[Snort-sigs] To catch a Lion (Lion Worm that is)

Robert Wagner rwagner at ...447...
Thu Apr 25 06:19:02 EDT 2002


I have been seeing a series of scans and I think I traced it back to the
Lion Worm.  I noticed that we do not have a signature for the Lion Worm
(last time I checked).

It appears to scan from 53 to 53, then 80 to 53, then from 53 to 37852.  The
scans to 53 are matched by nmap (I am using the same signature, different
name).

Please let me know if you think this is something else.

Apr 24 18:18:04 xserver02 snort[20515]: [1:0:1] Virus - Lion Worm Backdoor
Attempt [Classification: Misc activity] [Priority: 3]: {UDP}
209.135.37.205:53 -> myip:37852
Apr 24 18:18:04 xserver02 snort[20515]: [1:628:1] SCAN Possible Lion Worm
[Classification: Attempted Information Leak] [Priority: 2]: {TCP}
209.135.37.205:80 -> myip:53
Apr 24 18:18:04 xserver02 snort[20515]: [1:628:1] SCAN nmap TCP
[Classification: Attempted Information Leak] [Priority: 2]: {TCP}
209.135.37.205:53 -> myip:53
Apr 24 18:18:09 xserver02 snort[20515]: [1:0:1] Virus - Lion Worm Backdoor
Attempt [Classification: Misc activity] [Priority: 3]: {UDP}
209.135.37.205:53 -> myip:37852
Apr 24 18:18:09 xserver02 snort[20515]: [1:628:1] SCAN Possible Lion Worm
[Classification: Attempted Information Leak] [Priority: 2]: {TCP}
209.135.37.205:80 -> myip:53
Apr 24 18:18:09 xserver02 snort[20515]: [1:628:1] SCAN nmap TCP
[Classification: Attempted Information Leak] [Priority: 2]: {TCP}
209.135.37.205:53 -> myip:53

alert udp any any -> any 37852 (msg:"Virus - Lion Worm Backdoor Attempt"; \
    dsize:<60; reference:MCAFEE,99056; sid:000; classtype:misc-activity; rev:1;)
alert tcp $EXTERNAL_NET 80 -> $HOME_NET 53 (msg:"SCAN Possible Lion Worm"; \
    flags:A; ack:0; tag: session, 300, packets; reference:arachnids,28; \
    classtype:attempted-recon; sid:000; rev:1;)

-----------------------------53
[**] SCAN nmap TCP [**]
04/24-18:18:04.477490 209.135.37.205:53 -> myip:53
TCP TTL:53 TOS:0x0 ID:20486 IpLen:20 DgmLen:40
***A**** Seq: 0x2F3  Ack: 0x0  Win: 0x578  TcpLen: 20
0x0000: 00 xx xx xx xx xx xx xx xx xx xx xx xx 00 45 00  ....:1..c.....E.
0x0010: 00 28 50 06 00 00 35 06 CE A8 D1 87 25 CD xx xx  .(P...5.....%..,
0x0020: xx xx 00 35 00 35 00 00 02 F3 00 00 00 00 50 10  ...5.5........P.
0x0030: 05 78 3F DE 00 00 00 00 00 00 00 00              .x?.........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] SCAN nmap TCP [**]
04/24-18:18:09.477490 209.135.37.205:53 -> myip:53
TCP TTL:53 TOS:0x0 ID:20556 IpLen:20 DgmLen:40
***A**** Seq: 0x2F7  Ack: 0x0  Win: 0x578  TcpLen: 20
0x0000: 00 xx xx xx xx xx xx xx xx xx xx xx xx 00 45 00  ....:1..c.....E.
0x0010: 00 28 50 4C 00 00 35 06 CE 62 D1 87 25 CD xx xx  .(PL..5..b..%..,
0x0020: xx xx 00 35 00 35 00 00 02 F7 00 00 00 00 50 10  ...5.5........P.
0x0030: 05 78 3F DA 00 00 00 00 00 00 00 00              .x?.........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
-----------------------------80
[**] SCAN Possible Lion Worm [**]
04/24-18:18:04.477490 209.135.37.205:80 -> myip:53
TCP TTL:53 TOS:0x0 ID:20485 IpLen:20 DgmLen:40
***A**** Seq: 0x2F2  Ack: 0x0  Win: 0x578  TcpLen: 20
0x0000: 00 xx xx xx xx xx xx xx xx xx xx xx xx 00 45 00  ....:1..c.....E.
0x0010: 00 28 50 05 00 00 35 06 CE A9 D1 87 25 CD xx xx  .(P...5.....%..,
0x0020: xx xx 00 50 00 35 00 00 02 F2 00 00 00 00 50 10  ...P.5........P.
0x0030: 05 78 3F C4 00 00 00 00 00 00 00 00              .x?.........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] SCAN Possible Lion Worm [**]
04/24-18:18:09.477490 209.135.37.205:80 -> myip:53
TCP TTL:53 TOS:0x0 ID:20555 IpLen:20 DgmLen:40
***A**** Seq: 0x2F6  Ack: 0x0  Win: 0x578  TcpLen: 20
0x0000: 00 xx xx xx xx xx xx xx xx xx xx xx xx 00 45 00  ....:1..c.....E.
0x0010: 00 28 50 4B 00 00 35 06 CE 63 D1 87 25 CD xx xx  .(PK..5..c..%..,
0x0020: xx xx 00 50 00 35 00 00 02 F6 00 00 00 00 50 10  ...P.5........P.
0x0030: 05 78 3F C0 00 00 00 00 00 00 00 00              .x?.........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

---------------------------------37852
[**] Virus - Lion Worm Backdoor Attempt [**]
04/24-18:18:04.477490 209.135.37.205:53 -> myip:37852
UDP TTL:53 TOS:0x0 ID:20483 IpLen:20 DgmLen:38
Len: 18
0x0000: 00 xx xx xx xx xx xx xx xx xx xx xx xx 00 45 00  ....:1..c.....E.
0x0010: 00 26 50 03 00 00 35 11 CE A2 D1 87 25 CD xx xx  .&P...5.....%..,
0x0020: xx xx 00 35 93 DC 00 12 04 97 00 00 00 00 00 00  ...5............
0x0030: 00 00 00 00 00 00 06 6B 00 00 00 00              .......k....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] Virus - Lion Worm Backdoor Attempt [**]
04/24-18:18:09.477490 209.135.37.205:53 -> myip:37852
UDP TTL:53 TOS:0x0 ID:20553 IpLen:20 DgmLen:38
Len: 18
0x0000: 00 xx xx xx xx xx xx xx xx xx xx xx xx 00 45 00  ....:1..c.....E.
0x0010: 00 26 50 49 00 00 35 11 CE 5C D1 87 25 CD xx xx  .&PI..5..\..%..,
0x0020: xx xx 00 35 93 DC 00 12 04 97 00 00 00 00 00 00  ...5............
0x0030: 00 00 00 00 00 00 00 00 00 00 00 00              ............

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

PS -> Does anyone know why the UDP packets are logging to a different
directory than the TCP packets?  TCP -> Source, UDP -> Destination.
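The post describes the scan as a fixed three-probe pattern from one source: TCP 53 -> 53, TCP 80 -> 53 and UDP 53 -> 37852, repeated a few seconds apart. The following is an added example (not from the post or the Snort project) that correlates Snort syslog alert lines into that pattern instead of relying on individual rule hits. The sample input is the post's own alert lines rejoined onto one line each (the mail wrapped them), with the destination left as the post's `myip` placeholder, plus one constructed decoy line from a single unrelated probe; the year (2002) is assumed because syslog timestamps carry none.

```python
"""Correlate Snort syslog alerts into the three-probe Lion pattern.

Added example, not part of the original post. Input lines are in Snort's
syslog alert format; the sample below reuses the alerts from the post.
"""
import re
from collections import defaultdict
from datetime import datetime

ASSUMED_YEAR = 2002  # syslog lines have no year; assumed from the post date

# The post's alerts, one per line, plus one constructed decoy (198.51.100.7)
# that fires only the nmap rule and must NOT be reported as a Lion sequence.
SAMPLE_LOG = """\
Apr 24 18:18:04 xserver02 snort[20515]: [1:0:1] Virus - Lion Worm Backdoor Attempt [Classification: Misc activity] [Priority: 3]: {UDP} 209.135.37.205:53 -> myip:37852
Apr 24 18:18:04 xserver02 snort[20515]: [1:628:1] SCAN Possible Lion Worm [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 209.135.37.205:80 -> myip:53
Apr 24 18:18:04 xserver02 snort[20515]: [1:628:1] SCAN nmap TCP [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 209.135.37.205:53 -> myip:53
Apr 24 18:18:09 xserver02 snort[20515]: [1:0:1] Virus - Lion Worm Backdoor Attempt [Classification: Misc activity] [Priority: 3]: {UDP} 209.135.37.205:53 -> myip:37852
Apr 24 18:18:09 xserver02 snort[20515]: [1:628:1] SCAN Possible Lion Worm [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 209.135.37.205:80 -> myip:53
Apr 24 18:18:09 xserver02 snort[20515]: [1:628:1] SCAN nmap TCP [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 209.135.37.205:53 -> myip:53
Apr 24 18:20:00 xserver02 snort[20515]: [1:628:1] SCAN nmap TCP [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 198.51.100.7:53 -> myip:53
"""

# Snort syslog alert: "<ts> <host> snort[pid]: [gid:sid:rev] <msg> [Classification: ..]
# [Priority: n]: {PROTO} src:sport -> dst:dport"
ALERT_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ snort\[\d+\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: [^\]]*\] \[Priority: \d+\]: \{(?P<proto>\w+)\} "
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$"
)

# The three probes the post attributes to Lion, as (proto, sport, dport).
# Keyed on ports rather than sid because the log shows two differently
# named rules both reporting as sid 628.
LION_PROBES = {("TCP", 53, 53), ("TCP", 80, 53), ("UDP", 53, 37852)}


def parse_alert(line):
    """Parse one syslog alert line into a dict, or return None if it is not one."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(
        f"{m['mon']} {m['day']} {m['time']} {ASSUMED_YEAR}", "%b %d %H:%M:%S %Y"
    )
    return {
        "time": ts, "sid": int(m["sid"]), "msg": m["msg"], "proto": m["proto"],
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
    }


def find_lion_sequences(lines, window_seconds=3):
    """Return one hit per (src, dst) burst in which all of LION_PROBES appear.

    Alerts are grouped by source/destination pair and scanned with a sliding
    window; a window that covers every probe is reported once and consumed,
    so each burst yields a single hit rather than one per alert.
    """
    by_pair = defaultdict(list)
    for line in lines:
        alert = parse_alert(line)
        if alert:
            by_pair[(alert["src"], alert["dst"])].append(alert)

    hits = []
    for (src, dst), events in by_pair.items():
        events.sort(key=lambda e: e["time"])
        i = 0
        while i < len(events):
            start = events[i]["time"]
            window = [e for e in events[i:]
                      if (e["time"] - start).total_seconds() <= window_seconds]
            seen = {(e["proto"], e["sport"], e["dport"]) for e in window}
            if LION_PROBES <= seen:
                hits.append({"src": src, "dst": dst,
                             "first_seen": start, "count": len(window)})
                i += len(window)  # consume the burst
            else:
                i += 1
    return hits


if __name__ == "__main__":
    for hit in find_lion_sequences(SAMPLE_LOG.splitlines()):
        print(f"{hit['first_seen']} {hit['src']} -> {hit['dst']}: "
              f"full Lion probe set ({hit['count']} alerts)")
```

Run on the sample, this reports two bursts from 209.135.37.205 (18:18:04 and 18:18:09) and nothing for the decoy source, which only triggered the generic nmap rule. The window length is a tuning knob: widening it to 10 seconds merges the two bursts into one hit, which is the more useful view when the same host repeats the sweep.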