11 March 2010, 22:46
I was not even really monitoring the LAN when I noticed strange requests...
Why strange? Because of the following:
- NetBIOS over TCP, whereas the proxy should handle that kind of name resolution (as part of web requests)
- a broadcast name query spreading on the LAN and waiting for a WINS reply, which is not how it should work
- an unknown domain name for the LAN and AD... not even a workgroup.
But what drew my attention is that neither DNS nor WINS were able to resolve it.
What is this domain name? teamscrew.com. Never heard about it.
First, let's say that the IronPort URL filtering engine categorizes it as pornography. Okay...
Then I decide to try other DNS servers. Well, it's getting stranger and stranger:
- according to the SFR (French ISP) DNS:
C:\>nslookup
Default Server : box
Address: 192.168.1.1
> teamscrew.com
Server : box
Address: 192.168.1.1
*** neufbox ne parvient pas à trouver teamscrew.com : Server failed
- according to OpenDNS:
> server 208.67.222.222
Serveur par defaut : resolver1.opendns.com
Address: 208.67.222.222
> teamscrew.com
Serveur : resolver1.opendns.com
Address: 208.67.222.222
Réponse ne faisant pas autorité :
Nom : teamscrew.com
Address: 67.215.66.132
Well, that's a difference! Guess why I prefer to use (and strongly recommend) the DNS provided by the OpenDNS project!
Anyway... impossible to access the website.
So now, I'm gonna try other DNS and domain information gathering services. One of my favorites is domaincrawler.com.
Here is the result of my request:
http://www.domaincrawler.com/domains/view/teamscrew.com
So now teamscrew.com is supposed to resolve to 208.97.178.13.
There must be a tricky part somewhere. Let's check using the authoritative NS that DomainCrawler found:
> server ns1.dreamhost.com
Serveur par defaut : ns1.dreamhost.com
Address: 66.33.206.206
> teamscrew.com
Serveur : ns1.dreamhost.com
Address: 66.33.206.206
teamscrew.com MX preference = 0, mail exchanger = mx1.balanced.postal.mail.dreamhost.com
teamscrew.com nameserver = ns3.dreamhost.com
teamscrew.com nameserver = ns2.dreamhost.com
teamscrew.com internet address = 66.33.212.15
teamscrew.com nameserver = ns1.dreamhost.com
teamscrew.com MX preference = 0, mail exchanger = mx2.balanced.postal.mail.dreamhost.com
teamscrew.com MX preference = 0, mail exchanger = mx2.balanced.postal.mail.dreamhost.com
teamscrew.com
primary name server = ns1.dreamhost.com
responsible mail addr = hostmaster.dreamhost.com
serial = 2009110801
refresh = 16033 (4 hours 27 mins 13 secs)
retry = 1800 (30 mins)
expire = 1814400 (21 days)
default TTL = 14400 (4 hours)
mx1.balanced.postal.mail.dreamhost.com internet address = 208.97.132.51
ns3.dreamhost.com internet address = 66.33.216.216
ns1.dreamhost.com internet address = 66.33.206.206
mx2.balanced.postal.mail.dreamhost.com internet address = 208.97.132.52
ns2.dreamhost.com internet address = 208.96.10.221
Okay, looks more or less consistent.
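To make the resolver comparison above repeatable, here is an added example (my code, not the author's) that parses nslookup sessions like the ones shown and rates each resolver's answer against the authoritative server's. The sample outputs are constructed from the values quoted in the post, and the French error strings are assumed to match what the author's Windows box printed.

```python
import re

# Constructed samples: three nslookup sessions of the kind shown in the post,
# each captured as one string (resolver banner, then the answer or an error).
SFR_OUTPUT = """Server : box
Address: 192.168.1.1
*** neufbox ne parvient pas à trouver teamscrew.com : Server failed
"""
OPENDNS_OUTPUT = """Serveur : resolver1.opendns.com
Address: 208.67.222.222
Réponse ne faisant pas autorité :
Nom : teamscrew.com
Address: 67.215.66.132
"""
AUTHORITATIVE_OUTPUT = """Serveur : ns1.dreamhost.com
Address: 66.33.206.206
Nom : teamscrew.com
Address: 66.33.212.15
"""

# nslookup prints the resolver's own address first, then the answer's.
ADDR_RE = re.compile(r"^Address(?:es)?\s*:\s*(\S+)", re.MULTILINE)
# English and (assumed) French failure markers.
FAIL_RE = re.compile(r"Server failed|Non-existent domain|can't find|ne parvient pas",
                     re.IGNORECASE)

def parse_nslookup(output):
    """Return (resolver_ip, answer_ip_or_None) for one nslookup session."""
    addrs = ADDR_RE.findall(output)
    resolver = addrs[0] if addrs else None
    if FAIL_RE.search(output) or len(addrs) < 2:
        return resolver, None
    return resolver, addrs[1]

def compare_resolvers(outputs, authoritative_output):
    """outputs: {label: nslookup text}. Returns {label: verdict}, where verdict is
    'consistent', 'servfail' or 'differs:<ip>' relative to the authoritative answer."""
    _, truth = parse_nslookup(authoritative_output)
    verdicts = {}
    for label, text in outputs.items():
        _, answer = parse_nslookup(text)
        if answer is None:
            verdicts[label] = "servfail"
        elif answer == truth:
            verdicts[label] = "consistent"
        else:
            # A filtering resolver may substitute its own landing-page address here;
            # either way, an answer that disagrees with the zone's NS deserves a look.
            verdicts[label] = "differs:" + answer
    return verdicts
```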
After that, let's try to find out what's running on this server... I'm thinking of an IRC service to control bots, or a download / update service for compromised hosts.
I first try using the IP address DomainCrawler gave me:
C:\>nmap -O --osscan-guess 208.97.178.13
Starting Nmap 5.00 ( http://nmap.org ) at 2010-03-11 23:16 Paris, Madrid
Interesting ports on apache2-noxim.fuze.dreamhost.com (208.97.178.13):
Not shown: 990 filtered ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
113/tcp open auth
548/tcp open afp
587/tcp open submission
5222/tcp open unknown
5269/tcp open unknown
5666/tcp open nrpe
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|WAP|router
Running (JUST GUESSING) : Linux 2.6.X|2.4.X (97%), D-Link embedded (87%), Linksys embedded (87%), Peplink embedded (87%)
Aggressive OS guesses: Linux 2.6.22 (97%), Linux 2.6.15 - 2.6.26 (94%), Linux 2.6.22 (Ubuntu, x86) (92%), Linux 2.6.27 (Ubuntu 8.10) (92%), Linux 2.6.23 (92%), Linux 2.6.13 - 2.6.27 (89%), Linux 2.4.20 (Red Hat 7.2) (88%), Linux 2.6.17 - 2.6.28 (88%), Linux 2.6.22 - 2.6.23 (88%), Linux 2.6.24 - 2.6.28 (88%)
No exact OS matches for host (test conditions non-ideal).
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.90 seconds
What? It looks like an ADSL box?
But this is not the last surprise. If I do the same using the other IP address I got from DNS resolution, here is the result:
C:\>nmap -O --osscan-guess 66.33.212.15
Starting Nmap 5.00 ( http://nmap.org ) at 2010-03-11 23:42 Paris, Madrid
Interesting ports on ps7371.dreamhost.com (66.33.212.15):
Not shown: 991 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
111/tcp open rpcbind
113/tcp open auth
587/tcp open submission
1030/tcp open iad1
5666/tcp open nrpe
Device type: WAP|router|general purpose|storage-misc
Running (JUST GUESSING) : Linksys Linux 2.4.X (97%), Linux 2.4.X|2.6.X (97%), MikroTik RouterOS 3.X (94%), Belkin embedded (93%), ZyXEL embedded (91%), D-Link embedded (90%), Enterasys embedded (90%)
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (97%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34) (97%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (97%), MikroTik RouterOS 3.0beta5 (94%), Linux 2.6.21 (94%), Linux 2.6.18 - 2.6.27 (93%), Linux 2.4.21 - 2.4.31 (likely embedded) (93%), Linux 2.6.15 - 2.6.23 (embedded) (93%), Linux 2.6.15 - 2.6.24 (93%), Linux 2.6.15 - 2.6.26 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 16 hops
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 45.91 seconds
Surprisingly, the scan results look similar!
Until I have proof of the contrary, I therefore believe this is a malicious architecture, where boxes have been compromised and used to handle requests sent from compromised computers...
There is also a quite obvious DNS synchronization issue in here. Still, OpenDNS remains the safest service to query.
If anybody has got further details about that domain and IP addresses, feel free to post a comment or send me an email.