[PLUG] A little worm sniffing

Elliott Mitchell ehem at m5p.com
Sat Jun 21 23:37:02 UTC 2003


> From: srau at rauhaus.org (Stafford A. Rau)
> Apologies in advance for the upcoming profanity, but it is all said in
> context.

Please note this affects this message too.











Okay on with it...

> I ran AntiVir, which is a free anti-virus program (and if you folks have
> suggestions for any other free ones, I'd be grateful), and found
> nothing. However, while I was running it, I ran tcpdump on the firewall
> to listen to any traffic from that peecee just in case.
> 
> I quickly saw that it was regularly trying to do dns queries for
> "fucktard.no-ip.org".
> 
> The domain no-ip.org is registered to Vitalwerks LLC, which looks to be
> your basic web services consulting place. DNS queries for the A record
> fucktard.no-ip.org return 255.255.255.255.


> So obviously some bit of malware on the Win98 machine at 172.16.1.2 is
> looking for an IRC server with whom to talk. The next thing I'll try is
> setting up an IRC server on 172.16.1.1 and see what we have.
> 
> I didn't find anything Googling for fucktard.no-ip.org, both at www and
> groups.google.com, so it will be interesting to see how this plays out.
> 
> Ok, now that I take a little closer look, no-ip.org is a free DNS
> redirection service. I'll have to let them know they're hosting a
> baddie.

I'd say you're correct: some form of malware that is trying to use IRC to
that system as the control method.

I'd say there is no need to notify no-ip.org though. Notice the IP
address they're returning? 255.255.255.255 is the global broadcast IP
address. Since, if honored, such packets would spam the entire Internet
with copies of the packet, most routers will drop packets to that address
and many will log such packets. They're probably returning
255.255.255.255 because such packets tend to get noticed and serve as a
distress beacon. Definitely time to clean up that system; I'd worry about
all your other systems possibly being breached too.

Google might have been useless because they do some filtering for bad
words. You need to have cookies enabled, go to their main page and select
"preferences". Disable "safesearch" and then try the search again.


-- 
(\___(\___(\______          --=> 8-) EHM <=--          ______/)___/)___/)
 \   (    |         EHeM at gremlin.m5p.com PGP 8881EF59         |    )   /
  \_  \   |  _____  -O #include <stddisclaimer.h> O-   _____  |   /  _/
    \___\_|_/82 04 A1 3C C7 B1 37 2A*E3 6E 84 DA 97 4C 40 E6\_|_/___/
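As an added illustration of the detection described in this thread (example code, not from either poster), the Python below walks tcpdump-style DNS lines from the firewall and flags a host that repeatedly looks up a dynamic-DNS name or receives an A record of 255.255.255.255, the broadcast address no real IRC server can live at. The sample lines are constructed to mimic `tcpdump -n port 53` output and are not a real capture; the watch-list of dynamic-DNS suffixes is an assumption and only contains the domain from the thread.

```python
"""Flag hosts whose DNS traffic looks like a malware rendezvous attempt.

Two indicators from the thread: repeated lookups of a dynamic-DNS name,
and answers that resolve to a non-routable address such as the broadcast
address 255.255.255.255 (a sinkhole, not a reachable IRC server).
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample in the style of `tcpdump -n port 53`; NOT a real capture.
SAMPLE_LINES = """\
23:31:02.118 IP 172.16.1.2.1033 > 172.16.1.1.53: 40101+ A? fucktard.no-ip.org. (36)
23:31:02.120 IP 172.16.1.1.53 > 172.16.1.2.1033: 40101 1/0/0 A 255.255.255.255 (52)
23:31:05.201 IP 172.16.1.7.2200 > 172.16.1.1.53: 7 A? www.example.com. (33)
23:31:05.230 IP 172.16.1.1.53 > 172.16.1.7.2200: 7 1/0/0 A 93.184.216.34 (49)
23:32:02.118 IP 172.16.1.2.1034 > 172.16.1.1.53: 40102+ A? fucktard.no-ip.org. (36)
23:32:02.120 IP 172.16.1.1.53 > 172.16.1.2.1034: 40102 1/0/0 A 255.255.255.255 (52)
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# client.port > server.53: txid[+] A? name. (len)
QUERY_RE = re.compile(IPV4 + r"\.\d+ > " + IPV4 + r"\.53: (\d+)\+? A\? (\S+?)\.? \(\d+\)")
# server.53 > client.port: txid ans/auth/add A addr (len)
ANSWER_RE = re.compile(IPV4 + r"\.53 > " + IPV4 + r"\.\d+: (\d+) \d+/\d+/\d+ A " + IPV4 + r" \(\d+\)")

# Assumed watch-list of free dynamic-DNS suffixes; extend for your environment.
DYNDNS_SUFFIXES = ("no-ip.org",)


def is_dyndns_name(name):
    """True when the queried name is, or sits under, a watched dynamic-DNS zone."""
    return any(name == s or name.endswith("." + s) for s in DYNDNS_SUFFIXES)


def is_sinkhole_address(text):
    """Addresses that can never be a reachable control server."""
    ip = ipaddress.IPv4Address(text)
    return ip == ipaddress.IPv4Address("255.255.255.255") or ip.is_unspecified or ip.is_loopback


def analyze(lines):
    """Return {client_ip: [finding, ...]} for clients showing any indicator."""
    pending = {}            # (client, txid) -> queried name, to pair answers with queries
    lookups = Counter()     # (client, name) -> how often the name was asked for
    findings = defaultdict(set)
    for line in lines.splitlines():
        m = QUERY_RE.search(line)
        if m:
            client, _server, txid, name = m.groups()
            name = name.lower()
            pending[(client, txid)] = name
            lookups[(client, name)] += 1
            if is_dyndns_name(name):
                findings[client].add(f"dynamic-DNS lookup: {name}")
            continue
        m = ANSWER_RE.search(line)
        if m:
            _server, client, txid, addr = m.groups()
            name = pending.pop((client, txid), "?")
            if is_sinkhole_address(addr):
                findings[client].add(f"{name} -> {addr} (non-routable)")
    # The original poster saw the lookup repeat "regularly"; report repetition too.
    for (client, name), n in lookups.items():
        if n > 1:
            findings[client].add(f"{name} queried {n} times")
    return {client: sorted(f) for client, f in findings.items()}


if __name__ == "__main__":
    for client, notes in analyze(SAMPLE_LINES).items():
        print(client)
        for note in notes:
            print("  -", note)
```

Run against a live `tcpdump -n port 53` feed the same parser applies line by line; the pairing on (client, transaction id) is what lets the broadcast answer be tied back to the name that produced it rather than reported on its own.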