Re: Internal Machine making many attempts to connect to Internet on 137

From: Sam Evans (samat_private)
Date: Tue Dec 11 2001 - 16:59:18 PST


    I have seen something similar, where the machine was clean, but was seeing a
    lot of NetBIOS traffic originating from the server.
    
    It turned out that Webtrends would do log statistics on the web server and,
    when it could not resolve an IP address using DNS, it would try to connect
    to that IP via NetBIOS to get its machine name.  It could also be some sort
    of built-in NT/IIS feature: if you have name resolution turned on in the
    IIS logging (is there a feature to turn it on / off a la Apache?) it may
    also do the above-mentioned actions.
    
    Something to think about, as I noticed you are running some sort of
    statistics service on that machine.
    
    -Sam
    
    ----- Original Message -----
    From: "Seamus Hartmann" <shartmannat_private>
    To: <incidentsat_private>
    Sent: Tuesday, December 11, 2001 12:48 PM
    Subject: Internal Machine making many attempts to connect to Internet on 137
    
    
    > Hello,
    >
    > This is my first post here, so bear with me.
    >
    > I'm looking for information about an exploit that starts searching for
    > NetBIOS shares across random IP addresses. I have had the following Code
    > Red/Code Red II/Nimda Policy-Map on my external router since August 17th,
    > and this machine was installed post August 17th.
    >
    > http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml
    >
    > This is an internal Windows NT 4.0 machine, patched sp6a, and HFNETCHK
    > states the following
    >
    > ----------------------------
    > SERVER01
    > ----------------------------
    >
    >
    >         * WINDOWS NT4SERVER SP6a
    >
    >         NOTE            MS98-001        Q169556
    >         NOTE            MS99-036        Q155197
    >         NOTE            MS99-041        Q242294
    >         NOTE            MS01-022        Q296441
    >         Patch NOT Found MS01-041        Q299444
    >         Patch NOT Found MS01-048        Q305399
    >
    >         * Internet Information Server 4.0
    >
    >         NOTE            MS99-025        Q184375
    >         NOTE            MS00-025        Q259799
    >         NOTE            MS00-028        Q260267
    >         Patch NOT Found MS01-044        Q301625
    >
    >         * Internet Explorer 5.5 Gold
    >
    >         Patch NOT Found MS00-093        Q279328
    >         Patch NOT Found MS00-055        Q269368
    >
    > Norton Corporate Antivirus 7.1 running with 12/6/01 virus data. Full
    > System virus scan comes up clean.
    >
    > Fport reports the following strangeness.... look at all that stuff System
    > is listening on!
    >
    > FPort v1.33 - TCP/IP Process to Port Mapper
    > Copyright 2000 by Foundstone, Inc.
    > http://www.foundstone.com
    >
    > Pid   Process            Port  Proto Path
    > 2     System         ->  80    TCP
    > 168   MHSS           ->  80    TCP   D:\STATISTICSSERVER\MHSS.EXE
    > 95    RpcSs          ->  135   TCP   C:\WINNT\system32\RpcSs.exe
    > 2     System         ->  135   TCP
    > 2     System         ->  139   TCP
    > 95    RpcSs          ->  1025  TCP   C:\WINNT\system32\RpcSs.exe
    > 2     System         ->  1025  TCP
    > 102   msdtc          ->  1026  TCP   C:\WINNT\System32\msdtc.exe
    > 2     System         ->  1026  TCP
    > 2     System         ->  1027  TCP
    > 102   msdtc          ->  1027  TCP   C:\WINNT\System32\msdtc.exe
    > 2     System         ->  1033  TCP
    > 197   MSTask         ->  1033  TCP   C:\WINNT\system32\MSTask.exe
    > 197   MSTask         ->  1034  TCP   C:\WINNT\system32\MSTask.exe
    > 2     System         ->  1034  TCP
    > 95    RpcSs          ->  1038  TCP   C:\WINNT\system32\RpcSs.exe
    > 2     System         ->  1038  TCP
    > 2     System         ->  1083  TCP
    > 2     System         ->  1416  TCP
    > 2     System         ->  1709  TCP
    > 2     System         ->  1713  TCP
    > 2     System         ->  1724  TCP
    > 2     System         ->  1725  TCP
    > 2     System         ->  1744  TCP
    > 2     System         ->  1745  TCP
    > 2     System         ->  1747  TCP
    > 2     System         ->  1749  TCP
    > 2     System         ->  1766  TCP
    > 2     System         ->  1786  TCP
    > 2     System         ->  1801  TCP
    > 2     System         ->  1812  TCP
    > 2     System         ->  1915  TCP
    > 2     System         ->  1962  TCP
    > 2     System         ->  2067  TCP
    > 298   java           ->  2067  TCP   C:\SITESC~1\java\bin\java.exe
    > 2     System         ->  2212  TCP
    > 2     System         ->  2233  TCP
