Trojan on RH7.2 via UDP port 32768, please help!

LionKing · 01-12-2002, 10:32 AM

I need help, it seems my new RH7.2 box got some type of Trojan running on UDP port 32768. but I am not sure what is it. I need some help.

This is a RH7.2 which I rebuild about a week ago to upgrade from RH7.1 to RH7.2, I reinstalled from scratch via ftp download, so many services automatically started, I immediately used #setup to reconfigure the system services (with system connected online), and then rebooted the system. I noticed udp port 32768 was in state
0 0.0.0.0:32768 0.0.0.0:*
initially I did not pay much attention to it, because I thought this is newly buildt system, it must be something running by default.
But obviously I was wrong, it appears it has Trojan running, and I have been trying to search the net and figure out what type of Trajon it is, so I can find way to clearn it. Searching the net has not been successful to identify the type of Trojan. So I need your guys help please.

This machine is used as gateway & dhcp for my home network, the machine does ip_masquerate for several PCs including a couple of PCs for kids. I have not got time to configure it firewall componets because RH7.2 complains
cannot open file `/proc/net/ip_masquerade'
and so I have iptable running, and I am not fimilar it, to transfer ipchains script to iptables.
This RH7.2 has two ethernet cards:
eth0 192.168.1.254 (internal)
eth1 12.237.88.143 (external)

The strange activities shown from tcpdump:
tcpdump -i eth1 -p udp -n

01:54:29.544853 12.237.88.143.32768 > 216.239.34.10.domain: 32516 A? www.google.com. (32) (DF)
01:54:29.644853 216.239.34.10.domain > 12.237.88.143.32768: 32516*- 1/4/4 A 216.239.33.101 (184)
01:54:43.804853 12.237.88.143.32768 > 192.41.162.30.domain: 49026 A? www.dsinet.org. (32) (DF)
01:54:43.854853 192.41.162.30.domain > 12.237.88.143.32768: 49026- 0/2/0 (91)
01:54:43.864853 12.237.88.143.32768 > 198.6.1.82.domain: 61422 [1au] A? NS2.NOVAXESS.NL. OPT UDPsize=2048 (44) (DF)
01:54:43.864853 12.237.88.143.32768 > 198.6.1.82.domain: 63479 [1au] A? NEEMSURFAH.OBIT.NL. OPT UDPsize=2048 (47) (DF)
01:54:43.944853 198.6.1.82.domain > 12.237.88.143.32768: 61422 FormErr-% [0q] 0/0/0 (12) (DF)
01:54:43.944853 12.237.88.143.32768 > 198.6.1.82.domain: 52590 A? NS2.NOVAXESS.NL. (33) (DF)
01:54:43.974853 198.6.1.82.domain > 12.237.88.143.32768: 63479 FormErr-% [0q] 0/0/0 (12) (DF)
01:54:43.974853 12.237.88.143.32768 > 198.6.1.82.domain: 26295 A? NEEMSURFAH.OBIT.NL. (36) (DF)
01:54:44.024853 198.6.1.82.domain > 12.237.88.143.32768: 52590- 1/3/3 A 213.201.191.18 (147) (DF)
01:54:44.034853 12.237.88.143.32768 > 213.201.191.18.domain: 54735 [1au] A? www.dsinet.org. OPT UDPsize=2048 (43) (DF)
01:54:44.054853 198.6.1.82.domain > 12.237.88.143.32768: 26295- 1/2/2 A 213.201.155.130 (125) (DF)
01:54:44.194853 213.201.191.18.domain > 12.237.88.143.32768: 54735* 1/3/4 A 213.201.155.186 (199)
01:54:48.264853 12.237.88.143.32768 > 192.41.162.30.domain: 54021 A? www.robertgraham.com. (38) (DF)
01:54:48.414853 192.41.162.30.domain > 12.237.88.143.32768: 54021- 0/2/2 (116)
01:54:48.414853 12.237.88.143.32768 > 208.185.133.167.domain: 42902 [1au] A? www.robertgraham.com. OPT UDPsize=2048 (49) (DF)
01:54:50.444853 12.237.88.143.32768 > 64.220.205.140.domain: 10657 [1au] A? www.robertgraham.com. OPT UDPsize=2048 (49) (DF)
01:54:50.554853 64.220.205.140.domain > 12.237.88.143.32768: 10657 FormErr-% 0/0/1 (49)
01:54:50.554853 12.237.88.143.32768 > 64.220.205.140.domain: 1707 A? www.robertgraham.com. (38) (DF)
01:54:50.724853 64.220.205.140.domain > 12.237.88.143.32768: 1707* 1/0/0 A 64.220.205.140 (54)
01:55:12.734853 12.237.88.143.32768 > 192.203.230.10.domain: 10218 A? www.arcert.gov.ar. (35) (DF)
01:55:12.964853 192.203.230.10.domain > 12.237.88.143.32768: 10218- 0/8/9 (377)
01:55:12.964853 12.237.88.143.32768 > 204.123.2.18.domain: 5109 A? www.arcert.gov.ar. (35) (DF)
01:55:13.314853 204.123.2.18.domain > 12.237.88.143.32768: 5109- 0/6/6 (276) (DF)
01:55:13.324853 12.237.88.143.32768 > 130.59.211.10.domain: 27938 [1au] A? www.arcert.gov.ar. OPT UDPsize=2048 (46) (DF)
01:55:13.524853 130.59.211.10.domain > 12.237.88.143.32768: 27938 0/2/3 (121) (DF)
01:55:13.524853 12.237.88.143.32768 > 168.96.172.194.domain: 13969 [1au] A? www.arcert.gov.ar. OPT UDPsize=2048 (46) (DF)
01:55:13.784853 168.96.172.194.domain > 12.237.88.143.32768: 13969* 2/2/1 CNAME[|domain] (DF)
01:55:13.794853 12.237.88.143.32768 > 168.96.172.13.domain: 63461 [1au] A? lapacho.arcert.gov.ar. OPT UDPsize=2048 (50) (DF)
01:55:14.044853 168.96.172.13.domain > 12.237.88.143.32768: 63461* 1/2/1 A[|domain] (DF)
.....
.....
Another strange thing is that tcp port 953 has been open even I do not have any pop3s or imap stuff running. I need this system to run webserver with mySQL, so port 80 and 3306 appears open, caching DNS for internal machines, so port 53 is open. DHCP server probably opens the UDP port 67, strange things appears to me are for UDP port 32678, and TCP port 953

