Message-ID: <87sjmb3h6p.fsf@wylie.me.uk>
Date: Sat, 29 Oct 2011 17:18:06 +0100
From: "Alan J. Wylie" <shyyqvfpybfher@...ie.me.uk>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: bind-9.8.1 remote code exec exploit?
nix@...roxylists.com writes:
> I've been investigating weird iptables messages as follows:
>
> Oct 29 14:53:13 NIX kernel: IN= OUT=eth0 SRC=MY_SERVER_IP DST=62.80.128.29
> LEN=114 TOS=0x00 PREC=0x00 TTL=64 ID=31795 PROTO=UDP SPT=53 DPT=5060
> LEN=94
>
> I received a message from my ISP abuse that my server is scanning SIP port
> 5060 and I set the firewall rule to deny/log all UDP connections out of
> the box to port 5060 to get timestamps for further investigation. This
> happened before I set the firewall rule.
>
> /var/log/named.log
>
> 05-Oct-2011 06:05:58.093 client: warning: client 81.25.53.2#5060: error sending response: host unreachable
> 07-Oct-2011 13:14:38.739 client: warning: client 221.210.153.6#5060: error sending response: host unreachable
> 08-Oct-2011 00:43:22.881 client: warning: client 212.59.18.8#5060: error sending response: host unreachable
> 08-Oct-2011 13:42:58.943 client: warning: client 202.43.160.50#5060: error sending response: host unreachable
> 12-Oct-2011 10:26:20.586 client: warning: client 213.77.43.115#5060: error sending response: host unreachable
> 14-Oct-2011 15:42:12.676 client: warning: client 193.210.19.19#5060: error sending response: host unreachable
> 15-Oct-2011 16:26:16.573 client: warning: client 202.44.204.36#5060: error sending response: host unreachable
> 16-Oct-2011 20:52:44.570 client: warning: client 200.63.56.5#5060: error sending response: host unreachable
> 17-Oct-2011 01:48:49.617 client: warning: client 84.22.23.4#5060: error sending response: host unreachable
> 23-Oct-2011 12:34:26.255 client: warning: client 208.69.35.15#5060: error sending response: host unreachable
> 25-Oct-2011 01:50:17.382 client: warning: client 84.88.226.10#5060: error sending response: host unreachable
> 25-Oct-2011 15:23:51.384 client: warning: client 195.222.32.20#5060: error sending response: host unreachable
> 29-Oct-2011 14:53:13.208 client: warning: client 62.80.128.29#5060: error sending response: host unreachable
Don't you think that it's a bit of a coincidence that most of those IP
addresses resolve to a host with "ns" (Name Server) as part of their
hostname?
$ for x in 193.210.19.19 195.222.32.20 200.63.56.5 202.43.160.50 \
202.44.204.36 208.69.35.15 212.59.18.8 213.77.43.115 221.210.153.6 \
62.80.128.29 81.25.53.2 84.22.23.4 84.88.226.10;
do
echo -n "$x: ";
dig +short -x $x;
done
193.210.19.19: ns6.inet.fi.
195.222.32.20: ns2.bih.net.ba.
200.63.56.5: ;; connection timed out; no servers could be reached
202.43.160.50: ns1.dtp.net.id.
202.44.204.36: nscache1.nectec.or.th.
208.69.35.15: m5.ams.opendns.com.
212.59.18.8: ns.ektra.lt.
213.77.43.115: 221.210.153.6: 62.80.128.29: ns2.multi.fi.
81.25.53.2: localns.ultra.net.ru.
84.22.23.4: 84.88.226.10: dns1.blanquerna.url.edu.
I note that the IP your e-mail was sent from is 88.195.165.231, ISP
inet.fi, and that one of the above hosts is ns6.inet.fi.
There's a nameserver running on that IP, but it is not offering
recursion (good).
------8<------8<------8<------8<------8<------8<------8<------8<
$ dig -t any @88.195.165.231 www.google.com
; <<>> DiG 9.7.3 <<>> -t any @88.195.165.231 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 683
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;www.google.com. IN ANY
------8<------8<------8<------8<------8<------8<------8<------8<
If you are blocking port 5060, then it is no surprise that DNS lookups
are failing.
"error sending response" looks like a TCP connection error - DNS usually
uses UDP. I suspect that those IP addresses are doing DNS lookups,
randomly[1] selecting 5060 as their source port, finding no response,
and retrying on TCP.
[1] random is good - RFC6056, http://cr.yp.to/djbdns/forgery.html
Everything is looking good on that server with source port 5060 from
here at the moment. Was your ISP previously blocking port 5060, but is
no longer doing so?
------8<------8<------8<------8<------8<------8<------8<------8<
$ dig -b 82.68.155.94#5060 @88.195.165.231 www.google.com
; <<>> DiG 9.7.3 <<>> -b 82.68.155.94#5060 @88.195.165.231 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 56850
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;www.google.com. IN A
$ tcpdump port 53 -i ppp0
17:05:09.897796 IP wylie.me.uk.5060 > dsl-tkubrasgw3-ffa5c300-231.dhcp.inet.fi.domain: 56850+ A? www.google.com. (32)
17:05:09.965868 IP dsl-tkubrasgw3-ffa5c300-231.dhcp.inet.fi.domain > wylie.me.uk.5060: 56850 Refused- 0/0/0 (32)
------8<------8<------8<------8<------8<------8<------8<------8<
$ dig -b 82.68.155.94#5060 +tcp @88.195.165.231 www.google.com
; <<>> DiG 9.7.3 <<>> -b 82.68.155.94#5060 +tcp @88.195.165.231 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 46624
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;www.google.com. IN A
$ tcpdump port 53 -i ppp0
17:05:15.286709 IP wylie.me.uk.5060 > dsl-tkubrasgw3-ffa5c300-231.dhcp.inet.fi.domain: S 3256494479:3256494479(0) win 14520 <mss 1452,sackOK,timestamp 85574910 0,nop,wscale 4>
17:05:15.353918 IP dsl-tkubrasgw3-ffa5c300-231.dhcp.inet.fi.domain > wylie.me.uk.5060: S 2117895477:2117895477(0) ack 3256494480 win 5840 <mss 1460>
17:05:15.353996 IP wylie.me.uk.5060 > dsl-tkubrasgw3-ffa5c300-231.dhcp.inet.fi.domain: . ack 1 win 14520
17:05:15.354280 IP wylie.me.uk.5060 > dsl-tkubrasgw3-ffa5c300-231.dhcp.inet.fi.domain: P 1:35(34) ack 1 win 1452046624+ A? www.google.com. (32)
17:05:15.422648 IP dsl-tkubrasgw3-ffa5c300-231.dhcp.inet.fi.domain > wylie.me.uk.5060: . ack 35 win 5840
17:05:15.423125 IP dsl-tkubrasgw3-ffa5c300-231.dhcp.inet.fi.domain > wylie.me.uk.5060: P 1:35(34) ack 35 win 584046624 Refused- 0/0/0 (32)
17:05:15.423149 IP wylie.me.uk.5060 > dsl-tkubrasgw3-ffa5c300-231.dhcp.inet.fi.domain: . ack 35 win 14520
17:05:15.426007 IP wylie.me.uk.5060 > dsl-tkubrasgw3-ffa5c300-231.dhcp.inet.fi.domain: F 35:35(0) ack 35 win 14520
17:05:15.493606 IP dsl-tkubrasgw3-ffa5c300-231.dhcp.inet.fi.domain > wylie.me.uk.5060: F 35:35(0) ack 36 win 5840
17:05:15.493685 IP wylie.me.uk.5060 > dsl-tkubrasgw3-ffa5c300-231.dhcp.inet.fi.domain: . ack 36 win 14520
------8<------8<------8<------8<------8<------8<------8<------8<
--
Alan J. Wylie http://www.wylie.me.uk/
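Alan's triage above can be turned into a repeatable check for anyone who gets the same abuse report. The following is an added example written for this thread, not code from either poster or from BIND: it parses netfilter LOG lines and BIND's `named.log` "error sending response" warnings, classifies outbound UDP/5060 packets (a packet with PROTO=UDP SPT=53 DPT=5060 is a DNS response to a client that picked 5060 as its query source port, not a SIP scan), and corroborates each one against a named.log warning for the same client and port. The sample log lines are constructed from the line shapes shown in the thread (one iptables line and three named.log lines are copied from it, the rest are made up with documentation addresses), and the PTR table is copied from Alan's `dig -x` output; the "looks like a resolver" test is his hostname heuristic, which is only a hint until you confirm, as he did, what is actually listening on the address.

```python
"""Triage outbound UDP/5060 alerts against BIND's named.log (added example)."""
import re
from collections import Counter

# Constructed sample input. Line 1 is copied from the thread; the others are
# made up with documentation addresses to exercise each verdict.
IPTABLES_LINES = [
    "Oct 29 14:53:13 NIX kernel: IN= OUT=eth0 SRC=MY_SERVER_IP DST=62.80.128.29 "
    "LEN=114 TOS=0x00 PREC=0x00 TTL=64 ID=31795 PROTO=UDP SPT=53 DPT=5060 LEN=94",
    "Oct 29 14:57:30 NIX kernel: IN= OUT=eth0 SRC=MY_SERVER_IP DST=203.0.113.5 "
    "LEN=100 TOS=0x00 PREC=0x00 TTL=64 ID=7 PROTO=UDP SPT=53 DPT=5060 LEN=80",
    "Oct 29 14:58:01 NIX kernel: IN= OUT=eth0 SRC=MY_SERVER_IP DST=198.51.100.7 "
    "LEN=300 TOS=0x00 PREC=0x00 TTL=64 ID=8 PROTO=UDP SPT=5060 DPT=5060 LEN=280",
    "Oct 29 14:59:12 NIX kernel: IN= OUT=eth0 SRC=MY_SERVER_IP DST=198.51.100.8 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9 PROTO=TCP SPT=45000 DPT=5060 WINDOW=14600",
]
# Three lines copied from the thread plus one constructed line on another port.
NAMED_LINES = [
    "25-Oct-2011 15:23:51.384 client: warning: client 195.222.32.20#5060: error sending response: host unreachable",
    "29-Oct-2011 14:53:13.208 client: warning: client 62.80.128.29#5060: error sending response: host unreachable",
    "17-Oct-2011 01:48:49.617 client: warning: client 84.22.23.4#5060: error sending response: host unreachable",
    "29-Oct-2011 15:01:02.000 client: warning: client 198.51.100.9#40001: error sending response: host unreachable",
]
# PTR names as reported by Alan's dig loop in the thread.
PTR_FROM_THREAD = {
    "193.210.19.19": "ns6.inet.fi.", "195.222.32.20": "ns2.bih.net.ba.",
    "202.43.160.50": "ns1.dtp.net.id.", "202.44.204.36": "nscache1.nectec.or.th.",
    "208.69.35.15": "m5.ams.opendns.com.", "212.59.18.8": "ns.ektra.lt.",
    "62.80.128.29": "ns2.multi.fi.", "81.25.53.2": "localns.ultra.net.ru.",
    "84.88.226.10": "dns1.blanquerna.url.edu.",
}

KV_RE = re.compile(r"(\w+)=(\S*)")
NAMED_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client: warning: "
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): error sending response: (?P<why>.*)$"
)


def parse_iptables(line):
    """KEY=VALUE fields of a netfilter LOG line as a dict. Empty values (IN=) are kept;
    LEN appears twice (IP header, then UDP header) and the last one wins."""
    return dict(KV_RE.findall(line))


def parse_named(line):
    """Fields of a BIND 'error sending response' warning, or None if the line is something else."""
    m = NAMED_RE.match(line)
    return m.groupdict() if m else None


def classify(fields):
    """Verdict for one outbound packet record."""
    if fields.get("PROTO") != "UDP" or fields.get("DPT") != "5060":
        return "other"
    if fields.get("SPT") == "53":
        return "dns-response"  # our nameserver answering a query that came from port 5060
    if fields.get("SPT") == "5060":
        return "sip-like"      # 5060 -> 5060 is what real SIP traffic looks like; inspect it
    return "udp-to-5060"


def triage(iptables_lines, named_lines):
    """Classify each firewall record and mark DNS responses that match a named.log warning
    for the same client address and port (the client chose 5060 as its source port)."""
    warned = {(w["ip"], w["port"]) for w in map(parse_named, named_lines) if w}
    out = []
    for line in iptables_lines:
        f = parse_iptables(line)
        verdict = classify(f)
        corroborated = verdict == "dns-response" and (f.get("DST"), f.get("DPT")) in warned
        out.append({"dst": f.get("DST"), "verdict": verdict, "corroborated": corroborated})
    return out


def client_port_histogram(named_lines):
    """How often each client source port shows up in the warnings; a spike on one port
    is worth checking before assuming the traffic is a scan."""
    return Counter(w["port"] for w in map(parse_named, named_lines) if w)


def looks_like_resolver(ptr_name):
    """Alan's heuristic: the reverse name mentions ns/dns/resolver/cache somewhere."""
    name = ptr_name.rstrip(".").lower()
    return any(tok in name for tok in ("ns", "dns", "resolver", "cache"))


if __name__ == "__main__":
    for r in triage(IPTABLES_LINES, NAMED_LINES):
        print(f"{r['dst']:<16} {r['verdict']:<13} corroborated={r['corroborated']}")
    print("client ports in named.log:", dict(client_port_histogram(NAMED_LINES)))
    for ip, ptr in PTR_FROM_THREAD.items():
        print(f"{ip:<16} {ptr:<28} resolver-like={looks_like_resolver(ptr)}")
```

Run it against your own `/var/log/messages` and `named.log` extracts; a record that comes out as `dns-response` and `corroborated=True` is your server replying to a query, and the abuse report is about the remote resolver's source port choice, not about you. A `sip-like` or uncorroborated record is the one to spend time on.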
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/