ET SHELLCODE Rothenburg Shellcode flood in log...
-
You appear to have a real mystery on your hands here. Perhaps the malware was not totally eradicated, or else you have other infected hosts that are quickly re-establishing the infection.
-
I deleted the VM so in theory that purged every bit of it. No other Windows machine is running ATM so IDK how it gets infected. Also no other alarm from Suricata that could imply I have a compromised host.....
/EDIT
Suricata alert log:
08/23/2021-17:13:32.799962 [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:13:32.963161 [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:14:28.261221 [**] [1:2018373:5] ET EXPLOIT Malformed HeartBeat Response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:23:41.258658 [**] [1:2018373:5] ET EXPLOIT Malformed HeartBeat Response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:26:28.712807 [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:38:58.081742 [**] [1:2014819:3] ET INFO Packed Executable Download [**] [Classification: Misc activity] [Priority: 3] {TCP} 31.46.5.80:80 -> 192.168.10.105:50603
08/23/2021-17:39:01.034485 [**] [1:2210054:1] SURICATA STREAM excessive retransmissions [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.105:50615 -> 31.46.5.80:80
08/23/2021-17:39:01.734259 [**] [1:2210054:1] SURICATA STREAM excessive retransmissions [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 31.46.5.18:80 -> 192.168.10.105:50614
08/23/2021-17:39:38.226988 [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:39:49.058505 [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:39:49.067656 [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:39:49.086628 [**] [1:2017318:5] ET HUNTING SUSPICIOUS IRC - PRIVMSG *.(exe|tar|tgz|zip) download command [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:40:00.414606 [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:40:06.774212 [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 192.168.10.38:47270 -> 10.125.210.23:3260
08/23/2021-17:40:56.119765 [**] [1:2018373:5] ET EXPLOIT Malformed HeartBeat Response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:43:01.073513 [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:43:01.096700 [**] [1:2017318:5] ET HUNTING SUSPICIOUS IRC - PRIVMSG *.(exe|tar|tgz|zip) download command [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:43:03.541890 [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:43:32.355036 [**] [1:2018959:4] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 205.185.216.10:80 -> 192.168.10.105:50673
08/23/2021-17:44:58.130630 [**] [1:2210054:1] SURICATA STREAM excessive retransmissions [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 205.185.216.42:80 -> 192.168.10.105:50704
08/23/2021-17:44:58.270305 [**] [1:2210054:1] SURICATA STREAM excessive retransmissions [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 205.185.216.10:80 -> 192.168.10.105:50705
08/23/2021-17:44:59.587323 [**] [1:2210054:1] SURICATA STREAM excessive retransmissions [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 205.185.216.42:80 -> 192.168.10.105:50707
Dumped packet hex for matches:
https://www.dropbox.com/s/4u03qz1lsy39f2z/hex.txt?dl=0 (Nothing is on that PC so I don't mind.)
/EDIT3
Directly exposed services (to the internet, I mean):
haproxy (running on pfSense)
Minecraft server
Apache webserver (exposed through haproxy, extremely limited setup, only capable of serving files) -
@jagdtigger Stop the Minecraft server and log again....
-
@cool_corona
Will do, I'll get back to this tomorrow. I think I have a PC Engines APU board somewhere so I can basically use Suricata to do the logging, then use my switch to do the capture via port mirroring. -
I'll have to postpone to tomorrow, the darned APU board is a real slowpoke when it comes to updating, installing stuff, and applying settings.....
-
Okay, APU board in transparent bridge mode and Suricata running on the bridge, straight between the Proxmox mini PC and the switch. I set up another mini PC to dump the mirrored traffic to an HDD. Left the Minecraft jail up just to see if it is really what is causing the issues. (I'm not worried about leaving it up; the network it is on is specifically used for stuff that is exposed to the net, it is restricted from talking to anything besides 2 NAS, but those have proper FW rules in place to not expose the mgmt interface to this network.) I'll reinstall Windows (in a new VM) and let it sit overnight while capturing traffic. (During install the VM won't have internet, to get around the pesky MS account enforcement.)
-
Okay, stopped capture and downloaded the Suricata alert log. Capture ended up 68 GB in size. I can already see the same alerts but I noticed something strange. They started showing up during install, when I had the virtual NIC disconnected. The ISO is downloaded directly from MS so I don't think it could be infected...
-
Still crawling through the capture concentrating on traffic from the VM; so far it's only chatter between W10 and MS, plus the traffic resulting from installing FF and Steam. No suspicious domain names or IP addresses so far.
-
@jagdtigger Left over from the SolarWinds attack??
-
@cool_corona
Which is lingering to this day in their ISO downloads? (I'm just a simple home user who likes to tinker with things so I never used their products.) So far the only thing that is out of place is in the traffic between Proxmox and the NAS hosting the iSCSI share.... Could it be Defender reading its database? -
Finished crawling through the capture, only looked at the VM's traffic. Nothing out of the ordinary. A lot of chatter between MS and Windows, some from AVG (I installed it after I saw the alerts in Suricata) and the rest of the installed SW. Did not spot any suspicious IP or DNS name.... I still have the APU board inspecting the traffic but since I shut off the VM the only warning it generates is triggered by Proxmox looking for updates.
-
I see you're dealing with the Rothenburg shellcode flood in your logs. That sounds frustrating! Have you tried analyzing the logs to see if you can identify patterns or signatures specific to this shellcode? It might help you create filters or rules to block or mitigate the flood. Also, ensuring your system is up-to-date with patches and using strong passwords can help prevent future attacks. You can find more detailed guides and discussions about shellcode and security on https://guidedhacking.com/threads/how-to-find-shellcode-in-malware-memory.20588/ . They have a supportive community that can offer insights and advice based on their experiences.