netstat -na
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 12.237.88.143:53 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.254:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
tcp 0 224 192.168.1.254:22 192.168.1.21:1034 ESTABLISHED
udp 0 0 0.0.0.0:32768 0.0.0.0:*
udp 0 0 12.237.88.143:53 0.0.0.0:*
udp 0 0 192.168.1.254:53 0.0.0.0:*
udp 0 0 127.0.0.1:53 0.0.0.0:*
udp 0 0 0.0.0.0:67 0.0.0.0:*
udp 0 0 0.0.0.0:67 0.0.0.0:*
raw 0 0 0.0.0.0:1 0.0.0.0:* 7

Raz, where have you been? I have sent email to you, and I didn't receive reply, did you change your email address?
Please help unSpawn, and anyone could point some directions how to indentify this Trojan, I appreciate your help. thanks!

unSpawn · 01-12-2002, 01:51 PM

About TCP/953. This seems to be benign: it's rndc (ISC BIND v9x) more on rndc.

About UDP/32768. Excellent thinking to include a tcpdump. You notice source address 12.237.88.143 asking the DNS server 216.239.34.10 for the address of www.google.com in line 01, and getting a reply in line 02:
12.237.88.143.32768 > 216.239.34.10.domain: 32516 A? www.google.com. (32)(DF)
216.239.34.10.domain > 12.237.88.143.32768: 32516*- 1/4/4 A 216.239.33.101 (184) etc, etc.
I guess this is an unprivileged port BIND or another resolver hands off queries on it can't do itself.

*The next advice is kinda bad, because we shouldnt trust binaries on the box* but my IANA portlist returns UDP/32768 as registered by "Filenet TMS", tho Ive also seen this UDP port in use by RPC services; so, to find out whats there you could try running "lsof | grep IPv4", this should correlate the 2nd filed (PID) with the 5th field when running "socklist" after that. Look it up in "ps ax" and you should see which process is using the socket (from lsof/socklist). Running "rpcinfo" could return some info as well.
Anyway, if this where TCP/32768 it *could* have been the default port for the "HAckers Paradise" RAT. Luckily it isn't TCP.
Btw, tcpdump's "-p" flag is promiscuous mode setting, not like (p)rotocol.

