Bah.... Problem solved.... see that MHSS.exe file in the Statistics directory? That's LiveStats, and it was misconfigured to do a reverse WINS and DNS lookup.... Thanks all.... <sigh> I was hoping to do some forensics...<grin>

Seamus Hartmann

-----Original Message-----
From: Portnoy, Gary [mailto:gportnoyat_private]
Sent: Tuesday, December 11, 2001 4:21 PM
To: 'Seamus Hartmann '; 'Incidents at Security Focus (incidentsat_private) '
Subject: RE: Internal Machine making many attempts to connect to Internet on 137

I wouldn't be so quick to cry foul. The connections to port 137 seem to be just regular NetBios name requests. Windows tries to figure out what is the name of the machine on the other end of some connection, and failing to find it in DNS, it does a NetBios lookup.

The question you want to ask is why is it doing all these lookups. It could be that you are running some sort of webserver, it looks like you have port 80 listening, and are allowing it inbound on your PIX. This server may be keeping some sort of logs. Can those IPs have legitimate reasons for contacting your machine? Also don't forget that there is still a lot of CodeRed/Nimda going around, and the machines contacting yours on port 80 could be trying to spread worms. Your webserver still tries dutifully to keep logs and resolve names.

I could be completely off base, but I would first try to see if you can somehow change the log format for your HTTP server, to exclude hostname (instead log the IP address), and see if the problem goes away.

-Gary-

-----Original Message-----
From: Seamus Hartmann
To: Incidents at Security Focus (incidentsat_private)
Sent: 12/11/01 2:48 PM
Subject: Internal Machine making many attempts to connect to Internet on 137

Hello,

This is my first post here, so bear with me. I'm looking for information about an exploit that starts searching for Netbios shares across random IP addresses.
I have the following Code Red/Code Red II/Nimda Policy-Map on my external router since August 17th, and this machine was installed post August 17th.

http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml

This is an internal Windows NT 4.0 machine, patched sp6a and HFNETCHK states the following

----------------------------
SERVER01
----------------------------

* WINDOWS NT4SERVER SP6a
NOTE             MS98-001   Q169556
NOTE             MS99-036   Q155197
NOTE             MS99-041   Q242294
NOTE             MS01-022   Q296441
Patch NOT Found  MS01-041   Q299444
Patch NOT Found  MS01-048   Q305399

* Internet Information Server 4.0
NOTE             MS99-025   Q184375
NOTE             MS00-025   Q259799
NOTE             MS00-028   Q260267
Patch NOT Found  MS01-044   Q301625

* Internet Explorer 5.5 Gold
Patch NOT Found  MS00-093   Q279328
Patch NOT Found  MS00-055   Q269368

Norton Corporate Antivirus 7.1 running with 12/6/01 virus data. Full System virus scan comes up clean.

Fport reports the following strangeness.... look at all that stuff System is listening on!

FPort v1.33 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process   Port   Proto  Path
2     System    -> 80     TCP
168   MHSS      -> 80     TCP    D:\STATISTICSSERVER\MHSS.EXE
95    RpcSs     -> 135    TCP    C:\WINNT\system32\RpcSs.exe
2     System    -> 135    TCP
2     System    -> 139    TCP
95    RpcSs     -> 1025   TCP    C:\WINNT\system32\RpcSs.exe
2     System    -> 1025   TCP
102   msdtc     -> 1026   TCP    C:\WINNT\System32\msdtc.exe
2     System    -> 1026   TCP
2     System    -> 1027   TCP
102   msdtc     -> 1027   TCP    C:\WINNT\System32\msdtc.exe
2     System    -> 1033   TCP
197   MSTask    -> 1033   TCP    C:\WINNT\system32\MSTask.exe
197   MSTask    -> 1034   TCP    C:\WINNT\system32\MSTask.exe
2     System    -> 1034   TCP
95    RpcSs     -> 1038   TCP    C:\WINNT\system32\RpcSs.exe
2     System    -> 1038   TCP
2     System    -> 1083   TCP
2     System    -> 1416   TCP
2     System    -> 1709   TCP
2     System    -> 1713   TCP
2     System    -> 1724   TCP
2     System    -> 1725   TCP
2     System    -> 1744   TCP
2     System    -> 1745   TCP
2     System    -> 1747   TCP
2     System    -> 1749   TCP
2     System    -> 1766   TCP
2     System    -> 1786   TCP
2     System    -> 1801   TCP
2     System    -> 1812   TCP
2     System    -> 1915   TCP
2     System    -> 1962   TCP
2     System    -> 2067   TCP
298   java      -> 2067   TCP    C:\SITESC~1\java\bin\java.exe
2     System    -> 2212   TCP
2     System    -> 2233   TCP
2     System    -> 2301   TCP
216   Surveyor  -> 2301   TCP    C:\compaq\survey\Surveyor.EXE
2     System    -> 2351   TCP
2     System    -> 2570   TCP
2     System    -> 2604   TCP
2     System    -> 2617   TCP
2     System    -> 2654   TCP
2     System    -> 3072   TCP
2     System    -> 3140   TCP
2     System    -> 3145   TCP
2     System    -> 3146   TCP
2     System    -> 3149   TCP
2     System    -> 3152   TCP
2     System    -> 3153   TCP
2     System    -> 3154   TCP
2     System    -> 3155   TCP
2     System    -> 3159   TCP
2     System    -> 3167   TCP
2     System    -> 3200   TCP
2     System    -> 3204   TCP
2     System    -> 3229   TCP
2     System    -> 3232   TCP
2     System    -> 3235   TCP
2     System    -> 3240   TCP
2     System    -> 3244   TCP
2     System    -> 3249   TCP
2     System    -> 3260   TCP
2     System    -> 3271   TCP
2     System    -> 3276   TCP
2     System    -> 3277   TCP
2     System    -> 3301   TCP
2     System    -> 3306   TCP
2     System    -> 3313   TCP
2     System    -> 3320   TCP
2     System    -> 3322   TCP
2     System    -> 3325   TCP
2     System    -> 3328   TCP
2     System    -> 3340   TCP
2     System    -> 3374   TCP
2     System    -> 3441   TCP
2     System    -> 3473   TCP
2     System    -> 3497   TCP
2     System    -> 3498   TCP
2     System    -> 3504   TCP
2     System    -> 3513   TCP
2     System    -> 3526   TCP
2     System    -> 3529   TCP
2     System    -> 3579   TCP
2     System    -> 3610   TCP
2     System    -> 3627   TCP
2     System    -> 3684   TCP
2     System    -> 3739   TCP
2     System    -> 3746   TCP
2     System    -> 4000   TCP
2     System    -> 4052   TCP
2     System    -> 4150   TCP
2     System    -> 4598   TCP
2     System    -> 4859   TCP
2     System    -> 4868   TCP
2     System    -> 4886   TCP
168   MHSS      -> 4886   TCP    D:\STATISTICSSERVER\MHSS.EXE
2     System    -> 4993   TCP
2     System    -> 8888   TCP
298   java      -> 8888   TCP    C:\SITESC~1\java\bin\java.exe
291   CPQWMGMT  -> 49400  TCP    C:\WINNT\System32\CPQMGMT\CPQWMGMT.EXE
2     System    -> 49400  TCP
95    RpcSs     -> 135    UDP    C:\WINNT\system32\RpcSs.exe
2     System    -> 135    UDP
2     System    -> 137    UDP
2     System    -> 138    UDP
2     System    -> 161    UDP
212   snmp      -> 161    UDP    C:\WINNT\System32\snmp.exe
2     System    -> 1035   UDP
212   snmp      -> 1035   UDP    C:\WINNT\System32\snmp.exe
2     System    -> 1036   UDP
212   snmp      -> 1036   UDP    C:\WINNT\System32\snmp.exe
2     System    -> 1750   UDP
417   iexplore  -> 1750   UDP    C:\PROGRA~1\Plus!\MICROS~1\iexplore.exe

SFind (another fine Foundstone tool) finds NO streamed files on the system.

Firewall (Cisco PIX 520 running 6.1.1) holes open to this box are as follows.

PIX-6.1.1# sh conduit server.ip.address.here
conduit permit icmp host server.ip.address.here any echo-reply (hitcnt=695)
conduit permit icmp host server.ip.address.here any information-reply (hitcnt=0)
conduit permit icmp host server.ip.address.here any time-exceeded (hitcnt=175)
conduit permit tcp host server.ip.address.here eq www any (hitcnt=3649)
conduit permit icmp host server.ip.address.here any (hitcnt=31)
PIX-6.1.1#

IP Auditing turned on at the PIX, and log/drop/reset for attacks.
Edge Router ACLs catching outgoing attempts for Netbios

Syslog logging: enabled (0 messages dropped, 3 messages rate-limited, 0 flushes, 0 overruns)
    Console logging: level informational, 20350 messages logged
    Monitor logging: level debugging, 0 messages logged
    Buffer logging: level debugging, 20365 messages logged
    Logging Exception size (8192 bytes)
    Trap logging: level informational, 20263 message lines logged

Log Buffer (8192 bytes):

Dec 11 12:45:50: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 205.188.208.168(137), 2 packets
Dec 11 12:45:53: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 208.12.66.194(137), 2 packets
Dec 11 12:45:57: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 205.188.208.103(137), 2 packets
Dec 11 12:46:06: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 205.188.208.169(137), 2 packets
Dec 11 12:46:11: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 205.188.208.139(137), 2 packets
Dec 11 12:46:20: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 204.146.85.150(137), 2 packets
Dec 11 12:46:24: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 63.225.78.198(137), 2 packets
Dec 11 12:46:29: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 163.191.134.150(137), 2 packets
Dec 11 12:46:42: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 63.96.200.5(137), 2 packets
Dec 11 12:46:47: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 152.163.201.192(137), 2 packets
Dec 11 12:46:56: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 152.163.189.65(137), 2 packets
Dec 11 12:47:00: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 63.49.226.31(137), 2 packets
Dec 11 12:47:05: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 139.67.9.129(137), 2 packets
Dec 11 12:47:14: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 206.180.109.14(137), 2 packets
Dec 11 12:47:18: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 24.214.50.228(137), 2 packets
Dec 11 12:47:23: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 205.188.209.166(137), 2 packets
Dec 11 12:47:29: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 198.185.205.177(137), 2 packets
Dec 11 12:47:32: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 24.49.20.122(137), 2 packets
Dec 11 12:47:35: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 65.202.66.10(137), 2 packets
Dec 11 12:47:41: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 165.89.84.242(137), 2 packets
Dec 11 12:47:45: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 172.142.196.127(137), 2 packets
Dec 11 12:47:49: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 64.12.105.31(137), 2 packets
Dec 11 12:47:54: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 63.149.92.4(137), 2 packets
Dec 11 12:47:57: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 24.4.252.110(137), 2 packets
Dec 11 12:48:03: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 24.4.252.111(137), 2 packets
Dec 11 12:48:08: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 205.188.199.167(137), 2 packets
Dec 11 12:48:12: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 205.188.209.12(137), 2 packets
Dec 11 12:48:17: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 63.208.128.70(137), 2 packets
Dec 11 12:48:26: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 139.147.230.38(137), 2 packets
Dec 11 12:48:30: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 131.124.100.124(137), 2 packets
Dec 11 12:48:39: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 12.82.137.160(137), 2 packets
Dec 11 12:48:44: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 66.57.73.140(137), 2 packets
Dec 11 12:48:47: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 24.29.27.66(137), 2 packets
Dec 11 12:48:53: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 129.130.5.39(137), 2 packets
Dec 11 12:48:57: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 198.108.17.232(137), 2 packets
Dec 11 12:49:10: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 216.132.160.66(137), 2 packets
Dec 11 12:49:11: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 24.4.252.249(137), 2 packets
Dec 11 12:49:15: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 207.50.68.2(137), 2 packets
Dec 11 12:49:21: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 207.16.136.22(137), 2 packets
Dec 11 12:49:24: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 208.242.197.6(137), 2 packets
Dec 11 12:49:27: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 141.153.178.100(137), 2 packets
Dec 11 12:49:33: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 209.130.138.227(137), 5 packets
Dec 11 12:49:35: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 64.12.96.8(137), 2 packets
Dec 11 12:49:38: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 64.12.96.10(137), 2 packets
Dec 11 12:49:47: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 24.4.255.93(137), 2 packets
Dec 11 12:49:51: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 24.4.255.92(137), 2 packets
Dec 11 12:49:57: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 216.230.74.226(137), 2 packets
Dec 11 12:50:00: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 168.26.223.33(137), 2 packets
Dec 11 12:50:07: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 167.1.102.100(137), 2 packets
Edge-CiscoRouter#

Anyone seen this behavior before? Any suggestions? I am going to flush and fill, but I'd like to learn something from the issue, rather than just have it be an exercise in the format command!

Thanks.

Seamus Hartmann
Senior Network Engineer
Fuji Film eSystems

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
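A defender-side check for the pattern in this thread, added here as an example and not code from the thread or from any tool it mentions: it parses the IOS %SEC-6-IPACCESSLOGP lines the edge router logged, flags any internal host sending NetBIOS name queries (UDP 137) to many distinct external addresses, and then tests Gary's explanation by measuring how many of those targets are also recent clients of the web server on port 80. The source address 10.0.0.5, the 192.0.2.x targets and the WEB_CLIENTS set are constructed sample data.

```python
import re
from collections import defaultdict

# Cisco IOS access-list log message, in the shape the edge router logged, e.g.
# "Dec 11 12:45:50: %SEC-6-IPACCESSLOGP: list 101 denied udp A(137) -> B(137), 2 packets"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d): %SEC-6-IPACCESSLOGP: list (?P<acl>\S+) "
    r"(?P<action>denied|permitted) (?P<proto>\w+) (?P<src>[^\s(]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[^\s(]+)\((?P<dport>\d+)\), (?P<pkts>\d+) packets?$"
)

def parse_line(line):
    """Return a dict for one %SEC-6-IPACCESSLOGP line, or None if it is not one."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "pkts"):
        rec[key] = int(rec[key])
    return rec

def netbios_fanout(lines, min_targets=10):
    """Map each source to the set of hosts it sent denied UDP/137 to, keeping only
    sources that reached at least min_targets distinct destinations (the fan-out)."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "denied" and rec["proto"] == "udp" and rec["dport"] == 137:
            targets[rec["src"]].add(rec["dst"])
    return {src: dsts for src, dsts in targets.items() if len(dsts) >= min_targets}

def reverse_lookup_ratio(query_targets, web_clients):
    """Share of the NetBIOS query targets that also appear as recent HTTP clients; near 1.0
    points at a log writer resolving client names rather than a host scanning for shares."""
    if not query_targets:
        return 0.0
    return len(query_targets & web_clients) / len(query_targets)

# Constructed sample data (TEST-NET-1 addresses), shaped like the router log in the thread.
SAMPLE_LINES = [
    "Dec 11 12:45:%02d: %%SEC-6-IPACCESSLOGP: list 101 denied udp "
    "10.0.0.5(137) -> 192.0.2.%d(137), 2 packets" % (i, i)
    for i in range(1, 13)
] + [
    "Dec 11 12:45:20: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.0.0.7(137) -> 192.0.2.99(137), 2 packets",
    "Dec 11 12:45:21: %SYS-5-CONFIG_I: Configured from console by vty0",  # constructed, unrelated line
]
# Constructed: client addresses seen in the web server's access log over the same minutes.
WEB_CLIENTS = {"192.0.2.%d" % i for i in range(1, 11)}
```

With these inputs 10.0.0.5 is the only host flagged, and 10 of its 12 query targets are recent web clients, which is the signature of hostname resolution in the log writer rather than of a share scanner.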
This archive was generated by hypermail 2b30 : Tue Dec 11 2001 - 18:45:35 PST