Possible zombie situation

GORDON
Site Admin
Posts: 56735
Joined: Sun Jun 06, 2004 10:43 pm
Location: DTManistan

Post by GORDON »

I suspect a PC on my network may have been compromised by something, and is being used for something.

For the last week or so I have noticed intermittent HTML dropoffs, and while not actively researching until today, I have been wondering.

Today I get into my router settings to reboot it, and glance at the logs while I am in there:

Code:

[LAN access from remote] from 99.232.132.62:53916 to 192.168.1.201:57509, Tuesday, October 11,2011 12:21:00
[LAN access from remote] from 90.204.52.250:59466 to 192.168.1.201:57509, Tuesday, October 11,2011 12:21:00
[LAN access from remote] from 184.161.235.77:21196 to 192.168.1.201:57509, Tuesday, October 11,2011 12:20:44
[LAN access from remote] from 187.160.70.51:52832 to 192.168.1.201:57509, Tuesday, October 11,2011 12:20:12
[LAN access from remote] from 67.63.97.73:62899 to 192.168.1.201:57509, Tuesday, October 11,2011 12:20:01
[LAN access from remote] from 71.92.198.65:57102 to 192.168.1.201:57509, Tuesday, October 11,2011 12:19:55
[LAN access from remote] from 131.104.250.225:55798 to 192.168.1.201:57509, Tuesday, October 11,2011 12:19:44
[LAN access from remote] from 142.217.25.117:56836 to 192.168.1.201:57509, Tuesday, October 11,2011 12:19:41
[LAN access from remote] from 68.62.52.30:64009 to 192.168.1.201:57509, Tuesday, October 11,2011 12:19:30
[LAN access from remote] from 201.167.45.144:61819 to 192.168.1.201:57509, Tuesday, October 11,2011 12:19:10
[LAN access from remote] from 83.2.50.49:2430 to 192.168.1.201:57509, Tuesday, October 11,2011 12:19:07
[LAN access from remote] from 71.232.60.250:52078 to 192.168.1.201:57509, Tuesday, October 11,2011 12:18:55
[LAN access from remote] from 78.232.73.123:56752 to 192.168.1.201:57509, Tuesday, October 11,2011 12:18:21
[LAN access from remote] from 97.90.200.89:54106 to 192.168.1.201:57509, Tuesday, October 11,2011 12:18:16
[LAN access from remote] from 71.227.162.16:23260 to 192.168.1.201:57509, Tuesday, October 11,2011 12:18:03
[LAN access from remote] from 24.6.118.29:57851 to 192.168.1.201:57509, Tuesday, October 11,2011 12:17:18
[LAN access from remote] from 76.22.223.34:52215 to 192.168.1.201:57509, Tuesday, October 11,2011 12:16:28
[LAN access from remote] from 71.204.243.59:60373 to 192.168.1.201:57509, Tuesday, October 11,2011 12:16:27
[LAN access from remote] from 76.121.146.97:53431 to 192.168.1.201:57509, Tuesday, October 11,2011 12:16:26
[LAN access from remote] from 86.97.131.81:54262 to 192.168.1.201:57509, Tuesday, October 11,2011 12:16:09
[LAN access from remote] from 79.166.151.15:53120 to 192.168.1.201:57509, Tuesday, October 11,2011 12:16:08
[LAN access from remote] from 27.32.186.17:51858 to 192.168.1.201:57509, Tuesday, October 11,2011 12:15:47
[LAN access from remote] from 72.50.70.211:51030 to 192.168.1.201:57509, Tuesday, October 11,2011 12:15:29
[LAN access from remote] from 124.122.180.226:2031 to 192.168.1.201:57509, Tuesday, October 11,2011 12:14:52

Lots of that. whois didn't specify who was at that IP beyond some vague references to spam bot networks.

.201 is my main system, the one I am typing on, now. The only reference to port 57509 was a reference in the UPnP settings, that port was directed right at this PC.

I never set up anything to point at this PC in the router, so I don't know what that is.

Does this look like an infection, and did I fix it by disabling UPnP on the router? So far the logs show none of that activity for the last 10 minutes, since I disabled it.



Edited By GORDON on 1318351497
"Be bold, and mighty forces will come to your aid."
TheCatt
Site Admin
Posts: 57682
Joined: Thu May 20, 2004 11:15 pm
Location: Cary, NC

Post by TheCatt »

shit shit shit - Cake -he's on to us.
It's not me, it's someone else.
GORDON
Site Admin
Posts: 56735
Joined: Sun Jun 06, 2004 10:43 pm
Location: DTManistan

Post by GORDON »

Now these are popping up in the logs, here and there:

Code:

[DoS Attack: RST Scan] from source: 66.61.32.126, port 64281, Tuesday, October 11,2011 13:15:16

Only a few of them, so it isn't like a wall of DOS ATTACK. Are routers, these days, smart enough to block an IP when it detects something like that? Obviously it was smart enough to label it "DOS Attack" in the logs.
"Be bold, and mighty forces will come to your aid."
GORDON
Site Admin
Posts: 56735
Joined: Sun Jun 06, 2004 10:43 pm
Location: DTManistan

Post by GORDON »

Eh, I filtered the logs and I guess this isn't anything new:

Code:

[DoS Attack: RST Scan] from source: 24.151.59.32, port 51014, Tuesday, October 11,2011 15:05:50
[DoS Attack: RST Scan] from source: 138.210.200.187, port 10947, Tuesday, October 11,2011 14:59:30
[DoS Attack: RST Scan] from source: 98.169.46.14, port 53966, Tuesday, October 11,2011 14:51:03
[DoS Attack: RST Scan] from source: 98.206.191.90, port 61366, Tuesday, October 11,2011 14:06:05
[DoS Attack: RST Scan] from source: 138.210.200.187, port 28700, Tuesday, October 11,2011 14:05:26
[DoS Attack: RST Scan] from source: 138.210.200.187, port 27767, Tuesday, October 11,2011 13:48:10
[DoS Attack: RST Scan] from source: 50.113.36.207, port 49769, Tuesday, October 11,2011 13:20:54
[DoS Attack: RST Scan] from source: 190.190.87.192, port 58099, Tuesday, October 11,2011 13:20:13
[DoS Attack: RST Scan] from source: 66.61.32.126, port 64281, Tuesday, October 11,2011 13:15:16
[DoS Attack: RST Scan] from source: 14.136.24.237, port 2799, Tuesday, October 11,2011 12:49:43
[DoS Attack: ACK Scan] from source: 183.179.219.171, port 58849, Tuesday, October 11,2011 11:52:30
[DoS Attack: ACK Scan] from source: 183.179.219.171, port 58849, Tuesday, October 11,2011 11:52:28
[DoS Attack: ACK Scan] from source: 183.179.219.171, port 58849, Tuesday, October 11,2011 11:52:25
[DoS Attack: ACK Scan] from source: 183.179.219.171, port 58849, Tuesday, October 11,2011 11:52:23
[DoS Attack: RST Scan] from source: 62.195.249.33, port 58198, Tuesday, October 11,2011 11:47:13
[DoS Attack: RST Scan] from source: 67.172.254.79, port 58797, Tuesday, October 11,2011 11:43:59
[DoS Attack: RST Scan] from source: 99.141.48.169, port 57234, Tuesday, October 11,2011 11:32:26
[DoS Attack: RST Scan] from source: 201.37.238.122, port 57456, Tuesday, October 11,2011 11:22:16
[DoS Attack: RST Scan] from source: 174.6.88.107, port 58276, Tuesday, October 11,2011 11:10:04
[DoS Attack: ACK Scan] from source: 58.233.139.28, port 57794, Tuesday, October 11,2011 10:36:04
[DoS Attack: ACK Scan] from source: 218.236.73.168, port 56626, Tuesday, October 11,2011 09:56:09
[DoS Attack: ACK Scan] from source: 210.111.178.190, port 58916, Tuesday, October 11,2011 09:48:34
[DoS Attack: ACK Scan] from source: 211.117.19.195, port 58440, Tuesday, October 11,2011 09:44:29
[DoS Attack: ACK Scan] from source: 211.245.13.149, port 57411, Tuesday, October 11,2011 09:44:14
[DoS Attack: ACK Scan] from source: 175.117.43.135, port 57971, Tuesday, October 11,2011 09:35:24

I just didn't notice them before since they were lost in the flood of logs of whatever was accessing my PC.
"Be bold, and mighty forces will come to your aid."
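The two log formats in this thread (the "[LAN access from remote]" flood aimed at 192.168.1.201:57509 in the first post, and the "[DoS Attack: ... Scan]" entries above) are easy to summarise mechanically once parsed. The following is an added example, not code from the thread or from the router vendor: it parses a constructed sample built from a handful of the thread's own lines, groups the inbound entries by internal host and port (hit count, number of distinct remote sources, time span), flags any target that is not on an allow-list of ports you deliberately exposed, and counts which scan sources recur. The timestamp format assumes the router's "Tuesday, October 11,2011 12:21:00" layout exactly as printed in the thread.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: a few lines in each of the two formats the router writes,
# shortened from the thread's logs (the addresses are the ones shown there).
SAMPLE_LOG = """\
[LAN access from remote] from 99.232.132.62:53916 to 192.168.1.201:57509, Tuesday, October 11,2011 12:21:00
[LAN access from remote] from 90.204.52.250:59466 to 192.168.1.201:57509, Tuesday, October 11,2011 12:21:00
[LAN access from remote] from 184.161.235.77:21196 to 192.168.1.201:57509, Tuesday, October 11,2011 12:20:44
[LAN access from remote] from 124.122.180.226:2031 to 192.168.1.201:57509, Tuesday, October 11,2011 12:14:52
[DoS Attack: RST Scan] from source: 138.210.200.187, port 10947, Tuesday, October 11,2011 14:59:30
[DoS Attack: RST Scan] from source: 138.210.200.187, port 28700, Tuesday, October 11,2011 14:05:26
[DoS Attack: RST Scan] from source: 66.61.32.126, port 64281, Tuesday, October 11,2011 13:15:16
[DoS Attack: ACK Scan] from source: 183.179.219.171, port 58849, Tuesday, October 11,2011 11:52:30
[DoS Attack: ACK Scan] from source: 183.179.219.171, port 58849, Tuesday, October 11,2011 11:52:28
"""

LAN_RE = re.compile(
    r"^\[LAN access from remote\] from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+), (?P<ts>.+)$")
DOS_RE = re.compile(
    r"^\[DoS Attack: (?P<kind>[^\]]+)\] from source: (?P<src>[\d.]+), "
    r"port (?P<sport>\d+), (?P<ts>.+)$")

def parse_ts(text):
    # The router writes "Tuesday, October 11,2011 12:21:00": no space before the year.
    return datetime.strptime(text.strip(), "%A, %B %d,%Y %H:%M:%S")

def parse_log(text):
    """Split raw log text into inbound-access entries and scan entries."""
    lan, dos = [], []
    for line in text.splitlines():
        line = line.strip()
        m = LAN_RE.match(line)
        if m:
            lan.append({"src": m["src"], "sport": int(m["sport"]), "dst": m["dst"],
                        "dport": int(m["dport"]), "ts": parse_ts(m["ts"])})
            continue
        m = DOS_RE.match(line)
        if m:
            dos.append({"kind": m["kind"], "src": m["src"],
                        "sport": int(m["sport"]), "ts": parse_ts(m["ts"])})
    return lan, dos

def inbound_summary(lan):
    """Per internal (host, port): hits, distinct remote sources, seconds spanned."""
    by_target = defaultdict(list)
    for e in lan:
        by_target[(e["dst"], e["dport"])].append(e)
    out = {}
    for target, entries in by_target.items():
        times = [e["ts"] for e in entries]
        out[target] = {
            "hits": len(entries),
            "distinct_sources": len({e["src"] for e in entries}),
            "span_seconds": (max(times) - min(times)).total_seconds(),
        }
    return out

def flag_unexpected_targets(summary, allowed):
    """Anything reached on a (host, port) you never meant to expose is worth a look;
    many distinct sources inside a few minutes is a different pattern from one scanner."""
    return [(t, s) for t, s in summary.items() if t not in allowed]

def repeat_scanners(dos, min_hits=2):
    """Scan sources that show up more than once (one-off hits are background noise)."""
    counts = Counter(e["src"] for e in dos)
    return {src: n for src, n in counts.items() if n >= min_hits}

def scan_kinds(dos):
    return dict(Counter(e["kind"] for e in dos))

if __name__ == "__main__":
    lan, dos = parse_log(SAMPLE_LOG)
    for target, s in flag_unexpected_targets(inbound_summary(lan), allowed=set()):
        print("unexpected inbound target %s:%d -> %s" % (target[0], target[1], s))
    print("repeat scanners:", repeat_scanners(dos))
    print("scan kinds:", scan_kinds(dos))
```

Run against a full export of the router log, the inbound summary answers the question asked in the first post directly: one internal host and port hit by dozens of distinct remote addresses within minutes is what a port mapping that a program on that host (or something pretending to be one) requested looks like, whereas the scan entries come from unrelated single sources and are routine background noise.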
TPRJones
Posts: 13418
Joined: Fri May 21, 2004 2:05 pm
Location: Houston

Post by TPRJones »

So how did the port forward get set up on your router, then? Is your router compromised?
"ATTENTION: Customers browsing porn must hold magazines with both hands at all times!"
GORDON
Site Admin
Posts: 56735
Joined: Sun Jun 06, 2004 10:43 pm
Location: DTManistan

Post by GORDON »

TPRJones wrote: So how did the port forward get set up on your router, then? Is your router compromised?
No idea where the port forwarding came from. It was in the UPnP section, which I remember activating in order to get my PS3 to work on my network, but I don't recall ever setting up anything pointing at my .201. It wasn't set up in "Port Forwarding"-proper.

Now, without perfect understanding how UPnP works, isn't it designed to make it easier to connect random appliances to your network?

To answer your question, I don't know, yet. Keeping an eye on things. However, since I deactivated UPnP, which closed those open ports, I haven't had any of the original HTML issues. Also, my Android phone is no longer connecting to the wifi, heh.... a clue?
"Be bold, and mighty forces will come to your aid."
TheCatt
Site Admin
Posts: 57682
Joined: Thu May 20, 2004 11:15 pm
Location: Cary, NC

Post by TheCatt »

Some software can automatically configure port forwarding on your router; I use at least one piece of software that has done that.

No bit torrent software?
It's not me, it's someone else.
GORDON
Site Admin
Posts: 56735
Joined: Sun Jun 06, 2004 10:43 pm
Location: DTManistan

Post by GORDON »

TheCatt wrote: Some software can automatically configure port forwarding on your router; I use at least one piece of software that has done that.

No bit torrent software?
Not on the machine to which it was pointing.
"Be bold, and mighty forces will come to your aid."
GORDON
Site Admin
Posts: 56735
Joined: Sun Jun 06, 2004 10:43 pm
Location: DTManistan

Post by GORDON »

From my router's documentation:
UPnP can be enabled for automatic device configuration, or it can be disabled. The default setting for UPnP is enabled. If this feature is disabled, the router will not allow any device to automatically control the resources, such as port forwarding (mapping), of the router.


So devices CAN forward ports and shit. I wonder if it was my Android phone that I plugged into my PC, since that is the only thing I can think of that I have plugged into this 192.168.0.201 PC, lately.
"Be bold, and mighty forces will come to your aid."
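The router documentation quoted above describes the UPnP IGD mechanism: any device or program on the LAN can ask the router to add a port mapping, and the same service lets you read the mapping table back, which is how you find out what is currently forwarded and to which host. The following is an added example, not code from the thread or from any router vendor: it walks the WANIPConnection GetGenericPortMappingEntry table index by index until the router returns UPnP error 713 (the end-of-table signal) and reports any mapping whose internal client is not on a list of hosts you meant to expose. The control URL, the two-row mapping table and the fake_router_post transport are constructed so the walk runs offline; the SSDP discovery step that yields the real control URL is left out, and http_post is the transport to use against an actual router.

```python
import re
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
FIELDS = ("NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewEnabled", "NewPortMappingDescription",
          "NewLeaseDuration")

def build_soap_request(control_url, index):
    """Build one GetGenericPortMappingEntry call; returns (url, headers, body)."""
    body = (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        '<u:GetGenericPortMappingEntry xmlns:u="%s">'
        '<NewPortMappingIndex>%d</NewPortMappingIndex>'
        '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>' % (SERVICE, index)
    )
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": '"%s#GetGenericPortMappingEntry"' % SERVICE}
    return control_url, headers, body.encode()

def parse_mapping_response(xml_bytes):
    """One table row as a dict, or None when the router answers with UPnP error
    713 (SpecifiedArrayIndexInvalid), which is how the end of the table is signalled."""
    root = ET.fromstring(xml_bytes)
    err = root.find(".//{urn:schemas-upnp-org:control-1-0}errorCode")
    if err is None:                      # some routers omit the namespace
        err = root.find(".//errorCode")
    if err is not None:
        if err.text.strip() == "713":
            return None
        raise RuntimeError("UPnP error " + err.text.strip())
    row = {}
    for f in FIELDS:
        el = root.find(".//" + f)        # response children are unqualified
        row[f] = (el.text or "").strip() if el is not None else ""
    return row

def list_mappings(control_url, post):
    """Walk indexes 0, 1, 2, ... until the router says the index is invalid.
    `post` is a callable (url, headers, body) -> response bytes, so the same walk
    runs over a real HTTP client or over constructed responses."""
    rows, index = [], 0
    while True:
        row = parse_mapping_response(post(*build_soap_request(control_url, index)))
        if row is None:
            return rows
        rows.append(row)
        index += 1

def http_post(url, headers, body):
    """Real transport. SOAP faults arrive as HTTP 500 with an XML body, so keep it."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.read()
    except urllib.error.HTTPError as e:
        return e.read()

def unexpected_mappings(rows, known_clients):
    """Rows that point at an internal host you did not deliberately expose."""
    return [r for r in rows if r["NewInternalClient"] not in known_clients]

# --- constructed stand-in for a router, so the walk runs offline --------------
CONSTRUCTED_TABLE = [
    {"NewExternalPort": "57509", "NewProtocol": "TCP", "NewInternalPort": "57509",
     "NewInternalClient": "192.168.1.201", "NewEnabled": "1",
     "NewPortMappingDescription": "unknown", "NewLeaseDuration": "0"},
    {"NewExternalPort": "9308", "NewProtocol": "UDP", "NewInternalPort": "9308",
     "NewInternalClient": "192.168.1.150", "NewEnabled": "1",
     "NewPortMappingDescription": "console", "NewLeaseDuration": "0"},
]
FAULT_713 = (
    b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><s:Fault>'
    b'<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring><detail>'
    b'<UPnPError xmlns="urn:schemas-upnp-org:control-1-0"><errorCode>713</errorCode>'
    b'<errorDescription>SpecifiedArrayIndexInvalid</errorDescription></UPnPError>'
    b'</detail></s:Fault></s:Body></s:Envelope>')

def fake_router_post(url, headers, body):
    """Answers like a router holding CONSTRUCTED_TABLE; a fault past the last row."""
    index = int(re.search(rb"<NewPortMappingIndex>(\d+)<", body).group(1))
    if index >= len(CONSTRUCTED_TABLE):
        return FAULT_713
    inner = "".join("<%s>%s</%s>" % (f, CONSTRUCTED_TABLE[index].get(f, ""), f)
                    for f in FIELDS)
    return ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
            '<u:GetGenericPortMappingEntryResponse xmlns:u="%s">%s'
            '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>'
            % (SERVICE, inner)).encode()

if __name__ == "__main__":
    rows = list_mappings("http://192.0.2.1:5000/ctl/IPConn", fake_router_post)  # placeholder URL
    for r in unexpected_mappings(rows, known_clients={"192.168.1.150"}):
        print("unexpected:", r["NewProtocol"], r["NewExternalPort"], "->",
              r["NewInternalClient"], r["NewInternalPort"], r["NewPortMappingDescription"])
```

Against a real router, swap fake_router_post for http_post and supply the control URL found through SSDP discovery; the miniupnpc command-line client does the discovery and prints the same table with `upnpc -l`, which is the quicker check when you only want to see what is mapped. The NewPortMappingDescription field is whatever the requesting program chose to write, so treat it as a hint about which software asked for the mapping, not as proof; the mapping's internal client and port are the part worth acting on.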
TheCatt
Site Admin
Posts: 57682
Joined: Thu May 20, 2004 11:15 pm
Location: Cary, NC

Post by TheCatt »

That seems unlikely.
It's not me, it's someone else.