Well, as for checking for trojans you know the drill... Download chkrootkit, disconnect box from 'net, run chkrootkit. If that doesn't flare up like some nuclear xmas tree, try verifying by using your rpm database.

If you have absolutely no doubt people have touched your box, set up Filesystem Integrity checking with Aide,Tripwire or Samhain, top it of with Snort (Intrusion Detection) and take some time to fix your fw.

HTH somehow

LionKing · 01-12-2002, 09:52 PM

Thanks a lot for your valuable input, unSpwan.
As you have suggested, I checked the udp/32768 traffic pattern and "lsof | grep IPv4" and socklist, I am convinced that your first guess is correct. It appears udp/32768 is open dns queries. It does look like Trajon to me any more.
Thanks again!

# lsof |grep IPv4
named 742 root 9u IPv4 1254 UDP *:32768
named 742 root 10u IPv4 1242 UDP localhost:domain
named 742 root 11u IPv4 1243 TCP localhost:domain (LISTEN)
named 742 root 12u IPv4 1244 UDP solar:domain
named 742 root 13u IPv4 1245 TCP solar:domain (LISTEN)
named 742 root 14u IPv4 1252 UDP luna.rockstone.com:domain
named 742 root 15u IPv4 1253 TCP luna.rockstone.com:domain (LISTEN)
named 742 root 16u IPv4 1255 TCP localhost:rndc (LISTEN)
named 744 root 9u IPv4 1254 UDP *:32768
named 744 root 10u IPv4 1242 UDP localhost:domain
named 744 root 11u IPv4 1243 TCP localhost:domain (LISTEN)
named 744 root 12u IPv4 1244 UDP solar:domain
named 744 root 13u IPv4 1245 TCP solar:domain (LISTEN)
named 744 root 14u IPv4 1252 UDP luna.rockstone.com:domain
named 744 root 15u IPv4 1253 TCP luna.rockstone.com:domain (LISTEN)
named 744 root 16u IPv4 1255 TCP localhost:rndc (LISTEN)
named 745 root 9u IPv4 1254 UDP *:32768
named 745 root 10u IPv4 1242 UDP localhost:domain
named 745 root 11u IPv4 1243 TCP localhost:domain (LISTEN)
named 745 root 12u IPv4 1244 UDP solar:domain
named 745 root 13u IPv4 1245 TCP solar:domain (LISTEN)
named 745 root 14u IPv4 1252 UDP luna.rockstone.com:domain
named 745 root 15u IPv4 1253 TCP luna.rockstone.com:domain (LISTEN)
named 745 root 16u IPv4 1255 TCP localhost:rndc (LISTEN)
named 746 root 9u IPv4 1254 UDP *:32768
named 746 root 10u IPv4 1242 UDP localhost:domain
named 746 root 11u IPv4 1243 TCP localhost:domain (LISTEN)
named 746 root 12u IPv4 1244 UDP solar:domain
named 746 root 13u IPv4 1245 TCP solar:domain (LISTEN)
named 746 root 14u IPv4 1252 UDP luna.rockstone.com:domain
named 746 root 15u IPv4 1253 TCP luna.rockstone.com:domain (LISTEN)
named 746 root 16u IPv4 1255 TCP localhost:rndc (LISTEN)
named 747 root 9u IPv4 1254 UDP *:32768
named 747 root 10u IPv4 1242 UDP localhost:domain
named 747 root 11u IPv4 1243 TCP localhost:domain (LISTEN)
named 747 root 12u IPv4 1244 UDP solar:domain
named 747 root 13u IPv4 1245 TCP solar:domain (LISTEN)
