Malicious Activity, Packet Capture file attached

shahmeer75 · 05-19-2010, 12:34 PM

Please find the attached Packet Capture file,what has happened to the host addressed 192.168.1.101.How it will impact network on the findings and is there any possible remediation strategies?

Any replies will be appreciated. Thank you in advance.

PS: Please rename the file to packet_capture.zip and extract the pcap file.

unSpawn · 05-20-2010, 04:38 PM

Quote:

Originally Posted by shahmeer75

what has happened to the host addressed 192.168.1.101.

* Note the pcap shows about 80 percent TCP. The rest mostly is ARP so you may want to adjust your BPF filtering so you log only what you're interested in.

0. Run the capture through Snort in pcap-reading mode and you'll find these SIDs:

Code:

1:1418:13 SNMP request tcp 
1:1420:13 SNMP trap tcp 
1:1421:13 SNMP AgentX/tcp request 
1:402:8 ICMP Destination Unreachable Port Unreachable 
1:491:8 INFO FTP Bad login <- interesting
1:648:9 SHELLCODE x86 NOOP <- interesting

1. The SHELLCODE x86 NOOP SID occurred once, from an IP in the 3215 AS. Follow the conversation in Wireshark and you'll see the remote IP connected successfully over SMB to the system's default share (as anonymous user).

2. FTP Bad login SID occurred 5 times, FTP traffic occurred with one IP in the 3462 9680 AS and one IP in the 15024 AS. The remote host from the 3462 9680 AS was able to log in as user administrator (the account was enabled and had a very simple password) and used the FTP scanner by Inode (search for "RMD sarcaxxo").

Quote:

Originally Posted by shahmeer75

How it will impact network on the findings and is there any possible remediation strategies?

As the host does not run GNU/Linux or UNIX it is not in this forums task (see /General) to provide security advice for that platform. Needless to say the machine should be taken off-line for further investigation and the person or persons "managing" the machine flogged, demoted and fired for incompetence and negligence :-]

shahmeer75 · 05-22-2010, 03:43 PM

Thanks for your reply. I can see the points mentioned. What about the host addressed 192.168.1.101? Is there anything happened with that? I really appreciate your response. Thank you again

Quote:

Originally Posted by unSpawn

* Note the pcap shows about 80 percent TCP. The rest mostly is ARP so you may want to adjust your BPF filtering so you log only what you're interested in.

0. Run the capture through Snort in pcap-reading mode and you'll find these SIDs:

Code:

1:1418:13 SNMP request tcp 
1:1420:13 SNMP trap tcp 
1:1421:13 SNMP AgentX/tcp request 
1:402:8 ICMP Destination Unreachable Port Unreachable 
1:491:8 INFO FTP Bad login <- interesting
1:648:9 SHELLCODE x86 NOOP <- interesting

1. The SHELLCODE x86 NOOP SID occurred once, from an IP in the 3215 AS. Follow the conversation in Wireshark and you'll see the remote IP connected successfully over SMB to the system's default share (as anonymous user).

2. FTP Bad login SID occurred 5 times, FTP traffic occurred with one IP in the 3462 9680 AS and one IP in the 15024 AS. The remote host from the 3462 9680 AS was able to log in as user administrator (the account was enabled and had a very simple password) and used the FTP scanner by Inode (search for "RMD sarcaxxo").

As the host does not run GNU/Linux or UNIX it is not in this forums task (see /General) to provide security advice for that platform. Needless to say the machine should be taken off-line for further investigation and the person or persons "managing" the machine flogged, demoted and fired for incompetence and negligence :-]

unSpawn · 05-22-2010, 06:07 PM

Quote:

Originally Posted by shahmeer75

What about the host addressed 192.168.1.101? Is there anything happened with that?

The machine should be taken off-line for further investigation. If you want more information than that you should provide more information first.

OlRoy · 05-24-2010, 09:25 AM

Those specific questions with a very specific pcap file sounds like a homework assignment to me.

unixfool · 05-25-2010, 09:08 AM

Quote:

Originally Posted by OlRoy

Those specific questions with a very specific pcap file sounds like a homework assignment to me.

hahaha...you're probably right! I've never seen someone submit a pcap on the LQ forums (or maybe I missed those, but those types of attachments certainly aren't prominent).

win32sux · 05-26-2010, 04:25 PM

Given that shahmeer75 has chosen to delete the original post's contents, I'm closing this thread. shahmeer75, you're new around here so I'll let you go with only a warning: Understand that LQ is about sharing knowledge, and by deleting your post's contents you've engaged in behavior which isn't in the spirit of LQ. Please don't do this sort of thing again.