used spoofed IP or if they have some association to it whatsoever.  Either way thehideout.net does bring up a lot of squawking in a google search.

01:43:12.249690 IP (tos 0x0, ttl  53, id 0, offset 0, flags [DF], proto 17, length: 585) 204.16.208.80.32770 > 206.132.232.184.1026: [udp sum ok] UDP, length 557
        0x0000:  4500 0249 0000 4000 3511 f005 cc10 d050  E..I...5......P
        0x0010:  ce84 e8b8 8002 0402 0235 6652 0400 2800  .........5fR..(.
        0x0020:  1000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0030:  0000 0000 f891 7b5a 00ff d011 a9b2 00c0  ......{Z........
        0x0040:  4fb6 e6fc 5216 4f57 e614 f627 a125 4393  O...R.OW...'.%C.
        0x0050:  9327 90f0 0000 0000 0100 0000 0000 0000  .'..............
        0x0060:  0000 ffff ffff dd01 0000 0000 1000 0000  ................
        0x0070:  0000 0000 1000 0000 5345 4355 5249 5459  ........SECURITY
        0x0080:  0000 0000 0000 0000 1000 0000 0000 0000  ................
        0x0090:  1000 0000 414c 4552 5400 0000 0000 0000  ....ALERT.......
        0x00a0:  0000 0000 9901 0000 0000 0000 9901 0000  ................
        0x00b0:  4d65 7373 6167 6520 6672 6f6d 2053 4543  Message.from.SEC
        0x00c0:  5552 4954 595f 4d4f 4e49 544f 5220 746f  URITY_MONITOR.to
        0x00d0:  2055 5345 5220 6f6e 2031 302f 3233 2f32  .USER.on.10/23/2
        0x00e0:  3030 3620 3135 3a35 333a 3335 0a54 6865  006.15:53:35.The
        0x00f0:  7265 206d 6179 6265 2061 2043 5249 5449  re.maybe.a.CRITI
        0x0100:  4341 4c20 5245 4749 5354 5259 2045 5252  CAL.REGISTRY.ERR
        0x0110:  4f52 2e0a 0a54 6f20 7265 6d6f 7665 2074  OR...To.remove.t
        0x0120:  6865 2043 5249 5449 4341 4c20 4552 524f  he.CRITICAL.ERRO
        0x0130:  5220 706c 6561 7365 2064 6f20 7468 6520  R.please.do.the.
        0x0140:  666f 6c6c 6f77 696e 673a 0a31 2e20 436c  following:.1..Cl
        0x0150:  6963 6b20 7468 6520 7374 6172 7420 6275  ick.the.start.bu
        0x0160:  7474 6f6e 0a32 2e20 436c 6963 6b20 5275  tton.2..Click.Ru
        0x0170:  6e2e 0a33 2e20 5479 7065 2069 6e20 6874  n..3..Type.in.ht
        0x0180:  7470 3a2f 2f66 6978 7063 7265 672e 636f  tp://fixpcreg.co
        0x0190:  6d0a 342e 2049 6e73 7461 6c6c 2052 6567  m.4..Install.Reg
        0x01a0:  6973 7472 7920 5265 6d6f 7665 720a 352e  istry.Remover.5.
        0x01b0:  2052 756e 2052 6567 6973 7472 7920 5265  .Run.Registry.Re
        0x01c0:  6d6f 7665 7220 446f 630a 362e 2052 6562  mover.Doc.6..Reb
        0x01d0:  6f6f 7420 796f 7572 2063 6f6d 7075 7465  oot.your.compute
        0x01e0:  720a 0a46 4149 4c55 5245 2054 4f20 4143  r..FAILURE.TO.AC
        0x01f0:  5420 4e4f 5720 4d41 5920 4c45 4144 2054  T.NOW.MAY.LEAD.T
        0x0200:  4f20 4441 5441 2043 4f52 5255 5054 494f  O.DATA.CORRUPTIO
        0x0210:  4e2c 2041 4e44 2053 5452 414e 4745 5253  N,.AND.STRANGERS
        0x0220:  200a 4841 5649 4e47 2041 4343 4553 5320  ..HAVING.ACCESS.
        0x0230:  544f 2059 4f55 5220 5045 5253 4f4e 414c  TO.YOUR.PERSONAL
        0x0240:  2046 494c 4553 210a 00                   .FILES!..

-Nick Baronian


On 11/1/06, Eric F <eric.f.nagmail.com> wrote:
> I've heard of situations where legitimate, routable (and sometimes abandoned
> or unused) IP space is used by spammers - "address space hijacking".
>
> This may or may not be what you're seeing, but it's something to consider.
>
> Let me know if you are looking for more information.
>
> -Eric
>
> On 10/27/06, Nick Baronian <kvetchgmail.com> wrote:
> > I had a machine on my network that was infected with some viruses
> > and malware.  The machine has been wiped and rebuilt, but I noticed,
> > going through my IDS logs for that day, I saw a couple IPs in my LAN that
> > were not mine and they were routable.  Do some forms of malware/bots
> > have static addresses?  I have heard some bots have their own
> > network stack, but I just wasn't clear if this was true or not because
> > I would just assume not, even though it would be harder to track down
> > the bot if they did have their own addresses, but because of possible
> > routing issues I would think they would not go this way.
> >
> > Thanks,
> > Nick
> >
>
>
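As an added example (not code from the thread or its participants), the Python below decodes the packet captured above: it rebuilds the bytes from the hex columns of the dump, verifies the IPv4 header checksum, flags whether the source lies inside a local prefix (192.0.2.0/24 is a constructed stand-in for "our network"), and pulls the pop-up text and URL out of the UDP payload. The shape of that payload, a DCE RPC v4 request to UDP/1026 carrying "Message from ... to ..." text, is the classic Windows Messenger-service pop-up spam; that identification is mine, not something the thread states.

```python
import ipaddress
import re
import struct
# Bytes of the IPv4/UDP packet from the tcpdump -X output above, copied as plain
# hex with two 16-byte rows per line; bytes.fromhex() ignores the whitespace.
PACKET_HEX = """
4500 0249 0000 4000 3511 f005 cc10 d050  ce84 e8b8 8002 0402 0235 6652 0400 2800
1000 0000 0000 0000 0000 0000 0000 0000  0000 0000 f891 7b5a 00ff d011 a9b2 00c0
4fb6 e6fc 5216 4f57 e614 f627 a125 4393  9327 90f0 0000 0000 0100 0000 0000 0000
0000 ffff ffff dd01 0000 0000 1000 0000  0000 0000 1000 0000 5345 4355 5249 5459
0000 0000 0000 0000 1000 0000 0000 0000  1000 0000 414c 4552 5400 0000 0000 0000
0000 0000 9901 0000 0000 0000 9901 0000  4d65 7373 6167 6520 6672 6f6d 2053 4543
5552 4954 595f 4d4f 4e49 544f 5220 746f  2055 5345 5220 6f6e 2031 302f 3233 2f32
3030 3620 3135 3a35 333a 3335 0a54 6865  7265 206d 6179 6265 2061 2043 5249 5449
4341 4c20 5245 4749 5354 5259 2045 5252  4f52 2e0a 0a54 6f20 7265 6d6f 7665 2074
6865 2043 5249 5449 4341 4c20 4552 524f  5220 706c 6561 7365 2064 6f20 7468 6520
666f 6c6c 6f77 696e 673a 0a31 2e20 436c  6963 6b20 7468 6520 7374 6172 7420 6275
7474 6f6e 0a32 2e20 436c 6963 6b20 5275  6e2e 0a33 2e20 5479 7065 2069 6e20 6874
7470 3a2f 2f66 6978 7063 7265 672e 636f  6d0a 342e 2049 6e73 7461 6c6c 2052 6567
6973 7472 7920 5265 6d6f 7665 720a 352e  2052 756e 2052 6567 6973 7472 7920 5265
6d6f 7665 7220 446f 630a 362e 2052 6562  6f6f 7420 796f 7572 2063 6f6d 7075 7465
720a 0a46 4149 4c55 5245 2054 4f20 4143  5420 4e4f 5720 4d41 5920 4c45 4144 2054
4f20 4441 5441 2043 4f52 5255 5054 494f  4e2c 2041 4e44 2053 5452 414e 4745 5253
200a 4841 5649 4e47 2041 4343 4553 5320  544f 2059 4f55 5220 5045 5253 4f4e 414c
2046 494c 4553 210a 00
"""
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # constructed stand-in for "our network"

def ip_header_checksum(header):
    """RFC 791 one's-complement sum; returns 0 when the header's own checksum field is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def decode_udp_packet(hexdump):
    """Decode the IPv4/UDP headers and pull readable strings and URLs out of the payload."""
    raw = bytes.fromhex(hexdump)
    ihl = (raw[0] & 0x0F) * 4
    total_len, proto = struct.unpack("!H", raw[2:4])[0], raw[9]
    src, dst = ipaddress.ip_address(raw[12:16]), ipaddress.ip_address(raw[16:20])
    sport, dport, udp_len = struct.unpack("!HHH", raw[ihl:ihl + 6])
    payload = raw[ihl + 8:total_len]
    # Printable runs of 5+ chars: the pop-up title words and the message body sit in the RPC stub as ASCII
    strings = [s.decode() for s in re.findall(rb"[\x20-\x7e\n]{5,}", payload)]
    urls = re.findall(r"https?://\S+", "\n".join(strings))
    return {"src": str(src), "dst": str(dst), "proto": proto, "sport": sport, "dport": dport,
            "udp_len": udp_len, "ip_checksum_ok": ip_header_checksum(raw[:ihl]) == 0,
            "src_is_local": any(src in net for net in LOCAL_NETS), "strings": strings, "urls": urls}
```

Running `decode_udp_packet(PACKET_HEX)` reports the 204.16.208.80 source as outside the local prefix and returns the three text strings (SECURITY, ALERT, and the full message) plus the http://fixpcreg.com URL, which is what an IDS rule for this traffic would key on.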