named 747 root 14u IPv4 1252 UDP luna.rockstone.com:domain
named 747 root 15u IPv4 1253 TCP luna.rockstone.com:domain (LISTEN)
named 747 root 16u IPv4 1255 TCP localhost:rndc (LISTEN)
named 748 root 9u IPv4 1254 UDP *:32768
named 748 root 10u IPv4 1242 UDP localhost:domain
named 748 root 11u IPv4 1243 TCP localhost:domain (LISTEN)
named 748 root 12u IPv4 1244 UDP solar:domain
named 748 root 13u IPv4 1245 TCP solar:domain (LISTEN)
named 748 root 14u IPv4 1252 UDP luna.rockstone.com:domain
named 748 root 15u IPv4 1253 TCP luna.rockstone.com:domain (LISTEN)
named 748 root 16u IPv4 1255 TCP localhost:rndc (LISTEN)
sshd 768 root 3u IPv4 1246 TCP *:ssh (LISTEN)
dhcpd 806 root 8u IPv4 1309 UDP *:bootps
dhcpd 806 root 9u IPv4 1310 UDP *:bootps
sshd 768 root 3u IPv4 1246 TCP *:ssh (LISTEN)
dhcpd 806 root 8u IPv4 1309 UDP *:bootps
dhcpd 806 root 9u IPv4 1310 UDP *:bootps
mysqld 866 root 3u IPv4 1371 TCP *:mysql (LISTEN)
mysqld 873 root 3u IPv4 1371 TCP *:mysql (LISTEN)
mysqld 874 root 3u IPv4 1371 TCP *:mysql (LISTEN)
mysqld 879 root 3u IPv4 1371 TCP *:mysql (LISTEN)
sendmail 882 root 4u IPv4 1398 TCP localhost:smtp (LISTEN)
httpd 924 root 16u IPv4 1489 TCP *:https (LISTEN)
httpd 924 root 17u IPv4 1490 TCP *:http (LISTEN)
httpd 988 root 16u IPv4 1489 TCP *:https (LISTEN)
httpd 988 root 17u IPv4 1490 TCP *:http (LISTEN)
httpd 989 root 16u IPv4 1489 TCP *:https (LISTEN)
httpd 989 root 17u IPv4 1490 TCP *:http (LISTEN)
httpd 990 root 16u IPv4 1489 TCP *:https (LISTEN)
httpd 990 root 17u IPv4 1490 TCP *:http (LISTEN)
httpd 992 root 16u IPv4 1489 TCP *:https (LISTEN)
httpd 992 root 17u IPv4 1490 TCP *:http (LISTEN)
httpd 994 root 16u IPv4 1489 TCP *:https (LISTEN)
httpd 994 root 17u IPv4 1490 TCP *:http (LISTEN)
httpd 995 root 16u IPv4 1489 TCP *:https (LISTEN)
httpd 995 root 17u IPv4 1490 TCP *:http (LISTEN)
httpd 996 root 16u IPv4 1489 TCP *:https (LISTEN)
httpd 996 root 17u IPv4 1490 TCP *:http (LISTEN)
httpd 999 root 16u IPv4 1489 TCP *:https (LISTEN)
httpd 999 root 17u IPv4 1490 TCP *:http (LISTEN)
sshd 1339 root 4u IPv4 2162 TCP solar:ssh->air1.rockstone.com:1025 (ESTABLISHED)
sshd 1533 root 4u IPv4 2540 TCP solar:ssh->air1.rockstone.com:1027 (ESTABLISHED)
sshd 1648 root 4u IPv4 4932 TCP solar:ssh->192.168.1.21:1110 (ESTABLISHED)

#socklist
type port inode uid pid fd name
tcp 3306 1371 0 879 3 mysqld
tcp 80 1490 0 999 17 httpd
tcp 53 1253 25 748 15 named
tcp 53 1245 25 748 13 named
tcp 53 1243 25 748 11 named
tcp 22 1246 0 768 3 sshd
tcp 25 1398 0 882 4 sendmail
tcp 953 1255 25 748 16 named
tcp 443 1489 0 999 16 httpd
tcp 22 4932 0 1648 4 sshd
tcp 22 2540 0 1533 4 sshd
tcp 22 2162 0 1339 4 sshd
udp 32768 1254 25 748 9 named
udp 53 1252 25 748 14 named
udp 53 1244 25 748 12 named
udp 53 1242 25 748 10 named
udp 67 1310 0 806 9 dhcpd
udp 67 1309 0 806 8 dhcpd
raw 1 1311 0 806 7 dhcpd