We got an email from one of our readers, including an interesting port 53 packet. While Wireshark and TCPDump try to decode it as DNS, it is almost certainly not DNS. The payload of the packet is (I obfuscated the country the user is located in):

oracle:1c6F65E41DFC:www.kmplayer.com:192.168.1.2:[country of system]:SYSTEM:Windows XP:V139

The user does not have KMPlayer or Oracle installed in his network. This looks very much like some form of command and control traffic. At this point, we do not have any malware associated with it. Here is how tcpdump decoded the packets (again, anonymized):
The source was an RFC 1918 address in this case, and the target was close to the user's IP address, which is why both are anonymized here. I also removed the non-printable part of the payload to make it fit the screen. I installed KMPlayer on a virtual system and didn't see any traffic like this.
Johannes, 4068 Posts, ISC Handler, Apr 30th 2014
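The question this diary raises is whether a UDP payload seen on port 53 is really DNS at all. The following check is an added example (my code, not part of the diary): it walks the header and the question section with the sanity limits a real resolver would apply and rejects anything that does not fit. The two bad samples are reconstructions of the payload quoted above (with "[country]" standing in for the redacted field) and of the HTTP request a reader posted later in this thread; the good sample is a query the code builds itself.

```python
import struct

# Constructed samples: the diary's payload (country field redacted), the HTTP
# request quoted later in this thread, and a genuine query built by build_query().
C2_LIKE_PAYLOAD = b"oracle:1c6F65E41DFC:www.kmplayer.com:192.168.1.2:[country]:SYSTEM:Windows XP:V139"
HTTP_ON_53_PAYLOAD = b"GET / HTTP/1.1\r\nHost: www\r\n\r\n"

VALID_OPCODES = {0, 1, 2, 4, 5}        # QUERY, IQUERY, STATUS, NOTIFY, UPDATE
VALID_QCLASSES = {1, 3, 4, 254, 255}   # IN, CH, HS, NONE, ANY


def parse_header(payload):
    """Return the six 16-bit DNS header fields, or None if the payload is too short."""
    if len(payload) < 12:
        return None
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    return {"id": ident, "flags": flags, "qr": flags >> 15,
            "opcode": (flags >> 11) & 0xF, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def parse_name(payload, offset):
    """Walk one wire-format name; return (dotted name, offset after it) or None if malformed."""
    labels, consumed = [], 0
    while True:
        if offset >= len(payload):
            return None
        n = payload[offset]
        if n == 0:                                    # root label terminates the name
            return ".".join(labels), offset + 1
        if n & 0xC0:                                  # compression pointer or reserved bits;
            return None                               # nothing precedes a question to point at
        if n > 63 or offset + 1 + n > len(payload):   # label too long or runs off the end
            return None
        label = payload[offset + 1:offset + 1 + n]
        if not all(0x21 <= b <= 0x7E for b in label):  # heuristic: names are printable ASCII
            return None
        consumed += n + 1
        if consumed > 255:                            # RFC 1035 limit on a whole name
            return None
        labels.append(label.decode("ascii"))
        offset += 1 + n


def parse_questions(payload):
    """Return the question section as [(name, qtype, qclass)], or None if it does not parse."""
    h = parse_header(payload)
    if h is None:
        return None
    offset, questions = 12, []
    for _ in range(h["qdcount"]):
        parsed = parse_name(payload, offset)
        if parsed is None or parsed[1] + 4 > len(payload):
            return None
        name, offset = parsed
        qtype, qclass = struct.unpack("!HH", payload[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    return questions


def looks_like_dns(payload):
    """Heuristic (not a full validator): could a real DNS implementation have produced this?"""
    h = parse_header(payload)
    if h is None or h["opcode"] not in VALID_OPCODES:
        return False
    if h["flags"] & 0x0040:                      # the Z bit must be zero
        return False
    if h["qr"] == 0 and h["rcode"] != 0:         # requests carry no response code
        return False
    if not 1 <= h["qdcount"] <= 4:               # real messages carry one question, rarely more
        return False
    if h["opcode"] == 0 and h["qr"] == 0 and (h["ancount"] or h["nscount"] or h["arcount"] > 1):
        return False                             # a plain query has no answers; at most an OPT RR
    questions = parse_questions(payload)
    if not questions:
        return False
    return all(qclass in VALID_QCLASSES for _, _, qclass in questions)


def build_query(name, qtype=1, ident=0x1234):
    """Build a standard recursive query; used only to produce a known-good sample."""
    header = struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0)   # RD set, one question
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + wire + b"\x00" + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    for sample in (C2_LIKE_PAYLOAD, HTTP_ON_53_PAYLOAD, build_query("www.example.com")):
        print("dns" if looks_like_dns(sample) else "non-DNS on 53", sample[:24])
```

Both reconstructed payloads fail at the opcode check alone (the letters that land in the flags word decode to opcodes 12 and 10, which no resolver emits), and the question-section walk catches the subtler case of a header that happens to look sane while the rest of the datagram is text.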
We are having odd DNS issues - cannot reach some web sites: salesforce.com and travelocity.com are failing to resolve, and we are getting paged about some of our own domain's external DNS not resolving. Both we and Salesforce are hosted at UltraDNS.
Other users seeing similar issues: http://www.isitdownrightnow.com/salesforce.com.html#commentstop
Anonymous, Apr 30th 2014
After capturing just a couple of minutes, there are several packets to a number of IPs with content similar to those in the original post:
a.b.c.d.51892 > x.y.z.nnn.53: 18245 updateD [b2&3=0x5420] [18516a] [12064q] [21584n] [12081au][|domain]
E..9.1....R..MO".p.....5.%..GET / HTTP/1.1 Host: www
---- JS
JanS, 10 Posts, May 3rd 2014
That's interesting JS. It looks different from what Dr J had posted. HTTP on port 53 fits into the "suspicious" category. Would you be willing to send in a pcap to us via the contact form?
-KL
Kevin Liston, 292 Posts, ISC Handler, May 4th 2014
Has more of this traffic been seen?
I am seeing traffic similar to JS Example:
a.b.c.d.39592 > x.y.z.nnn.domain: [no cksum] 18245 updateD [b2&3=0x5420] [18516a] [12064q] [21584n] [12081au][|domain] (ttl 243, id 54321, len 57)
0000: 4500 0039 d431 0000 f311 0350 daf1 62c6  E..9.1.....P..b.
0010: 3f87 72f3 9aa8 0035 0025 0000 4745 5420  ?.r....5.%..GET
0020: 2f20 4854 5450 2f31 2e31 0d0a 486f 7374  / HTTP/1.1..Host
0030: 3a20 7777 770d 0a0d 0a                   : www....
---- MB
MB, 2 Posts, Jun 18th 2014
Do you have more than one packet of this traffic? I can think of two explanations: Tunneling HTTP over DNS, in which case we should see the full request in subsequent packets, or it is a broken tool that does a DNS lookup on the header vs. just the host name.
Johannes, 4068 Posts, ISC Handler, Jun 18th 2014
I have multiple packets but never more than that one to a single host.
Multiple hosts are receiving this traffic. -- MB
MB, 2 Posts, Jun 18th 2014
This traffic is almost certainly from someone using a tool built on Python's scapy module.
Note the updateM+ string in the destination

source
--------------------
from scapy.all import *
a = IP(src="1.1.1.1",dst="2.2.2.2")
u = UDP(dport=514)   # scapy's UDP source port defaults to 53, so the receiver's tcpdump decodes the datagram as DNS
pay = "anything goes here is gets mangled"   # arbitrary text becomes the "DNS header"
packet = a/u/pay
packet.display()
send(packet)

destination
--------------------
[user@2.2.2.2 ~]$ sudo /usr/sbin/tcpdump port 514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:27:25.437689 IP 1.1.1.1.domain > 2.2.2.2.syslog: 16757 updateM+ [b2&3=0x6720] [12592a] [12576q] [14896n] [12346au][|domain]
MB, 1 Posts, Sep 24th 2015
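The "updateD"/"updateM+" strings, the "[b2&3=...]" word and the huge section counts are what tcpdump prints when it lays the DNS header over the first twelve bytes of arbitrary text. The following is an added example (my code, not MB's or the diary's) that reproduces that decode offline: it maps each pair of payload bytes onto its header field and renders the request-side summary line the way tcpdump of that era did, using the opcode names from its ns_ops table. Inputs are the HTTP request from the hex dump earlier in the thread and the diary's payload with "[country]" in place of the redacted field.

```python
import struct

# Opcode names from the ns_ops table in tcpdump's print-domain.c of that era; these are
# what turn opcode 10 into "updateD" and opcode 12 into "updateM" in the captures above.
TCPDUMP_OPCODE_NAMES = {0: "", 1: " inv", 2: " stat", 3: " op3", 4: " notify", 5: " update",
                        6: " op6", 7: " op7", 8: " op8", 9: " updateA", 10: " updateD",
                        11: " updateDA", 12: " updateM", 13: " updateMA", 14: " zoneInit",
                        15: " zoneRef"}

# Constructed inputs: the HTTP request from the hex dump in this thread, and the
# diary's payload with a placeholder for the redacted country field.
HTTP_ON_53 = b"GET / HTTP/1.1\r\nHost: www\r\n\r\n"
DIARY_PAYLOAD = b"oracle:1c6F65E41DFC:www.kmplayer.com:192.168.1.2:[country]:SYSTEM:Windows XP:V139"

HEADER_FIELDS = ("id", "flags", "qdcount", "ancount", "nscount", "arcount")


def header_mapping(payload):
    """List (field, the two payload bytes that landed in it, resulting value) for the header."""
    if len(payload) < 12:
        return None
    values = struct.unpack("!6H", payload[:12])
    return [(name, payload[2 * i:2 * i + 2], value)
            for i, (name, value) in enumerate(zip(HEADER_FIELDS, values))]


def tcpdump_request_summary(payload):
    """Render the request-side (QR=0) summary tcpdump prints for a port-53 datagram.

    tcpdump additionally appends "[|domain]" once it fails to decode the question
    section from what is left; that tail is described in prose rather than emulated.
    """
    fields = header_mapping(payload)
    if fields is None:
        return "[|domain]"
    ident, flags, qd, an, ns, ar = (value for _, _, value in fields)
    if flags >> 15:
        return "%d (response; not rendered here)" % ident
    opcode = (flags >> 11) & 0xF
    out = "%d%s%s" % (ident, TCPDUMP_OPCODE_NAMES[opcode], "+" if flags & 0x0100 else "")
    if flags & 0x6CF:            # AA, TC, RA, AD or an rcode set in a request: "any weirdness?"
        out += " [b2&3=0x%x]" % flags
    if an:
        out += " [%da]" % an
    if qd != 1:
        out += " [%dq]" % qd
    if ns:
        out += " [%dn]" % ns
    if ar:
        out += " [%dau]" % ar
    return out


if __name__ == "__main__":
    for sample in (HTTP_ON_53, DIARY_PAYLOAD):
        for field, raw, value in header_mapping(sample):
            print("%-8s %-4r -> %d (0x%04x)" % (field, raw, value, value))
        print(tcpdump_request_summary(sample))
        # HTTP_ON_53 -> "18245 updateD [b2&3=0x5420] [18516a] [12064q] [21584n] [12081au]"
```

For the HTTP request, "GE" becomes the ID 18245, "T " becomes the flags word 0x5420 (opcode 10, hence "updateD"), and "/ ", "HT", "TP", "/1" become the four section counts 12064, 18516, 21584 and 12081, exactly the numbers in the two captures posted above. The diary's payload decodes the same way: "or" is the ID, "ac" gives flags 0x6163 with opcode 12 and the RD bit set, which is the "updateM+" pattern MB reproduced with scapy. None of this is DNS; it is the decoder faithfully reporting text.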