Wanted to get your thoughts on this. Might be a bit long winded...
This started a few days ago when my oldest daughter called me when she went into "my network places" and couldn't see any of the other computers on the network. But, there is an icon for "shared" on "Richard". I don't have a computer named Richard in my house. I told her if she was right it sounded like our network was compromised and to turn off the cable modem and wireless router. Furthermore she told me that the Richard folder had been there for a long time and she just assumed I had added another computer to the network. As best as she can remember it has been there since early summer.
Keep in mind it was not very long ago I busted my oldest having Limewire on her laptop. I removed viruses from her laptop and her desktop (the one with "Richard").
When I got home to check it out I thought it might just be one of the computers I had worked on that had gotten stuck in my network places and really wasn't there. I clicked on Richard and a login box appeared.
Ran tracert on Richard and came up with an IP address. Went to my firewall (ipcop) and blocked that IP. Looked in the firewall logs and am now getting entries blocking a "forward" to that IP from every system that is on the network at that time except my company laptop.
As you can see below it is very persistent on trying to get out. At first it was just trying on port 41, wait awhile and try again, but after some time of not being able to get out it tried some of the other routes you now see below.
Just so you know I shut down Vista which I normally run on my system that I am on now and am currently booted into XP which is not sending out anything to that IP. I haven't run XP for some time so it appears that it is not infected. I also turned off simple file sharing and removed permissions from the Everyone account. Also bank account PW's have been changed and accounts are being monitored closely for any odd activity. I check my accounts several times a day anyway and have never seen anything odd.
Part 2: Normal DNS activity, or under attack?
As I am looking through my firewall logs I notice some entries as "input" so I checked several of the IPs and one is from China, one from Canada, domestic, UK, and various other places. They all have the same MAC address listed. See below for example. Blocked out portion is my external IP. I blocked the MAC and could no longer reach any web pages. Unblocked it and was back on the net. In some earlier logs there was the protocol (BootPS) and (BootPC). I looked this up and it seems this has to do with normal DNS activity. But as I was looking at the entries you see in the picture I really don't think 22 (SSH) is normal DNS activity.
The MAC is not any of my machines including the modem, nor any of the three NIC's on the firewall, nor the wireless router.
Once I got one coming in from Africa using 23(telnet).
If needed I am prepared to wipe every system in the house and start clean. Hopefully I can just restore backups that are not infected if I can isolate a time frame of when this happened. Particularly since it means five systems.
In case it matters -
Cable modem > IPCOP Firewall machine also doing DHCP (up to date and running snort and the addon Banish) > Switch > wired comps and wireless router with DHCP turned off.
If more info is needed just say so. I can also provide IDS logs from the firewall.
Thoughts?
8 Pro 64bit
AMD FX 8350
Asus Sabertooth 990FX R2.0
16GB G.Skill Sniper 1866MHz
OCZ Vertex 4 128GB SSD
HDD's 750GB x2/500GB/250GB
2x XFX 6870 1GB
12x BD-ROM
PC P&C 750W PSU
Cooler Master HAF 932 Red LED
CM Hyper 212 EVO w/2x SickleFlow 120mm Red LED
Logitech X540 5.1 Surround
2X Acer 23" LED - Eyefinity: 3840x1080
"The significant problems we face cannot be solved at the same level of thinking we were at when we created them."
- Albert Einstein
I wouldn't say 'attack'...I'd say more like 'pwned'.
At this point, I'd say trying to untangle all the mess is going to be more of a headache than even starting fresh, from scratch would be.
AV, Anti-Trojan List;Browser and Email client List;Popup Killer List;Portable Apps
“When men yield up the privilege of thinking, the last shadow of liberty quits the horizon.” - Thomas Paine
Remember: Amateurs built the ark; professionals built the Titanic.
I agree, the 61.184.136.12 address is Beijing, China; 125.65.112.217 and 202.97.238.231 are also China, and the 222.82.249.235 one is China as well.
I would suspect RBN type activity at this point. The daughter really let a nasty one come to your home.
Haha! No doubt about that.
OK, after a little more research I have found that the MAC appears to actually be my Road Runner default gateway, which I suspected but was a little freaked out over the whole thing. Also keep in mind that everything you see in the firewall log is logged because it has been blocked. Note that the entries with red circle/slash next to them are specifically blocked by the add-on Banish, which is used to block a specific resource or range, so those are the ones I have manually blocked myself.
So what I am thinking, and what really is the big question, are these entries from China and other foreign countries just the normal bombardment of being on the internet, and IPCop is doing its job? Or am I under attack specifically?
Looking at "IPTables Connection Tracking" in the firewall I see no abnormal current connections.
There's no doubt my LAN is infected with whatever "Richard" is. My best guess is a keylogger. I will start restoring backups soon and monitoring for that IP or any other abnormal activity to make sure I go back far enough. And I need to scrub data partitions. Particularly my oldest daughter's data on both her desktop and laptop. This will be most painful for her since all her music is going to go to the great cyber graveyard, and since I don't think I ever made a backup of her laptop she will have to start from scratch. I think you understand when I say I don't particularly feel bad for her.
I will also take measures to strengthen security within my LAN. I allowed things to be pretty loose so my wife and kids can access resources fairly easy, but that time has passed. I have been thinking for awhile about building a Linux server to hold all shared resources and locking down all clients. Probably will be doing that soon.
Any more thoughts or comments are welcomed.
My Computer:
DELL XPS 400
250 GB HD & 80 GB HD and 500 GB HD
ATI Radeon x1950 256 MB PCIe (upgrading soon)
OS: Win XP Media Center Edition
Intel Pentium D 2.79Ghz with 3.0 GB RAM + 15GB pagefile
DVD-ROM ; CD-RW; floppy
17" Monitor and 20" Widescreen dual
Looking to upgrade my PSU to a 650 Watt
Internet Help Desk
My City Visit daily!
we are not unreasonable... i mean, we wont eat your eyes
She can save her music I think... She can sit down, and drag each individual song (and only song) onto an external hard drive under strict parental controls and such to prevent malware from going with it. At least in theory that would save it. WMP and Zune and I think iTunes (not sure about the last one) would grab the data it needs to turn them back into albums and such.
I'd make her do it under Linux...
AJ, I don't even want to play with it. It probably is removable but it has eluded me for this long after normal scans and some deeper scans. I will not feel comfortable not knowing for certain it is gone. Budfred recently looked over some logs for me on my system and it didn't show up there either. This is one reason I make backups, so that's what I will do.
awaj, I don't know, I will probably put the music on an external drive until I decide what to do with it. Probably scrub it in Linux as MJC suggested.
If it wasn't for college I would be tempted to make her run on a Live CD for awhile.
At least I have a multiboot system and was able to boot to XP and it is clean. If that failed I also have Suse 11 installed. I can certainly live without vista for awhile until I get the other systems taken care of first.
Anyone have any comments on the blocked China IP's and such? I was kind of hoping Variable or one of the other network gurus would comment.
If nothing else all this has caused me to brush up on my networking skills. The work I have been doing for quite awhile doesn't really require much more than basic networking knowledge so I have gotten pretty rusty in that area.
hope I'm not butting in here but MJC mentioned:-
I wouldn't say 'attack'...I'd say more like 'pwned'.
What does 'pwned' actually mean?
Thanks,
Wombil.
'pwned'=owned...hacked to the point that someone else has administrative access to your machine.
Out of Curiosity, what firewall are you using? I use Sygate and it has reverse look-up feature with a WHOIS function. This did not get behind your firewall in an mp3. Cleaning up is not the answer, it's figuring out the source or you will be owned again.
No two moments are alike and a person who thinks that any two moments are alike has never lived.
A.J. Heschel
Thanks MJC, thought it may be something like that.
wombil.
Sorry I somehow missed your post Classic. On the machines I am running Comodo firewall and Avast AV. Not sure if Comodo has a lookup function. But my perimeter firewall IPCop (where the screen shots came from) that sits between my LAN and the net does.
With the little time I have had to deal with this I have figured a few things out that definitely add a wrinkle to the whole thing.
I found that running a ping or tracert on any computer name, either a real one in my LAN or one I just thought up, tries to go out to the internet to the 24.28.193.9 IP. Same goes when I go into my network places and connect to a machine. I further confirmed this with Wireshark (formerly Ethereal). While the 24.28.193.9 IP is blocked it of course times out; when unblocked it does indeed go out to the net. If I ping or tracert using the actual IP of a real machine it acts normal and has the single hop it should to the machine.
I went to all my systems and added a static IP, gateway, and DNS server and now have absolutely nothing in the logs trying to go out to the net while pinging or running tracert. They both act normal now with a single hop to any machine in my LAN and "Richard" can't be found.
So somehow my local?? name service is taken over? This doesn't happen when going out to a web page. I checked my hosts file and found nothing other than that added by Spybot S&D.
Note that pinging a local machine name while in Suse Linux also gives the same result. I find it really hard to believe that Suse is infected with anything, so my thoughts are it is a result of the pinged machine being infected and not Suse. Or... my firewall itself has been hacked. Unlikely, but anything is possible...
While booted into XP I reset my TCP/IP stack using the MS reset tool. Nothing changed even though the tool reported deleting a few entries. Here is a screen shot of Spybot S&D's look at my LSPs in Vista (not reset) if it is any help. The VMWare entries are new as I just started messing with it a couple weeks ago.
Quote:
This did not get behind your firewall in an mp3.
That's very possibly true. After talking with my daughter she said she hadn't used Limewire for over a year and had just started again in September, but that the Richard folder had been there since early summer. But she is still the most likely point of entry since I have never allowed her to use a P2P program but she goes to visit family often and gets music there and brings it home. She is also a heavy user of various IM's and transferring files through them as well.
But I digress. At this point I have no idea how this got in.
After at one time being resigned to restoring backups or totally starting from scratch I am now very interested in figuring this out. If someone wants to help me figure this out I would be most appreciative.
Who is your ISP? When I whois the IP I get:
OrgName: Road Runner HoldCo LLC
OrgID: RRMA
Address: 13241 Woodland Park Road
City: Herndon
StateProv: VA
PostalCode: 20171
Country: US
ReferralServer: rwhois://ipmt.rr.com:4321
NetRange: 24.24.0.0 - 24.29.255.255
CIDR: 24.24.0.0/14, 24.28.0.0/15
NetName: ROAD-RUNNER-1
NetHandle: NET-24-24-0-0-1
Parent: NET-24-0-0-0-0
NetType: Direct Allocation
NameServer: DNS1.RR.COM
NameServer: DNS2.RR.COM
NameServer: DNS3.RR.COM
NameServer: DNS4.RR.COM
Comment:
RegDate: 2000-06-09
Updated: 2002-08-22
RTechHandle: ZS30-ARIN
RTechName: ServiceCo LLC
RTechPhone: +1-703-345-3416
RTechEmail: *****@rr.com
OrgAbuseHandle: ABUSE10-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-703-345-3416
OrgAbuseEmail: *****@rr.com
OrgTechHandle: IPTEC-ARIN
OrgTechName: IP Tech
OrgTechPhone: +1-703-345-3416
OrgTechEmail: *****@rr.com
It is Road Runner.
I get the same thing, but why would a ping or tracert go out to the internet to get the info for a machine on the local network?
Also when I ping it shows that IP for every name I put in. For instance - Pinging osirus [24.28.193.9] - The IP is the same no matter what name you ping.
It should normally show the actual private IP of the machine correct? Such as 192.168.1.xxx. It does now. It also does on my company laptop that is on a domain and never exhibited this problem.
I think you have to ask your ISP. Are your settings all set to dynamic? I really don't think you are infected at all. I can't fully explain why the router is speaking to your ISP with each request.
They were all dynamic until last night. Now all are static.
Quote:
I really don't think you are infected at all
I have considered that myself. Thinking perhaps it is my RR DNS server, but it is not. The DNS servers listed in IPCop are not that IP, but start with 6x. When I WHOIS those IPs they actually say they are DNS servers.
But this doesn't explain the "shared folder on Richard" on my daughter's computer. Nor ping or tracert going outside my LAN for a local machine.
This train of thought is the reason I started this thread in this forum instead of the security forum.
I'm confused honestly.
I don't know about infected so much as 'controlled'. It seems to me to be some sort of DNS 'hijack'...but now the question is where...since it affects all machines, it may actually be IPCop that is the problem or the router or ISP. There also seem to be two distinct parts of this problem...the mysterious folder/unexplained Chinese IPs and the 24.xxx.xxx.xxx/RR stuff.
The 24.xxx.xxx.xxx are RoadRunner addresses...some of the things I've seen say that is the RR search page, others refer to those addresses as other parts of RR...but they all go back to RR.
According to one page I found, if you go to http://ww23.rr.com/index.php and go to the Opt Out link on the bottom you can 'opt out' of whatever 'service' this is...whatever it is, exactly, seems to have a major RR component involved.
Now the question I have is what exactly is RR doing...other than redirecting everything to its own DNS? search?
I am pretty sure the Chinese stuff is just normal bombardment of simply being connected to the net.
The folder I am still unclear about.
Exactly right. Where? How?
Quote:
since it affects all machines
Not all. My company laptop has never done this. But since it is on a domain it doesn't see nor is being seen by the other machines in the house. It can ping, and I haven't tried but I am sure it can be pinged, but shows nothing in network places.
But the fact that Suse does the same thing tells me it is probably something not on the machines themselves.
I have changed the password in IPCop. Remote login was not enabled until this began and I needed to login remotely (SSH) to install Banish.
The link you gave didn't load for me. But interestingly enough I now have entries in my IPCop from my machine blocking the same IP from where I was trying to load it. What the hell?
Quote:
Now the question I have is what exactly is RR doing...other than redirecting everything to its own DNS? search?
Opt out from what?
OK, unblocked the IP and was able to load the site. Went into preferences and disabled "Web Address Error Redirect Service:". It says it can take 15 minutes to become effective so I will wait for a little bit and change one of my machines' settings back to dynamic and see what happens.
OK, set my machine back to DHCP, made sure the IP was blocked, ran ping and tracert and it is normal. Unblocked the IP and still good.
Still confused as to how that would affect my LAN?
I am guessing that when I Ping or run tracert it sends out a broadcast message and the external DNS picks it up and somehow takes control??
That somewhat makes sense. Before when I ran ping or tracert it would also include the hostname of IPCop. Like so - Pinging osirus.hostname [IP] - Doesn't do that now.
I didn't think the hostname was relevant... But with IPCop serving DHCP...
Still doesn't account for the mysterious folder, but I now think it is a problem localized to the machine and not throughout my LAN.
It is possible the folder was stuck in the cache or ARP table or whatever from where I worked on a customer's machine awhile back. It was a wipe and reinstall and I didn't allow it on the network until it was wiped. Even if it is a real problem I can live with dealing with that and not my entire LAN compromised.
Thoughts?
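The behaviour worked out in the thread (an unqualified LAN name gets the DHCP domain suffix appended, the ISP resolver answers the resulting non-existent name with its own redirect address, so every unknown name "resolves" to 24.28.193.9) can be checked from a client without trusting the resolver. This is an added example, not code from the thread: the 24.28.193.9 address and the host name osirus come from the posts, while the `.lan` suffix, the 192.168.1.10 address and the probe-name scheme are constructed for illustration.

```python
"""Spot ISP NXDOMAIN redirection ("Web Address Error Redirect Service" style)
from the answers a resolver returns, without trusting the resolver itself.

Added example; the 24.28.193.9 redirect address and the host osirus come from
the thread, everything else (suffix .lan, 192.168.1.10, probe names) is made up."""
import ipaddress
import secrets
import socket

# Where a LAN host name is allowed to land: RFC 1918, link-local, loopback.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8")]


def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def random_probe_name(domain: str = "invalid") -> str:
    # A label nobody registered (under a reserved TLD by default); an honest
    # resolver must return NXDOMAIN for it, so any answer is a redirect.
    return f"probe-{secrets.token_hex(6)}.{domain}"


def classify(query: str, answers: list[str], known_hosts: set[str]) -> str:
    """Classify one lookup: 'ok', 'nxdomain-redirect' or 'lan-name-leaked'.

    known_hosts holds the bare (first-label) names of machines on the LAN."""
    label = query.split(".")[0].lower()
    if not answers:
        return "ok"                    # NXDOMAIN came back as it should
    if label not in known_hosts:
        return "nxdomain-redirect"     # a name that does not exist got an answer
    if all(is_private(a) for a in answers):
        return "ok"                    # a real LAN host resolved to a LAN address
    return "lan-name-leaked"           # a LAN host name resolved to a public IP


def resolver_report(lookups: dict[str, list[str]], known_hosts: set[str]) -> dict[str, str]:
    return {q: classify(q, a, known_hosts) for q, a in lookups.items()}


def live_lookup(name: str) -> list[str]:
    """Ask the system resolver; [] on NXDOMAIN. Needs a network, unlike the rest."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


if __name__ == "__main__":
    # Constructed sample mirroring the thread: every unknown or suffixed name
    # came back as the ISP redirect address, only the bare real host was right.
    sample = {
        "richard": ["24.28.193.9"],          # the mystery machine
        "osirus.lan": ["24.28.193.9"],       # real host, suffix appended, hijacked
        "osirus": ["192.168.1.10"],          # real host, answered locally
        random_probe_name(): ["24.28.193.9"],
    }
    for q, verdict in resolver_report(sample, {"osirus"}).items():
        print(f"{q:32} {verdict}")
```

Running `classify(random_probe_name(), live_lookup(random_probe_name()), set())` against the real resolver gives 'nxdomain-redirect' whenever an upstream resolver is rewriting NXDOMAIN answers.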
RR is hijacking...itself?
Very confusing and rather mysterious...but a little more digging and it seems to be a RR related complaint/problem. I found the most 'hits' related to it on places like the Ubuntu forums.
Yes I call it a problem. Had me freaking out and caused issues with my LAN.
It still doesn't make complete sense to me. I wonder how long they have been doing this?
You would have thought when I called RR about this they would have known when I gave them the IP what was going on.