The mystery of the outrageous bandwidth

October · Joined: 20 Apr 2007 Posts: 38 Location: Houston, TX

According to Wikipedia (fount of not-quite-all knowledge), Yog-Sothoth appeared in The Dunwich Horror - one of the few stories in the HPL mythos where the evil is defeated.

http://en.wikipedia.org/wiki/The_Dunwich_Horror

Note the part of the synopsis that says:

WolfHawk · Posted: Fri May 11, 2007 5:41 pm Post subject:

BlueKindo · Joined: 11 May 2007 Posts: 20

Dante · Joined: 20 Apr 2007 Posts: 578 Location: Chicago, IL

Well, I've broken the "gg" into bits and tried to match up the text with the stuff from the Yog-Sothoth page:

October · Joined: 20 Apr 2007 Posts: 38 Location: Houston, TX

BlueKindo · Joined: 11 May 2007 Posts: 20

Occultus · Joined: 28 Apr 2007 Posts: 56 Location: UK

So 5217 tries to telnet back to the incoming host and then dumps a whole load of Cthulhu text.

1031 (halloween as the US'ians write their dates) just instantly terminates the connection.

1313 is interesting:

Celina63 · Joined: 20 Apr 2007 Posts: 76 Location: San Diego

[quote="Occultus"]
1313 is interesting:

Rasputin42x69 · Posted: Fri May 11, 2007 6:38 pm Post subject:

Delurking here...

Re: 1313, I've noticed something odd developing in this one... The number of unauthorized accesses (I assume that's what Unauth: is) is usually 0, with the occasional patch of 1's. I've seen clusters of them with more than one access, though, and they seem to be forming a pattern, like this:

WolfHawk · Posted: Fri May 11, 2007 6:50 pm Post subject:

Perhaps an image becomes apparent once all the patterened lines are put together. for instance the grouping of 7s could be the head of a body.
_________________
Having abandoned my search for the truth I am now looking for a good fantasy.

I think I am therefore I am I think.

Cem · Joined: 20 Apr 2007 Posts: 24 Location: Point Nemo

James Stone · Posted: Sat May 12, 2007 7:55 am Post subject:

Port 1031 is the iad2 service, this means you have a Distributed Computing Environment or Remote Procedure Call setup on the machine, I would stab a guess that this is a trigger port for an attack, BA has been commenting on people hanging around waiting for a attack, I would shut down this port for now until we figure out the links.

Also, the full text from port 5217 is:

Y2Kveteran · Joined: 11 Jan 2007 Posts: 105 Location: Boulder, CO

Don't get alarmed, Bryce, but I've also used more private channels to call in some favors from old friends that don't really want to tip their hands. Some interesting ideas popping around.

First: Peter says "hey" and then points out to me what a sly old dog you are, Bryce. He suggests that since you obviously found the promisc node you were hoping to find, and since the promisc node isn't yours, that perhaps we should be mucho careful in revealing to those who own that node any information that reveals you have access to that. Peter thinks we might need it later.

Second: others agree with Occultus and James. 1313 and 5217 are part of open applicational blocks. 1031 is used by BBN IAD so is typically avoided. Probably a bot herder or zombie hub of some sort, especially if it is part of something moving terabytes. However, their advice to us is to NOT SHUT DOWN THESE PORTS as that might attract more active attention from the "owner" of these processes. We need to focus on collecting evidence before we tip our hats, they think.

Third: James -- what terminal emulation where you using with that capture? Clearly, which ever it is, it is working better than VT100 (which is slaughtering the display of the character strings for me.)

Fourth: Wayne reports last night seeing the Unauth count as high as 7. He also claims to have seen a 1 auth / 1 unauth combo, but he has no log to back it up (and you know how la pharmaceia impacts his Friday night effectiveness.) Did someone here do something that could have produced that? Did someone else? Or did Wayne just do too much? Must be able to replicate that.

Art
_________________
----
Art Lydney
Security Consultant
"The price of freedom is eternal vigilance."
-- Thomas Jefferson

Mkaos · Joined: 08 Jan 2007 Posts: 256 Location: San Francisco

Oops. James, I think your post must have hit the character limit on the forums. Do you still have the full text? Maybe it would be better for us to put it on the wiki. Smile

James Stone · Posted: Sat May 12, 2007 11:12 am Post subject:

I have sorted that ridiculously long post, I should have made sure it would fit before I posted it up, but I am dumb sometimes. I managed to get the text several ways, the easiest was opening in FireFox and selecting View Page Source. Windows XP telnet made an awful mess of it. I have not attempted to connect using my Linux box yet.

Also notice that I removed my IP address from that post, the admins here already have my IP address and I don't want 'public' users being handed it on a plate Very Happy

Leading on from that, admins you may notice my IP on your logs a number of times today, please be assured I am in no way out to harm your system, but I certainly would love to know who has put what services onto your server, and digging holes is the only way I know of getting that info. If my presence around the server makes you nervous then I will cease any further access attempts, I don't wish to lose your trust.