
List:       emerging-sigs
Subject:    [Emerging-Sigs] Question about RBN signatures.
From:       phatbuckett () gmail ! com (Darren Spruell)
Date:       2009-02-12 21:36:17
Message-ID: 839aec700902121336m49b8bedej41f16f7e774b13bc () mail ! gmail ! com

Yes. You're seeing reply traffic (destined to the 10.x.x.x resolver
that made the request.)

The source port of 53/udp is also an indicator of that; your request
went to their name server on port 53, and the reply comes back from
that server on port 53.

You've got clients trying to resolve stuff hosted over there for
various Internet dirtiness; typo squatting at least, and if you
drilled into it possibly more.

DS

On Thu, Feb 12, 2009 at 12:46 PM, Paul Halliday <paul.halliday at gmail.com> wrote:
> I am confused (more likely ignorant), how can they make a request to a
> server that isn't visible to the outside.
> Maybe I just don't understand the process. Is this in response to a
> client request?
>
> On Thu, Feb 12, 2009 at 3:36 PM, Matt Jonkman <jonkman at jonkmans.com> wrote:
>> That's you responding to them making a dns request.
>>
>> Matt
>>
>> Paul Halliday wrote:
>>>>> Take a look at the payloads and if it's DNS response traffic you can
>>>>> investigate the domains/sites they relate to.
>>>
>>> This IP alone has 60 events today. Why is my server talking to it?
>>>
>>> ------------------------------------------------------------------------
>>> Count:1 Event#2.1045628 2009-02-10 12:15:44
>>> ET RBN Known Russian Business Network Monitored Domains (222)
>>> 98.124.192.1 -> 10.37.1.5
>>> IPVer=4 hlen=5 tos=0 dlen=283 ID=47803 flags=2 offset=0 ttl=244 chksum=40302
>>> Protocol: 17 sport=53 -> dport=54894
>>>
>>> len=263 chksum=21564
>>> Payload:
>>> FF 10 84 00 00 01 00 01 00 05 00 05 06 67 6F 6F .............goo
>>> 67 65 6C 02 63 61 00 00 01 00 01 C0 0C 00 01 00 gel.ca..........
>>> 01 00 00 0E 10 00 04 45 40 9F 01 C0 0C 00 02 00 .......E@.......
>>> 01 00 00 0E 10 00 18 04 64 6E 73 31 0D 6E 61 6D ........dns1.nam
>>> 65 2D 73 65 72 76 69 63 65 73 03 63 6F 6D 00 C0 e-services.com..
>>> 0C 00 02 00 01 00 00 0E 10 00 07 04 64 6E 73 32 ............dns2
>>> C0 3C C0 0C 00 02 00 01 00 00 0E 10 00 07 04 64 .<.............d
>>> 6E 73 33 C0 3C C0 0C 00 02 00 01 00 00 0E 10 00 ns3.<...........
>>> 07 04 64 6E 73 34 C0 3C C0 0C 00 02 00 01 00 00 ..dns4.<........
>>> 0E 10 00 07 04 64 6E 73 35 C0 3C C0 37 00 01 00 .....dns5.<.7...
>>> 01 00 00 0E 10 00 04 62 7C C0 01 04 64 6E 73 32 .......b|...dns2
>>> C0 3C 00 01 00 01 00 00 0E 10 00 04 D8 34 B8 F8 .<...........4..
>>> 04 64 6E 73 33 C0 3C 00 01 00 01 00 00 0E 10 00 .dns3.<.........
>>> 04 62 7C C1 01 04 64 6E 73 34 C0 3C 00 01 00 01 .b|...dns4.<....
>>> 00 00 0E 10 00 04 45 40 91 E1 04 64 6E 73 35 C0 ......E@...dns5.
>>> 3C 00 01 00 01 00 00 0E 10 00 04 46 2A 25 07    <..........F*%.
>>> ------------------------------------------------------------------------
>>> Count:1 Event#2.1045882 2009-02-10 12:24:19
>>> ET RBN Known Russian Business Network Monitored Domains (222)
>>> 98.124.192.1 -> 10.37.1.5
>>> IPVer=4 hlen=5 tos=0 dlen=288 ID=1810 flags=2 offset=0 ttl=244 chksum=20755
>>> Protocol: 17 sport=53 -> dport=40172
>>>
>>> len=268 chksum=60690
>>> Payload:
>>> BF 4F 84 00 00 01 00 01 00 05 00 05 03 77 77 77 .O...........www
>>> 09 62 6C 6F 67 61 72 61 6D 61 03 63 6F 6D 00 00 .blogarama.com..
>>> 01 00 01 C0 0C 00 01 00 01 00 00 07 08 00 04 43 ...............C
>>> D2 61 FC C0 10 00 02 00 01 00 00 0E 10 00 15 04 .a..............
>>> 64 6E 73 31 0D 6E 61 6D 65 2D 73 65 72 76 69 63 dns1.name-servic
>>> 65 73 C0 1A C0 10 00 02 00 01 00 00 0E 10 00 07 es..............
>>> 04 64 6E 73 32 C0 44 C0 10 00 02 00 01 00 00 0E .dns2.D.........
>>> 10 00 07 04 64 6E 73 33 C0 44 C0 10 00 02 00 01 ....dns3.D......
>>> 00 00 0E 10 00 07 04 64 6E 73 34 C0 44 C0 10 00 .......dns4.D...
>>> 02 00 01 00 00 0E 10 00 07 04 64 6E 73 35 C0 44 ..........dns5.D
>>> C0 3F 00 01 00 01 00 00 0E 10 00 04 62 7C C0 01 .?..........b|..
>>> 04 64 6E 73 32 C0 44 00 01 00 01 00 00 0E 10 00 .dns2.D.........
>>> 04 D8 34 B8 F8 04 64 6E 73 33 C0 44 00 01 00 01 ..4...dns3.D....
>>> 00 00 0E 10 00 04 62 7C C1 01 04 64 6E 73 34 C0 ......b|...dns4.
>>> 44 00 01 00 01 00 00 0E 10 00 04 45 40 91 E1 04 D..........E@...
>>> 64 6E 73 35 C0 44 00 01 00 01 00 00 0E 10 00 04 dns5.D..........
>>> 46 2A 25 07                                     F*%.
>>> ------------------------------------------------------------------------
>>> Count:1 Event#2.1046067 2009-02-10 12:31:14
>>> ET RBN Known Russian Business Network Monitored Domains (222)
>>> 98.124.192.1 -> 10.37.1.5
>>> IPVer=4 hlen=5 tos=0 dlen=291 ID=58879 flags=2 offset=0 ttl=244 chksum=29218
>>> Protocol: 17 sport=53 -> dport=27249
>>>
>>> len=271 chksum=49330
>>> Payload:
>>> 5B A2 84 00 00 01 00 01 00 05 00 05 03 77 77 77 [............www
>>> 0C 63 64 78 65 74 65 78 74 62 6F 6F 6B 03 63 6F .cdxetextbook.co
>>> 6D 00 00 01 00 01 C0 0C 00 01 00 01 00 00 0E 10 m...............
>>> 00 04 45 40 4D 47 C0 10 00 02 00 01 00 00 0E 10 ..E@MG..........
>>> 00 15 04 64 6E 73 31 0D 6E 61 6D 65 2D 73 65 72 ...dns1.name-ser
>>> 76 69 63 65 73 C0 1D C0 10 00 02 00 01 00 00 0E vices...........
>>> 10 00 07 04 64 6E 73 32 C0 47 C0 10 00 02 00 01 ....dns2.G......
>>> 00 00 0E 10 00 07 04 64 6E 73 33 C0 47 C0 10 00 .......dns3.G...
>>> 02 00 01 00 00 0E 10 00 07 04 64 6E 73 34 C0 47 ..........dns4.G
>>> C0 10 00 02 00 01 00 00 0E 10 00 07 04 64 6E 73 .............dns
>>> 35 C0 47 C0 42 00 01 00 01 00 00 0E 10 00 04 62 5.G.B..........b
>>> 7C C0 01 04 64 6E 73 32 C0 47 00 01 00 01 00 00 |...dns2.G......
>>> 0E 10 00 04 D8 34 B8 F8 04 64 6E 73 33 C0 47 00 .....4...dns3.G.
>>> 01 00 01 00 00 0E 10 00 04 62 7C C1 01 04 64 6E .........b|...dn
>>> 73 34 C0 47 00 01 00 01 00 00 0E 10 00 04 45 40 s4.G..........E@
>>> 91 E1 04 64 6E 73 35 C0 47 00 01 00 01 00 00 0E ...dns5.G.......
>>> 10 00 04 46 2A 25 07                            ...F*%.
>>> ------------------------------------------------------------------------
>>> Count:1 Event#2.1046402 2009-02-10 12:44:26
>>> ET RBN Known Russian Business Network Monitored Domains (222)
>>> 98.124.192.1 -> 10.37.1.5
>>> IPVer=4 hlen=5 tos=0 dlen=297 ID=1504 flags=2 offset=0 ttl=244 chksum=21052
>>> Protocol: 17 sport=53 -> dport=51101
>>>
>>> len=277 chksum=4378
>>> Payload:
>>> D8 E2 84 00 00 01 00 01 00 05 00 05 06 6D 65 64 .............med
>>> 69 61 32 0D 74 76 73 65 61 72 63 68 67 75 69 64 ia2.tvsearchguid
>>> 65 02 74 76 00 00 01 00 01 C0 0C 00 01 00 01 00 e.tv............
>>> 00 0E 10 00 04 42 E6 B6 C6 C0 13 00 02 00 01 00 .....B..........
>>> 00 0E 10 00 18 04 64 6E 73 31 0D 6E 61 6D 65 2D ......dns1.name-
>>> 73 65 72 76 69 63 65 73 03 63 6F 6D 00 C0 13 00 services.com....
>>> 02 00 01 00 00 0E 10 00 07 04 64 6E 73 32 C0 4A ..........dns2.J
>>> C0 13 00 02 00 01 00 00 0E 10 00 07 04 64 6E 73 .............dns
>>> 33 C0 4A C0 13 00 02 00 01 00 00 0E 10 00 07 04 3.J.............
>>> 64 6E 73 34 C0 4A C0 13 00 02 00 01 00 00 0E 10 dns4.J..........
>>> 00 07 04 64 6E 73 35 C0 4A C0 45 00 01 00 01 00 ...dns5.J.E.....
>>> 00 0E 10 00 04 62 7C C0 01 04 64 6E 73 32 C0 4A .....b|...dns2.J
>>> 00 01 00 01 00 00 0E 10 00 04 D8 34 B8 F8 04 64 ...........4...d
>>> 6E 73 33 C0 4A 00 01 00 01 00 00 0E 10 00 04 62 ns3.J..........b
>>> 7C C1 01 04 64 6E 73 34 C0 4A 00 01 00 01 00 00 |...dns4.J......
>>> 0E 10 00 04 45 40 91 E1 04 64 6E 73 35 C0 4A 00 ....E@...dns5.J.
>>> 01 00 01 00 00 0E 10 00 04 46 2A 25 07          .........F*%.
>>> ------------------------------------------------------------------------
>>> Count:1 Event#2.1046593 2009-02-10 12:52:18
>>> ET RBN Known Russian Business Network Monitored Domains (222)
>>> 98.124.192.1 -> 10.37.1.5
>>> IPVer=4 hlen=5 tos=0 dlen=110 ID=65385 flags=2 offset=0 ttl=244 chksum=22893
>>> Protocol: 17 sport=53 -> dport=24556
>>>
>>> len=90 chksum=38066
>>> Payload:
>>> B7 5C 84 00 00 01 00 01 00 00 00 00 03 77 77 77 .\...........www
>>> 0A 67 6C 6F 62 61 6C 70 6F 73 74 03 63 6F 6D 00 .globalpost.com.
>>> 00 01 00 01 C0 0C 00 05 00 01 00 00 07 08 00 22 ..............."
>>> 03 77 77 77 0A 67 6C 6F 62 61 6C 70 6F 73 74 03 .www.globalpost.
>>> 63 6F 6D 09 65 64 67 65 73 75 69 74 65 03 6E 65 com.edgesuite.ne
>>> 74 00                                           t.
>>> ------------------------------------------------------------------------
>>> Count:1 Event#2.1046695 2009-02-10 12:55:48
>>> ET RBN Known Russian Business Network Monitored Domains (222)
>>> 98.124.192.1 -> 10.37.1.5
>>> IPVer=4 hlen=5 tos=0 dlen=313 ID=60306 flags=2 offset=0 ttl=244 chksum=27769
>>> Protocol: 17 sport=53 -> dport=44592
>>>
>>> len=293 chksum=11879
>>> Payload:
>>> C3 F8 84 00 00 01 00 02 00 05 00 05 03 77 77 77 .............www
>>> 0C 70 6C 65 6E 74 79 6F 66 66 69 73 68 03 63 6F .plentyoffish.co
>>> 6D 00 00 01 00 01 C0 0C 00 05 00 01 00 00 0E 10 m...............
>>> 00 02 C0 10 C0 10 00 01 00 01 00 00 0E 10 00 04 ................
>>> 40 22 6E AE C0 10 00 02 00 01 00 00 0E 10 00 15 @"n.............
>>> 05 64 6E 73 30 31 03 67 70 6E 08 72 65 67 69 73 .dns01.gpn.regis
>>> 74 65 72 C0 1D C0 10 00 02 00 01 00 00 0E 10 00 ter.............
>>> 08 05 64 6E 73 30 32 C0 56 C0 10 00 02 00 01 00 ..dns02.V.......
>>> 00 0E 10 00 08 05 64 6E 73 30 33 C0 56 C0 10 00 ......dns03.V...
>>> 02 00 01 00 00 0E 10 00 08 05 64 6E 73 30 34 C0 ..........dns04.
>>> 56 C0 10 00 02 00 01 00 00 0E 10 00 08 05 64 6E V.............dn
>>> 73 30 35 C0 56 C0 50 00 01 00 01 00 00 0E 10 00 s05.V.P.........
>>> 04 62 7C C0 01 05 64 6E 73 30 32 C0 56 00 01 00 .b|...dns02.V...
>>> 01 00 00 0E 10 00 04 D8 34 B8 F8 05 64 6E 73 30 ........4...dns0
>>> 33 C0 56 00 01 00 01 00 00 0E 10 00 04 62 7C C1 3.V..........b|.
>>> 01 05 64 6E 73 30 34 C0 56 00 01 00 01 00 00 0E ..dns04.V.......
>>> 10 00 04 45 40 91 E1 05 64 6E 73 30 35 C0 56 00 ...E@...dns05.V.
>>> 01 00 01 00 00 0E 10 00 04 46 2A 25 07          .........F*%.
>>> ------------------------------------------------------------------------
>>>
>>>
>>> ......a bunch more.
>>>
>>>
>>> Thanks.
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at emergingthreats.net
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>> --
>> --------------------------------------------
>> Matthew Jonkman
>> Emerging Threats
>> Phone 765-429-0398
>> Fax 312-264-0205
>> http://www.emergingthreats.net
>> --------------------------------------------
>>
>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>
>>
>>



-- 
Darren Spruell
phatbuckett at gmail.com
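As an added example (not part of Darren's reply, the quoted posts, or any Emerging Threats code), here is a small RFC 1035 decoder for the raw payloads shown in the alerts above. It parses the header flags (the QR bit is what makes these replies rather than requests), the question section (the name the internal client asked for, which is the pivot an analyst wants from an RBN alert) and the answer, authority and additional sections, following the C0 xx compression pointers that make up most of the dumps. The two hex dumps are copied from the first (googel.ca) and fifth (www.globalpost.com) quoted events; everything else is assumed and written for this example.

```python
"""Decode the DNS reply payloads quoted in the thread (added example, RFC 1035 wire format)."""
import ipaddress
import struct

TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME"}

# Copied from the first quoted event: authoritative reply, 1 answer, 5 NS, 5 glue A records.
GOOGEL_CA_HEX = """
FF 10 84 00 00 01 00 01 00 05 00 05 06 67 6F 6F 67 65 6C 02 63 61 00 00 01 00 01 C0 0C 00 01 00
01 00 00 0E 10 00 04 45 40 9F 01 C0 0C 00 02 00 01 00 00 0E 10 00 18 04 64 6E 73 31 0D 6E 61 6D
65 2D 73 65 72 76 69 63 65 73 03 63 6F 6D 00 C0 0C 00 02 00 01 00 00 0E 10 00 07 04 64 6E 73 32
C0 3C C0 0C 00 02 00 01 00 00 0E 10 00 07 04 64 6E 73 33 C0 3C C0 0C 00 02 00 01 00 00 0E 10 00
07 04 64 6E 73 34 C0 3C C0 0C 00 02 00 01 00 00 0E 10 00 07 04 64 6E 73 35 C0 3C C0 37 00 01 00
01 00 00 0E 10 00 04 62 7C C0 01 04 64 6E 73 32 C0 3C 00 01 00 01 00 00 0E 10 00 04 D8 34 B8 F8
04 64 6E 73 33 C0 3C 00 01 00 01 00 00 0E 10 00 04 62 7C C1 01 04 64 6E 73 34 C0 3C 00 01 00 01
00 00 0E 10 00 04 45 40 91 E1 04 64 6E 73 35 C0 3C 00 01 00 01 00 00 0E 10 00 04 46 2A 25 07
"""

# Copied from the fifth quoted event: reply whose only answer is a CNAME.
GLOBALPOST_HEX = """
B7 5C 84 00 00 01 00 01 00 00 00 00 03 77 77 77 0A 67 6C 6F 62 61 6C 70 6F 73 74 03 63 6F 6D 00
00 01 00 01 C0 0C 00 05 00 01 00 00 07 08 00 22 03 77 77 77 0A 67 6C 6F 62 61 6C 70 6F 73 74 03
63 6F 6D 09 65 64 67 65 73 75 69 74 65 03 6E 65 74 00
"""


def hex_dump_to_bytes(dump: str) -> bytes:
    """Turn the whitespace-separated hex column of an alert into raw bytes."""
    return bytes.fromhex("".join(dump.split()))


def read_name(data: bytes, offset: int):
    """Read a domain name at offset, following compression pointers.

    Returns (name, offset just past the name in the original byte stream).
    """
    labels = []
    end = None          # where the caller resumes; fixed by the first pointer we follow
    hops = 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:
            # Pointer: low 14 bits are an offset from the start of the message.
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:   # a malformed packet could chain pointers forever
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            if end is None:
                end = offset + 1
            return ".".join(labels), end
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def read_record(data: bytes, offset: int):
    """Parse one resource record; returns (record dict, next offset)."""
    name, offset = read_name(data, offset)
    rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
    offset += 10
    if rtype == 1 and rdlen == 4:
        value = str(ipaddress.IPv4Address(data[offset:offset + 4]))
    elif rtype in (2, 5):
        value, _ = read_name(data, offset)   # NS/CNAME rdata may itself use pointers
    else:
        value = data[offset:offset + rdlen].hex()
    record = {"name": name, "type": TYPE_NAMES.get(rtype, rtype), "ttl": ttl, "data": value}
    return record, offset + rdlen


def parse_dns(payload: bytes) -> dict:
    """Decode header, question section and the three record sections of a DNS message."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    offset = 12
    questions = []
    for _ in range(qd):
        name, offset = read_name(payload, offset)
        qtype, _qclass = struct.unpack("!HH", payload[offset:offset + 4])
        offset += 4
        questions.append((name, TYPE_NAMES.get(qtype, qtype)))
    result = {
        "id": ident,
        "is_response": bool(flags & 0x8000),    # QR bit set: this is a reply, not a request
        "authoritative": bool(flags & 0x0400),  # AA bit
        "rcode": flags & 0x000F,
        "questions": questions,
    }
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        records = []
        for _ in range(count):
            rec, offset = read_record(payload, offset)
            records.append(rec)
        result[section] = records
    return result


def domains_queried(hex_dumps) -> list:
    """The pivot an analyst wants from these alerts: which names the internal client looked up."""
    names = []
    for dump in hex_dumps:
        names.extend(name for name, _ in parse_dns(hex_dump_to_bytes(dump))["questions"])
    return names


if __name__ == "__main__":
    for dump in (GOOGEL_CA_HEX, GLOBALPOST_HEX):
        msg = parse_dns(hex_dump_to_bytes(dump))
        print(msg["questions"], "reply" if msg["is_response"] else "request")
        for section in ("answer", "authority", "additional"):
            for rec in msg[section]:
                print(f"  {section:10} {rec['name']:32} {rec['type']:5} {rec['ttl']:6} {rec['data']}")
```

Running it against the first dump shows the QR bit set, the client's question (googel.ca, the typo-squat Darren mentions), one A answer, five NS records under name-services.com and, in the additional section, the glue address 98.124.192.1 for dns1, which is the very source IP the alert fired on. Feeding all the alert payloads to domains_queried gives the list of names to investigate without reading hex by hand.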

