Entire network trojanned? UDP Port 6666 connections

While analyzing a Wireshark capture, I noticed that a large majority of hosts on my network were making MANY UDP connections to port 6666. After a quick Google search, I learned this port is commonly used by a backdoor Trojan. Also, all connections on this port were to destination IP 255.255.255.255, meaning the entire network. I’ve heard that port 6666 is a common IRC port, but no one on my network is using IRC. Any ideas?
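
As an added example (not part of the post above), a small Python triage script for such a capture: it reads a tshark field export, counts the broadcast datagrams to port 6666 per source host, measures how regular they are and reports what share of the UDP-speaking hosts take part. The sample lines are constructed; the field layout is the one the `tshark -T fields` command in the comment produces.

```python
from collections import Counter, defaultdict

# Constructed sample standing in for a real export made with
#   tshark -r capture.pcapng -T fields -e frame.time_epoch -e ip.src -e ip.dst -e udp.dstport
# (tab-separated, one frame per line; non-UDP frames have an empty last field).
SAMPLE = """\
1700000000.10\t10.0.0.11\t255.255.255.255\t6666
1700000000.20\t10.0.0.12\t255.255.255.255\t6666
1700000000.25\t10.0.0.11\t255.255.255.255\t6666
1700000001.00\t10.0.0.13\t10.0.0.1\t53
1700000002.10\t10.0.0.11\t255.255.255.255\t6666
1700000002.40\t10.0.0.12\t255.255.255.255\t6666
1700000003.00\t10.0.0.14\t10.0.0.1\t123
1700000003.50\t10.0.0.15\t10.0.0.1\t
"""
SUSPECT_PORT = 6666
BROADCAST = "255.255.255.255"

def parse_records(text):
    """Yield (epoch, src, dst, dstport) for UDP frames; skip everything else."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) == 4 and parts[3]:
            yield float(parts[0]), parts[1], parts[2], int(parts[3])

def broadcast_senders(records, port=SUSPECT_PORT):
    """Per-source count of broadcast datagrams to `port` and the mean gap
    between them. Many hosts beaconing at the same steady interval points to
    one program installed everywhere, which is what to look for on a host."""
    counts, times = Counter(), defaultdict(list)
    for t, src, dst, dport in records:
        if dst == BROADCAST and dport == port:
            counts[src] += 1
            times[src].append(t)
    gaps = {s: round((max(ts) - min(ts)) / (len(ts) - 1), 2)
            for s, ts in times.items() if len(ts) > 1}
    return counts, gaps

def share_of_hosts(records, senders):
    """Fraction of the UDP source hosts in the capture that sent the traffic."""
    hosts = {src for _, src, _, _ in records}
    return len(set(senders) & hosts) / len(hosts) if hosts else 0.0

if __name__ == "__main__":
    recs = list(parse_records(SAMPLE))
    counts, gaps = broadcast_senders(recs)
    for src, n in counts.most_common():
        print(f"{src}: {n} datagrams to {BROADCAST}:{SUSPECT_PORT}, mean gap {gaps.get(src)}s")
    print(f"{share_of_hosts(recs, counts):.0%} of UDP hosts are broadcasting")
```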

Connections that never end…

Probably THE biggest annoyance about Scrapebox for me has been situations where a job refuses to end (even when you press stop) due to open connections.  This monster rears its head in several places, but most often when running Check Links on a bunch of domains.

I’ve tried everything…
  – reducing the number of connections to a crawl
  – waiting for hours (and even a full day)
  – hitting stop and waiting
  – shutting down Scrapebox and trying it again (and again and again)
  – writing the vendor
…and more

Nothing seems to help.

Right now, for example, I have a list of about 100,000 URLs that I want to link check. The first pass made it through just fine. It found about 7000 successful links. I’ve found that I often need to run several more passes to check all the URLs, so I ran it a second time (with 150 threads)… it choked up, leaving me 113 open threads when I returned a few hours later. I tried it again… same result. I tried it again with 90 threads… same result. I’m in the middle of some other gymnastics at the moment.

I wrote the creator a few months ago and his answer really didn’t seem satisfying… and could be summed up as “Yeah, there’s no way to close down threads that remain open on Windows”. First and foremost, that seems almost inconceivable. Surely there is some software way to simply terminate threads (especially after a period of time or after hitting stop). I can’t imagine that Windows forces threads to remain open… indefinitely. But… the second issue is… even if the above were true and there’s no way to force threads to close, I should at least be able to regain control of Scrapebox so I can save the data that just took hours to collect. I mean, when harvesting I’m able to save the URLs on a periodic basis (like every 10,000, for example)… and there’s always the files in the /Harvester_Sessions directory. With Check Links, though, it seems like I cannot get any such files. If the Active Threads count ceases (as it often does), I’m just out of luck. I cannot get a listing of my successful/unsuccessful links. I simply have to start over… and over… and over… sometimes finally taking the time to split up my large lists and processing them in groups of 10,000 instead of 100,000+. This is very time consuming.

Surely there is some reasonable, better way?  Maybe I’m still not getting something fundamental?

Again, it’s inconceivable to me that simply hitting stop doesn’t… uhmmm… stop. It’s inconceivable that Windows forces the threads to remain open with no option of forcibly closing them, and even more inconceivable that I cannot save my data when this happens (and have to simply shut down the Scrapebox task).

So that’s my rant today as I’m now experimenting with the forty-leventh method that I’m hoping may skirt this issue.

Any thoughts, ideas?

I want to delete connections in tnsnames.ora. I need to figure out which ones are currently in use, so that I don’t delete them mistakenly

I’m using Oracle 12c on Debian 8 (on a VM).

This question is for educational purposes only. I’m not using any production servers, so anything that you can tell me won’t have consequences.

To start with, I found this link to delete entries in tnsnames.ora. I haven’t tested it yet because first I needed to know whether there were active connections to the database using information from tnsnames.ora.
I’m asking here because I found no way of doing this, but it may be possible.

For reference, I’m using this command for connecting to the database, so that I clearly specify a TNS name:

rlwrap sqlplus sys as sysdba@tnstest 

The contents of my tnsnames.ora are the following:

tnstest =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1539))
    )
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = orcl)
    )
  )

But, if I want to be 100% sure that this is working, I use this command

tnsping tnstest 

The results are…

TNS Ping Utility for Linux: Version 12.2.0.1.0 - Production on 28-JAN-2020 23:51:38

Copyright (c) 1997, 2016, Oracle.  All rights reserved.

Used parameter files:
/opt/oracle/product/12.1.0.2/dbhome_1/network/admin/sqlnet.ora

Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1539))) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = orcl)))
OK (0 msec)

After all of this I know that my configuration is working and that I’m using an entry in tnsnames.ora for the connection, but I don’t know a way of checking…
“Hey, now that I’m connected, I want to know which entry I used from the tnsnames file for connecting, if I used that file at all.”

Is there any possibility that I could get this information?

Well, my next attempt at figuring this out was checking the v$session view for any field I could use to get this information, but I couldn’t find one.

After all of this, I ultimately came here to ask. I don’t know what else to try, nor do I have any more ideas about what to do next.

P.S.: there’s a chance that this problem is impossible to solve, because this is a task I’m doing as a sysadmin student, and our teacher intentionally added unsolvable questions.
Even so, I still think there might be a solution for this particular case.
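
An added example, not from the question or from Oracle’s tooling: a Python parser for the tnsnames.ora syntax that reads the entry above and lists the aliases whose address and SERVICE_NAME match an endpoint you can observe from the database side (the listener address a session arrived on and v$session.service_name). Alias resolution happens inside the client, so the database never sees the alias name itself; this yields candidates, not proof, and two aliases pointing at the same endpoint stay indistinguishable.

```python
import re

# The entry posted in the question, in the file's own syntax (constructed copy).
TNSNAMES = ("tnstest = (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)"
            "(HOST = localhost)(PORT = 1539))) (CONNECT_DATA = (SERVER = DEDICATED) "
            "(SERVICE_NAME = orcl)))")

TOKEN = re.compile(r"\(|\)|=|[^\s()=]+")    # a paren, an '=', or a bare word

def _group(tokens, i):
    """tokens[i] is KEY in '(KEY = <scalar | nested groups>)'; return (key, value, next)."""
    key = tokens[i]
    assert tokens[i + 1] == "=", f"expected '=' after {key}"
    i += 2
    if tokens[i] != "(":                        # scalar, e.g. (PORT = 1539)
        value, i = tokens[i], i + 1
    else:                                       # nested, e.g. (ADDRESS ...)(ADDRESS ...)
        value = {}
        while tokens[i] == "(":
            k, v, i = _group(tokens, i + 1)
            if k in value:                      # repeated key: keep every ADDRESS
                value[k] = (value[k] if isinstance(value[k], list) else [value[k]]) + [v]
            else:
                value[k] = v
    assert tokens[i] == ")", f"unbalanced parentheses in {key}"
    return key, value, i + 1

def parse_tnsnames(text):
    """Return {alias: {'DESCRIPTION': ...}} for each 'alias = (...)' entry."""
    tokens, entries, i = TOKEN.findall(text), {}, 0
    while i < len(tokens):
        alias = tokens[i].lower()               # aliases are case-insensitive
        assert tokens[i + 1] == "=" and tokens[i + 2] == "(", f"malformed entry {alias}"
        k, v, i = _group(tokens, i + 3)
        entries[alias] = {k: v}
    return entries

def aliases_for(entries, host, port, service):
    """Aliases whose ADDRESS list contains host:port and whose SERVICE_NAME matches."""
    hits = []
    for alias, e in entries.items():
        d = e.get("DESCRIPTION", {})
        addrs = d.get("ADDRESS_LIST", d).get("ADDRESS", [])  # ADDRESS may sit at either level
        addrs = addrs if isinstance(addrs, list) else [addrs]
        svc = d.get("CONNECT_DATA", {}).get("SERVICE_NAME", "")
        if svc.lower() == service.lower() and any(a.get("HOST", "").lower() == host.lower()
                                                  and int(a.get("PORT", 0)) == port for a in addrs):
            hits.append(alias)
    return hits
```

For the entry above, `aliases_for(parse_tnsnames(TNSNAMES), "localhost", 1539, "orcl")` returns `['tnstest']`; run it over your full tnsnames.ora with the endpoint and service name of each live session to see which entries are still referenced.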

How to sniff a direct WebSocket connection in Android (i.e. no HTTP Upgrade connection) using Burp?

I’ve pentested a lot of websites and a few apps too, but this app eludes them all. On the websites, when there’s a WebSocket upgrade the Burp proxy recognizes it and starts showing it in the WebSockets tab. Something similar happens on the apps, but not on this one.

This app doesn’t do any such thing.

How this app works:

  1. It gets its WebSocket endpoints from a config downloaded from a website. Then ‘mysteriously’ it makes a connection to the WebSocket server, which isn’t visible in the Burp proxy.

My setup: a rooted phone with Frida running and the objection framework for SSL unpinning (although not needed here, as I am already able to see all the HTTP(S) traffic from the app).

FYI, I’ve added my Burp cert as a root authority on my Android 7.0 phone.

I’ve also tried ‘invisible proxying’ (not sure how it works); it didn’t work either.

Any ideas would help.

Thanks.

Connecting clients with UDP and WebSocket connections

I’m in the process of making a physics-intensive multiplayer game. Naturally I use UDP to transfer packets regarding rigidbodies between the client and an authoritative server.

However, for non-essential packets I’d prefer to use a more reliable connection like WebSockets. This would be for things like voice chat, text chat, scoreboard, etc. It also seems to be a nice approach to checking if the client is still connected and, if not, stop sending it UDP packets.

I’m actually unable to find use cases of this dual-connection approach online, and I was wondering how this is typically handled in similar games. Is it very far-fetched or unconventional?

Another question would be: how far do I take relying on the WebSocket connection? Let’s say for managing the remaining bullets in a gun’s magazine, would it be better over UDP or WebSocket?

I feel like WebSockets would be best in this case, because if the bullet was successfully spawned and the server needs to remove a bullet from the client’s gun’s magazine, and that packet doesn’t arrive at the client, then they shot a free bullet…

The UDP equivalent for this scenario would be to always send the client’s magazine state as packets, and the client just updates its magazine whenever the packets get to it. My concern here is overloading the network with traffic for data that might not have even changed…
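
An added example, not from the question: the “always send the magazine state” approach sketched above, in Python. The sender only emits a snapshot when the state changed (plus a periodic refresh so a single lost datagram is repaired by the next one), and the receiver ignores stale or duplicated sequence numbers, so a late packet can never hand the client back a bullet. The packet dicts and the `link` function are stand-ins for real UDP sockets.

```python
class SnapshotSender:
    """Authoritative side: publishes the latest state of an object (here a
    magazine) over an unreliable channel. A packet goes out when the state
    changed, or every `resend_every` ticks, so a lost update is repaired by the
    next snapshot instead of by a retransmission scheme."""
    def __init__(self, resend_every=5):
        self.seq, self.last_sent = 0, None
        self.resend_every = resend_every
        self.ticks_since_send = resend_every

    def tick(self, state):
        self.ticks_since_send += 1
        if state == self.last_sent and self.ticks_since_send < self.resend_every:
            return None                          # unchanged: send nothing
        self.seq += 1
        self.last_sent, self.ticks_since_send = dict(state), 0
        return {"seq": self.seq, "state": dict(state)}

class SnapshotReceiver:
    """Client side: applies a snapshot only if its sequence number is newer than
    the one already held, so a reordered or duplicated datagram can never roll
    the magazine count backwards."""
    def __init__(self):
        self.seq, self.state = 0, {}

    def receive(self, packet):
        if packet["seq"] <= self.seq:
            return False                         # stale or duplicate: ignore
        self.seq, self.state = packet["seq"], dict(packet["state"])
        return True

def replay(states, link, resend_every=5):
    """Drive a sender over the per-tick `states`, pass everything it emitted
    through `link(packets) -> packets` (a stand-in for a lossy, reordering
    network), and feed the result to a receiver.
    Returns (packets sent, packets applied, final receiver state)."""
    tx, rx = SnapshotSender(resend_every), SnapshotReceiver()
    sent = [p for p in (tx.tick(s) for s in states) if p is not None]
    applied = sum(rx.receive(p) for p in link(sent))
    return len(sent), applied, rx.state

if __name__ == "__main__":
    # Constructed per-tick magazine states: 12 ticks, 4 actual changes.
    ammo = [{"ammo": n} for n in (30, 30, 30, 29, 29, 28, 28, 28, 28, 28, 28, 27)]
    print(replay(ammo, lambda pkts: pkts))                   # lossless link
    print(replay(ammo, lambda pkts: pkts[::-1][1:], 4))      # newest lost, rest reversed
```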

Server stops accepting connections after ~120,000 active on 18.04.3

I’m running a type of perf test where I have a simple TCP server with 4 IP addresses that is listening on a port and getting connections from several other computers on the local network. Everything works fine up to just under 120,000 active connections: clients are able to get messages from client and create new connections. At just under 120,000, new connections just stop appearing. There is no log activity on the server, and clients start getting timeouts after a bit. There is no firewall that would be getting in the way. I have tweaked a bunch of settings already:

/etc/sysctl.conf

net.core.netdev_max_backlog = 1000000
net.core.netdev_budget = 50000
net.core.netdev_budget_usecs = 5000
net.core.somaxconn = 1024000
net.core.rmem_default = 1048576
net.core.rmem_max = 16777216
net.core.wmem_default = 1048576
net.core.wmem_max = 16777216
net.core.optmem_max = 65536
net.ipv4.tcp_rmem = 4096 1048576 2097152
net.ipv4.tcp_wmem = 4096 65536 16777216
net.ipv4.udp_rmem_min = 8192
net.ipv4.udp_wmem_min = 8192
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_max_syn_backlog = 3000000
net.ipv4.tcp_max_tw_buckets = 2000000
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 10
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_keepalive_time = 60
net.ipv4.tcp_keepalive_intvl = 10
net.ipv4.tcp_keepalive_probes = 6
net.ipv4.tcp_mtu_probing = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_rfc1337 = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1

/etc/security/limits.conf

* soft nofile 6553600
* hard nofile 6553600

The limits are intentionally complete overkill because it’s just a test. Are there some other settings I am missing that would enable more connections? Neither the CPU nor RAM is being stressed, so I would like to keep pushing the hardware. Server and clients are all running on AWS EC2 t3a.xlarge instances, if that makes any difference.
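
As an added example, not part of the question: a Python audit of the Linux limits that commonly bound the connection count of a process, none of which the posted sysctl.conf sets (fs.nr_open, fs.file-max, nf_conntrack_max, plus the process’s own RLIMIT_NOFILE, which comes from the launching service rather than from limits.conf when the server is started by systemd). `client_side_cap` estimates the bound one client’s ephemeral port range imposes; the 120,000 target and the values used in the test are assumptions.

```python
import os
import resource

# Where Linux exposes the limits that bound how many TCP connections a server
# process can hold; the posted sysctl.conf sets none of them.
PROC_KNOBS = {
    "fs.nr_open": "/proc/sys/fs/nr_open",        # ceiling for any nofile limit
    "fs.file-max": "/proc/sys/fs/file-max",      # system-wide open file cap
    # present only when the conntrack module is loaded (any stateful rule, Docker, ...)
    "nf_conntrack_max": "/proc/sys/net/netfilter/nf_conntrack_max",
}

def read_live():
    """Current values for this process and host. Knobs whose /proc file is
    absent (no conntrack loaded) are left out rather than guessed."""
    values = {"nofile(soft)": resource.getrlimit(resource.RLIMIT_NOFILE)[0]}
    for name, path in PROC_KNOBS.items():
        if os.path.exists(path):
            with open(path) as f:
                values[name] = int(f.read().split()[0])
    return values

def bottlenecks(target, values, reserved_fds=64):
    """Knobs that cannot accommodate `target` connections. Each accepted
    connection holds one file descriptor, so fd limits must also cover the
    listeners, logs and the epoll fd (`reserved_fds`). Lowest value first."""
    need = target + reserved_fds
    low = {k: v for k, v in values.items() if v != resource.RLIM_INFINITY and v < need}
    return dict(sorted(low.items(), key=lambda kv: kv[1]))

def client_side_cap(port_range, server_endpoints):
    """Most connections one client IP can hold open: every distinct
    (server IP, port) pair can use each ephemeral source port once, so the
    bound is the ip_local_port_range size times the number of endpoints."""
    lo, hi = port_range
    return (hi - lo + 1) * server_endpoints

if __name__ == "__main__":
    target = 120_000                     # the level the post gets stuck at
    live = read_live()
    for knob, value in bottlenecks(target, live).items():
        print(f"{knob} = {value}: below what {target} connections need")
    # (32768, 60999) is the kernel's default range; 4 matches the 4 server IPs above
    print("one client IP caps out at", client_side_cap((32768, 60999), 4), "connections")
```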