Tuesday, February 10, 2004

Using Session Data to Look for Worm Activity

Currently a slew of worms are scanning port 3127 TCP, looking for systems infected by MyDoom.A. They include MyDoom.B, Doomjuice, and Vesser.

I collect session data using a variety of means, including Argus. I have the Argus daemon write what it sees into a directory. The elaborate date in the file name is a result of calling the date command like so:

DATE=`/bin/date "+%Y%m%d-%H%M%S"`

When the process is running, it looks like this:

/usr/local/src/argus-2.0.6/bin/argus_bpf -c -d -i ngeth0 -w
/nsm/argus/20040206-085201.bourque.taosecurity.com.ngeth0.arg - ip

This process stores Argus data in the /nsm/argus directory. To quickly search the directory, I use the following at the command line:

-bash-2.05b$ for i in `ls`; do ra -n -r $i - dst port 3127 |
grep -v stream >> /tmp/3127.ra; done

This yields results like the following:

28 Jan 04 16:47:32 tcp 80.181.182.157.2391 -> myIP.3127 RST
28 Jan 04 16:47:33 tcp 80.181.182.157.2391 -> myIP.3127 RST
28 Jan 04 16:47:34 tcp 80.181.182.157.2391 -> myIP.3127 RST
03 Feb 04 00:31:04 tcp 63.208.193.241.3127 -> myIP.3127 RST
03 Feb 04 17:32:55 tcp 24.168.219.7.3127 -> myIP.3127 RST
03 Feb 04 21:42:12 tcp 212.58.12.98.3723 -> myIP.3127 RST
03 Feb 04 21:42:13 tcp 212.58.12.98.3723 -> myIP.3127 RST
03 Feb 04 21:42:14 tcp 212.58.12.98.3723 -> myIP.3127 RST
04 Feb 04 03:55:59 tcp 129.1.61.23.3228 -> myIP.3127 RST
04 Feb 04 03:55:59 tcp 129.1.61.23.3228 -> myIP.3127 RST
...continues until today...

The RST state means the connection attempt ended with a TCP reset rather than a completed handshake. From my small vantage point on the Internet, scanning for port 3127 TCP appeared 28 Jan 04, and my system did not respond.
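As an added example (not part of the original post or of Argus itself), the following Python script parses lines in the ra output format shown above, counts probes per source address, reports when scanning was first seen, and flags any record to port 3127 whose state is not RST, since a session that actually completed is what would warrant a closer look at the target. The sample lines, the 192.0.2.x addresses and the FIN record are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the ra output shown in the post:
# day month year time proto src.port -> dst.port state
SAMPLE_RA_OUTPUT = """\
28 Jan 04 16:47:32 tcp 192.0.2.10.2391 -> myIP.3127 RST
28 Jan 04 16:47:33 tcp 192.0.2.10.2391 -> myIP.3127 RST
28 Jan 04 16:47:34 tcp 192.0.2.10.2391 -> myIP.3127 RST
03 Feb 04 00:31:04 tcp 192.0.2.20.3127 -> myIP.3127 RST
03 Feb 04 21:42:12 tcp 192.0.2.30.3723 -> myIP.3127 FIN
03 Feb 04 21:42:13 tcp 192.0.2.30.3723 -> myIP.3127 RST
"""

RA_LINE = re.compile(
    r"^(?P<date>\d{2} \w{3} \d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<proto>\w+) (?P<src>\S+) -> (?P<dst>\S+) (?P<state>\S+)$"
)

def split_addr(field):
    """Split an Argus 'addr.port' field on its last dot (works for 'myIP.3127' too)."""
    addr, port = field.rsplit(".", 1)
    return addr, int(port)

def parse_ra(text):
    """Parse ra output lines into dicts, skipping lines that do not match the format."""
    records = []
    for line in text.splitlines():
        m = RA_LINE.match(line.strip())
        if not m:
            continue
        src, sport = split_addr(m["src"])
        dst, dport = split_addr(m["dst"])
        records.append({"when": f"{m['date']} {m['time']}", "proto": m["proto"],
                        "src": src, "sport": sport, "dst": dst, "dport": dport,
                        "state": m["state"]})
    return records

def first_seen(records, port=3127):
    """Timestamp of the earliest record to `port` (ra output is chronological), or None."""
    hits = [r["when"] for r in records if r["dport"] == port]
    return hits[0] if hits else None

def summarize(records, port=3127):
    """Count probes per source to `port` and collect records whose state is not RST.
    RST means the target refused the connection; any other state (FIN, EST, ...) means
    a session completed and the destination host deserves a closer look."""
    probes, suspicious = Counter(), []
    for r in records:
        if r["dport"] != port:
            continue
        probes[r["src"]] += 1
        if r["state"] != "RST":
            suspicious.append(r)
    return probes, suspicious
```

Run it against `/tmp/3127.ra` by reading that file into `parse_ra` instead of the constructed sample; an empty `suspicious` list is the result you want to see.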

This sort of analysis is part of Network Security Monitoring. This is how you verify, with a minimum of effort, that your machine is not compromised.