11 March 2010, 22:46
I was not even really monitoring the LAN when I noticed strange requests... 

Why strange? Because of the following:
- NetBIOS over TCP/IP, whereas the proxy should handle that kind of name resolution (as part of web requests)
- a broadcast name query spreading on the LAN and waiting for a WINS reply, which should not happen here
- an unknown domain name on the LAN and in AD...  not even a workgroup.
 
But what drew my attention is that neither DNS nor WINS were able to resolve it.
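Broadcast NetBIOS name queries for a name nobody on the LAN knows are exactly what a LAN sensor should flag. As an added example (not from the original post), the following Python decodes an NBNS name query as sent to UDP/137 (RFC 1002 first-level name encoding) and alerts on broadcast lookups for names outside the site's known domain/workgroup list; the sample traffic and the names CORP and WORKGROUP are constructed placeholders.

```python
import struct

# NetBIOS name suffixes (RFC 1001/1002 and Microsoft usage) worth showing in an alert.
SUFFIXES = {0x00: "workstation", 0x1B: "domain master browser",
            0x1C: "domain controllers", 0x1D: "master browser", 0x20: "file server"}

def encode_nbns_name(name, suffix=0x00):
    """RFC 1002 first-level encoding: 15 chars padded with spaces + suffix byte -> 32 bytes."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)

def decode_nbns_name(encoded):
    """Reverse the encoding; return (name without padding, suffix byte)."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii", "replace"), raw[15]

def build_nbns_query(name, tid=0xBEEF):
    """Constructed NBNS NAME QUERY REQUEST as a Windows client broadcasts it to UDP/137."""
    header = struct.pack(">HHHHHH", tid, 0x0110, 1, 0, 0, 0)  # flags: RD=1, B=1 (broadcast)
    return header + b"\x20" + encode_nbns_name(name) + b"\x00" + struct.pack(">HH", 0x20, 1)

def parse_nbns_query(pkt):
    """Parse the UDP payload of a name query; return the fields detection logic needs."""
    tid, flags, qdcount = struct.unpack(">HHH", pkt[:6])
    if qdcount != 1 or pkt[12] != 0x20:
        raise ValueError("not a single-question NBNS query")
    name, suffix = decode_nbns_name(pkt[13:45])
    qtype, qclass = struct.unpack(">HH", pkt[46:50])  # byte 45 is the name terminator
    return {"tid": tid, "broadcast": bool(flags & 0x0010), "name": name,
            "suffix": SUFFIXES.get(suffix, f"0x{suffix:02X}"), "qtype": qtype}

def suspicious_queries(payloads, known_names):
    """Alert on broadcast NB (0x20) queries whose name is not a known domain/workgroup/host."""
    known = {n.upper() for n in known_names}
    alerts = []
    for p in payloads:
        q = parse_nbns_query(p)
        if q["broadcast"] and q["qtype"] == 0x20 and q["name"] not in known:
            alerts.append(f"NBNS broadcast for unknown name {q['name']} ({q['suffix']})")
    return alerts

if __name__ == "__main__":
    # Constructed traffic: one query for the site's own domain, one for the name from the post.
    sample = [build_nbns_query("CORP"), build_nbns_query("teamscrew.com")]
    for line in suspicious_queries(sample, known_names={"CORP", "WORKGROUP"}):
        print(line)
```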

What is this domain name?  teamscrew.com. Never heard of it.

First, let's note that the IronPort URL filtering engine categorizes it as pornography. Okay...

Then I decide to try other DNS servers. Well, it's getting stranger and stranger:

- according to the SFR (French ISP) DNS:
C:\>nslookup
Default Server :   box
Address:  192.168.1.1

> teamscrew.com
Server :   box
Address:  192.168.1.1

*** neufbox ne parvient pas à trouver teamscrew.com : Server failed

- according to OpenDNS:
> server 208.67.222.222
Serveur par defaut :   resolver1.opendns.com
Address:  208.67.222.222

> teamscrew.com
Serveur :   resolver1.opendns.com
Address:  208.67.222.222

Réponse ne faisant pas autorité :
Nom :    teamscrew.com
Address:  67.215.66.132


Well, that's a difference! Guess why I prefer to use (and strongly recommend) the DNS servers provided by the OpenDNS project!

Anyway... impossible to access the website.

So now, I'm gonna try other DNS and domain information gathering services. One of my favorites is domaincrawler.com.
Here is the result of my request:
http://www.domaincrawler.com/domains/view/teamscrew.com

So now teamscrew.com is supposed to resolve to 208.97.178.13.


There must be a tricky part somewhere. Let's check using the authoritative NS that DomainCrawler found:

> server ns1.dreamhost.com
Serveur par defaut :   ns1.dreamhost.com
Address:  66.33.206.206

> teamscrew.com
Serveur :   ns1.dreamhost.com
Address:  66.33.206.206

teamscrew.com   MX preference = 0, mail exchanger = mx1.balanced.postal.mail.dreamhost.com
teamscrew.com   nameserver = ns3.dreamhost.com
teamscrew.com   nameserver = ns2.dreamhost.com
teamscrew.com   internet address = 66.33.212.15
teamscrew.com   nameserver = ns1.dreamhost.com
teamscrew.com   MX preference = 0, mail exchanger = mx2.balanced.postal.mail.dreamhost.com
teamscrew.com
        primary name server = ns1.dreamhost.com
        responsible mail addr = hostmaster.dreamhost.com
        serial  = 2009110801
        refresh = 16033 (4 hours 27 mins 13 secs)
        retry   = 1800 (30 mins)
        expire  = 1814400 (21 days)
        default TTL = 14400 (4 hours)
mx1.balanced.postal.mail.dreamhost.com  internet address = 208.97.132.51
ns3.dreamhost.com       internet address = 66.33.216.216
ns1.dreamhost.com       internet address = 66.33.206.206
mx2.balanced.postal.mail.dreamhost.com  internet address = 208.97.132.52
ns2.dreamhost.com       internet address = 208.96.10.221


Okay, looks more or less consistent.
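Three servers, three different answers (SERVFAIL from the ISP box, 67.215.66.132 from OpenDNS, 66.33.212.15 from the authoritative ns1.dreamhost.com) is the kind of divergence worth checking programmatically. As an added example (not from the original post), the following Python builds a raw A query, parses the reply including compressed names, and reports which servers disagree; only the server addresses and the domain come from the post, everything else is constructed.

```python
import socket
import struct

def build_query(name, qid=0x1234, rd=1):
    """Minimal RFC 1035 A/IN query; use rd=0 when asking an authoritative server directly."""
    header = struct.pack(">HHHHHH", qid, rd << 8, 1, 0, 0, 0)  # id, flags, QD=1, AN/NS/AR=0
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _read_name(msg, off):  # -> (name, offset just after it); follows compression pointers
    labels = []
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [_read_name(msg, ptr)[0]]), off + 2
        off += 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + ln].decode())
        off += ln

def parse_a_records(msg):
    """Return (rcode, set of A-record IPs) from a raw DNS response."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _read_name(msg, off)[1] + 4  # skip QTYPE and QCLASS
    ips = set()
    for _ in range(an):
        off = _read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])  # TYPE, CLASS, TTL, RDLENGTH
        if rtype == 1 and rdlen == 4:
            ips.add(socket.inet_ntoa(msg[off + 10:off + 14]))
        off += 10 + rdlen
    return flags & 0xF, ips

def ask(server, name, rd=1, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:  # UDP/53, needs network access
        s.settimeout(timeout)
        s.sendto(build_query(name, rd=rd), (server, 53))
        return parse_a_records(s.recv(512))

def divergences(answers):
    """answers: {server: (rcode, ips)} -> one line per distinct answer, [] when all agree."""
    groups = {}
    for server, (rcode, ips) in answers.items():
        groups.setdefault((rcode, frozenset(ips)), []).append(server)
    return [] if len(groups) < 2 else [
        f"{', '.join(sorted(s))}: rcode={rc} {sorted(ip)}" for (rc, ip), s in groups.items()]
```

To reproduce the check from the post, call `ask()` for "teamscrew.com" against 192.168.1.1, 208.67.222.222 and 66.33.206.206 (the last with `rd=0`, since it is authoritative) and pass the three results to `divergences()`; rcode 2 is SERVFAIL, 0 is NOERROR.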

After that, let's try to find out what's running on this server...  I'm thinking of an IRC service to control bots, or a download/update service for compromised hosts.

I first try using the IP address DomainCrawler gave me: 

C:\>nmap -O --osscan-guess 208.97.178.13

Starting Nmap 5.00 ( http://nmap.org ) at 2010-03-11 23:16 Paris, Madrid
Interesting ports on apache2-noxim.fuze.dreamhost.com (208.97.178.13):
Not shown: 990 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
113/tcp  open  auth
548/tcp  open  afp
587/tcp  open  submission
5222/tcp open  unknown
5269/tcp open  unknown
5666/tcp open  nrpe
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|WAP|router
Running (JUST GUESSING) : Linux 2.6.X|2.4.X (97%), D-Link embedded (87%), Linksys embedded (87%), Peplink embedded (87%)
Aggressive OS guesses: Linux 2.6.22 (97%), Linux 2.6.15 - 2.6.26 (94%), Linux 2.6.22 (Ubuntu, x86) (92%), Linux 2.6.27 (Ubuntu 8.10) (92%), Linux 2.6.23 (92%), Linux 2.6.13 - 2.6.27 (89%), Linux 2.4.20 (Red Hat 7.2) (88%), Linux 2.6.17 - 2.6.28 (88%), Linux 2.6.22 - 2.6.23 (88%), Linux 2.6.24 - 2.6.28 (88%)
No exact OS matches for host (test conditions non-ideal).

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.90 seconds


What? Looks like an ADSL box?

But this is not the last surprise. If I do the same with the other IP address I got from DNS resolution, here is the result:
 
C:\>nmap -O --osscan-guess 66.33.212.15

Starting Nmap 5.00 ( http://nmap.org ) at 2010-03-11 23:42 Paris, Madrid
Interesting ports on ps7371.dreamhost.com (66.33.212.15):
Not shown: 991 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
111/tcp  open  rpcbind
113/tcp  open  auth
587/tcp  open  submission
1030/tcp open  iad1
5666/tcp open  nrpe
Device type: WAP|router|general purpose|storage-misc
Running (JUST GUESSING) : Linksys Linux 2.4.X (97%), Linux 2.4.X|2.6.X (97%), MikroTik RouterOS 3.X (94%), Belkin embedded (93%), ZyXEL embedded (91%), D-Link embedded (90%), Enterasys embedded (90%)
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (97%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34) (97%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (97%), MikroTik RouterOS 3.0beta5 (94%), Linux 2.6.21 (94%), Linux 2.6.18 - 2.6.27 (93%), Linux 2.4.21 - 2.4.31 (likely embedded) (93%), Linux 2.6.15 - 2.6.23 (embedded) (93%), Linux 2.6.15 - 2.6.24 (93%), Linux 2.6.15 - 2.6.26 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 16 hops

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 45.91 seconds 

 Surprisingly, the scan results look similar!

Until I have proof to the contrary, I therefore believe this is a malicious architecture, where boxes have been compromised and used to handle requests sent from compromised computers...
There is also a quite obvious DNS synchronization issue here. Still, OpenDNS remains the safest service to query.

If anybody has got further details about that domain and IP addresses, feel free to post a comment or send me an email. 
