We were recently notified that machines on our network might be taking part in the Rustock botnet (1). I searched Google and found the list of IPs of the Rustock network's servers.
The list can be found at the link below:
Rustock CnC Servers: http://blog.fireeye.com/research/rustock-cnc-servers.html
Using tcpdump I was able to filter all traffic to those IPs and save the result to a file so it can be analysed later. Here is what the script looks like:
#!/bin/bash
# Capture every packet to or from the listed Rustock C&C addresses and write the
# raw pcap to /var/log/rustock.log, leaving tcpdump running in the background
tcpdump -nn -i any host 173.192.135.102 or host 173.192.135.98 \
or host 173.192.135.99 or host 173.208.128.50 or host 173.208.128.74 \
or host 173.208.128.82 or host 173.208.131.178 or host 173.208.131.98 \
or host 173.208.141.154 or host 173.208.143.114 or host 173.208.143.122 \
or host 173.208.143.194 or host 173.208.143.90 or host 173.208.150.90 \
or host 173.208.154.90 or host 173.208.162.2 or host 173.208.163.178 \
or host 173.208.163.242 or host 173.212.214.194 or host 173.212.241.42 or host 173.212.241.50 or host 173.212.243.114 \
or host 173.83.26.26 or host 173.83.26.34 or host 174.139.250.66 or host 174.36.237.84 or host 204.12.192.250 \
or host 204.12.217.218 or host 204.12.217.250 or host 204.12.217.42 or host 204.12.217.98 or host 204.12.220.122 \
or host 204.12.237.202 or host 204.12.243.210 or host 204.12.243.34 or host 204.12.243.42 or host 204.12.243.58 \
or host 204.12.248.66 or host 204.45.118.202 or host 204.45.118.250 or host 204.45.119.10 or host 204.45.119.18 \
or host 204.45.119.2 or host 204.45.119.26 or host 204.45.119.34 or host 204.45.119.42 or host 204.45.119.50 \
or host 204.45.119.74 or host 204.45.119.82 or host 204.45.119.90 or host 204.45.121.130 or host 204.45.121.18 \
or host 204.45.121.34 or host 204.45.121.42 or host 204.45.121.50 or host 204.45.121.58 or host 206.217.206.8 \
or host 208.101.27.108 or host 208.101.27.44 or host 208.101.27.72 or host 208.110.71.58 or host 208.110.80.50 \
or host 208.110.82.186 or host 208.43.102.220 or host 208.43.157.96 or host 208.43.17.44 or host 208.43.18.12 \
or host 208.43.31.8 or host 208.43.40.148 or host 64.120.144.69 or host 64.120.149.117 or host 64.120.153.117 \
or host 64.191.18.149 or host 64.191.38.165 or host 64.191.53.37 or host 64.191.59.245 or host 64.22.109.222 \
or host 66.197.161.181 or host 66.197.251.69 or host 66.79.162.138 or host 66.79.162.86 or host 66.79.163.102 \
or host 66.96.214.53 or host 66.96.224.213 or host 67.228.206.92 or host 69.197.144.138 or host 69.197.158.242 \
or host 69.197.158.250 or host 69.197.161.34 or host 69.50.197.191 or host 72.26.196.194 or host 74.86.210.133 \
or host 74.86.210.134 or host 76.164.194.226 or host 85.17.200.13 or host 95.211.128.25 or host 96.0.203.106 \
or host 96.0.203.114 or host 96.0.203.122 or host 96.0.203.82 or host 96.0.203.90 or host 96.0.203.98 or host 96.31.81.44 \
or host 96.45.189.178 or host 96.9.169.53 or host 96.9.180.21 or host 96.9.182.101 or host 96.9.182.197 or host 96.9.183.149 \
or host 98.126.114.50 or host 98.126.42.26 or host 98.126.76.186 or host 98.126.77.2 or host 98.141.220.194 \
or host 98.141.220.226 -w /var/log/rustock.log &
The result is saved to /var/log/rustock.log. Since it is a raw packet capture, to read it we have to use tcpdump again and redirect its decoded output to a text file:
#tcpdump -r /var/log/rustock.log > /tmp/rustock.txt
Now we can work with the information. Running cat on the file, this is what we get:
13:40:32.613458 IP 10.123.122.254.1436 > ..www: Flags [S], seq 3547421019, win 65535, options [mss 1460,nop,nop,sackOK], length 0
We need to filter the file down to the only thing that interests us, the IP address. To do that, run the command below:
#cat /tmp/rustock.txt | cut -f3 -d" " | cut -f1-4 -d.
Now we have the list of IPs that are trying to connect to one of the Rustock servers. Next we use the sort command so that repeated IPs do not appear:
#cat /tmp/rustock.txt | cut -f3 -d" " | cut -f1-4 -d. | sort -u
Now we have the list of IPs that need to be investigated.
Reference:
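The same procedure as an added shell example, not part of the original post: it builds the tcpdump filter expression from a file of C&C addresses instead of one hand-typed command line, and it extracts the source addresses (field 3 of the decoded output, as the cut pipeline above does) while excluding the C&C addresses themselves, so that replies from those servers do not show up as suspect hosts. The capture has to be decoded with "tcpdump -nn -r" so addresses and ports stay numeric; with name resolution on, as in the sample line above where port 80 is printed as "www", the field splitting would break. The C&C addresses and capture lines are constructed (TEST-NET ranges), not taken from the FireEye list or from a real capture.

```shell
#!/bin/sh
# Added example, not the original post's script: build the tcpdump filter from a
# file of C&C addresses and reduce the decoded capture to the internal hosts that
# talked to them. The addresses and capture lines are constructed (TEST-NET
# ranges), not taken from the FireEye list or from a real capture.

# build_filter LIST: one address per line in LIST (blank lines and '#' comments are
# ignored) -> a BPF expression "host A or host B or ...", the same shape the post
# types out by hand. Use it as:
#   tcpdump -nn -i any "$(build_filter cnc.txt)" -w /var/log/rustock.log
build_filter() {
    awk 'NF && $1 !~ /^#/ { printf "%s%s", (n++ ? " or host " : "host "), $1 }
         END { print "" }' "$1"
}

# extract_sources DECODED LIST: DECODED is the text output of "tcpdump -nn -r FILE".
# Prints the unique source addresses that are NOT on the C&C list, so the servers'
# own replies (SYN-ACKs and the like) do not land in the list to investigate.
extract_sources() {
    awk 'NR == FNR { if (NF && $1 !~ /^#/) cnc[$1] = 1; next }   # first file: C&C list
         $2 == "IP" {
             n = split($3, p, ".")
             if (n == 5) src = p[1] "." p[2] "." p[3] "." p[4]   # TCP/UDP: strip .port
             else if (n == 4) src = $3                           # ICMP etc.: bare address
             else next                                           # unexpected shape, skip
             if (!(src in cnc)) print src
         }' "$2" "$1" | sort -u
}

# write_samples DIR: constructed input for the demo (not real data)
write_samples() {
    cat > "$1/cnc.txt" <<'EOF'
# constructed C&C list (TEST-NET-1 addresses, not real Rustock servers)
192.0.2.10
192.0.2.20
EOF
    cat > "$1/decoded.txt" <<'EOF'
13:40:32.613458 IP 10.0.0.9.1436 > 192.0.2.10.80: Flags [S], seq 3547421019, win 65535, options [mss 1460,nop,nop,sackOK], length 0
13:40:32.614002 IP 192.0.2.10.80 > 10.0.0.9.1436: Flags [S.], seq 1, ack 3547421020, win 5840, length 0
13:40:33.000100 IP 10.0.0.5.2231 > 192.0.2.20.443: Flags [S], seq 11, win 65535, length 0
13:40:34.100000 IP 10.0.0.5 > 192.0.2.20: ICMP echo request, id 1, seq 1, length 64
13:40:35.000000 IP 10.0.0.9.1437 > 192.0.2.10.80: Flags [S], seq 99, win 65535, length 0
EOF
}

# demo: run both functions over the constructed input and print the suspect hosts
demo() {
    tmp=$(mktemp -d)
    write_samples "$tmp"
    echo "filter: $(build_filter "$tmp/cnc.txt")"
    echo "hosts to investigate:"
    extract_sources "$tmp/decoded.txt" "$tmp/cnc.txt"
    rm -rf "$tmp"
}

demo
```

Running the block prints the generated filter and the two constructed internal hosts (10.0.0.5 and 10.0.0.9); the 192.0.2.10 reply line is dropped because that address is on the C&C list. Keeping the address list in a file also means the capture can be restarted with an updated list without editing the script.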
(1) http://pt.scribd.com/doc/59395728/Battling-the-Rustock-Threat