    > 2     System         ->  2301  TCP
    > 216   Surveyor       ->  2301  TCP   C:\compaq\survey\Surveyor.EXE
    > 2     System         ->  2351  TCP
    > 2     System         ->  2570  TCP
    > 2     System         ->  2604  TCP
    > 2     System         ->  2617  TCP
    > 2     System         ->  2654  TCP
    > 2     System         ->  3072  TCP
    > 2     System         ->  3140  TCP
    > 2     System         ->  3145  TCP
    > 2     System         ->  3146  TCP
    > 2     System         ->  3149  TCP
    > 2     System         ->  3152  TCP
    > 2     System         ->  3153  TCP
    > 2     System         ->  3154  TCP
    > 2     System         ->  3155  TCP
    > 2     System         ->  3159  TCP
    > 2     System         ->  3167  TCP
    > 2     System         ->  3200  TCP
    > 2     System         ->  3204  TCP
    > 2     System         ->  3229  TCP
    > 2     System         ->  3232  TCP
    > 2     System         ->  3235  TCP
    > 2     System         ->  3240  TCP
    > 2     System         ->  3244  TCP
    > 2     System         ->  3249  TCP
    > 2     System         ->  3260  TCP
    > 2     System         ->  3271  TCP
    > 2     System         ->  3276  TCP
    > 2     System         ->  3277  TCP
    > 2     System         ->  3301  TCP
    > 2     System         ->  3306  TCP
    > 2     System         ->  3313  TCP
    > 2     System         ->  3320  TCP
    > 2     System         ->  3322  TCP
    > 2     System         ->  3325  TCP
    > 2     System         ->  3328  TCP
    > 2     System         ->  3340  TCP
    > 2     System         ->  3374  TCP
    > 2     System         ->  3441  TCP
    > 2     System         ->  3473  TCP
    > 2     System         ->  3497  TCP
    > 2     System         ->  3498  TCP
    > 2     System         ->  3504  TCP
    > 2     System         ->  3513  TCP
    > 2     System         ->  3526  TCP
    > 2     System         ->  3529  TCP
    > 2     System         ->  3579  TCP
    > 2     System         ->  3610  TCP
    > 2     System         ->  3627  TCP
    > 2     System         ->  3684  TCP
    > 2     System         ->  3739  TCP
    > 2     System         ->  3746  TCP
    > 2     System         ->  4000  TCP
    > 2     System         ->  4052  TCP
    > 2     System         ->  4150  TCP
    > 2     System         ->  4598  TCP
    > 2     System         ->  4859  TCP
    > 2     System         ->  4868  TCP
    > 2     System         ->  4886  TCP
    > 168   MHSS           ->  4886  TCP   D:\STATISTICSSERVER\MHSS.EXE
    > 2     System         ->  4993  TCP
    > 2     System         ->  8888  TCP
    > 298   java           ->  8888  TCP   C:\SITESC~1\java\bin\java.exe
    > 291   CPQWMGMT       ->  49400 TCP   C:\WINNT\System32\CPQMGMT\CPQWMGMT.EXE
    > 2     System         ->  49400 TCP
    > 95    RpcSs          ->  135   UDP   C:\WINNT\system32\RpcSs.exe
    > 2     System         ->  135   UDP
    > 2     System         ->  137   UDP
    > 2     System         ->  138   UDP
    > 2     System         ->  161   UDP
    > 212   snmp           ->  161   UDP   C:\WINNT\System32\snmp.exe
    > 2     System         ->  1035  UDP
    > 212   snmp           ->  1035  UDP   C:\WINNT\System32\snmp.exe
    > 2     System         ->  1036  UDP
    > 212   snmp           ->  1036  UDP   C:\WINNT\System32\snmp.exe
    > 2     System         ->  1750  UDP
    > 417   iexplore       ->  1750  UDP   C:\PROGRA~1\Plus!\MICROS~1\iexplore.exe
    >
    > SFind (another fine Foundstone tool) finds NO streamed files on the
    > system.
    >
    > Firewall (Cisco PIX 520 running 6.1.1) holes open to this box are as
    > follows.
    >
    > PIX-6.1.1# sh conduit server.ip.address.here
    > conduit permit icmp host server.ip.address.here any echo-reply (hitcnt=695)
    > conduit permit icmp host server.ip.address.here any information-reply (hitcnt=0)
    > conduit permit icmp host server.ip.address.here any time-exceeded (hitcnt=175)
    > conduit permit tcp host server.ip.address.here eq www any (hitcnt=3649)
    > conduit permit icmp host server.ip.address.here any (hitcnt=31)
    > PIX-6.1.1#
    >
    > IP Auditing turned on at the PIX, and log/drop/reset for attacks.
    >
    > Edge Router ACL's catching outgoing attempts for Netbios
    >
    > Syslog logging: enabled (0 messages dropped, 3 messages rate-limited, 0 flushes, 0 overruns)
    >     Console logging: level informational, 20350 messages logged
    >     Monitor logging: level debugging, 0 messages logged
    >     Buffer logging: level debugging, 20365 messages logged
    >     Logging Exception size (8192 bytes)
    >     Trap logging: level informational, 20263 message lines logged
    >
    > Log Buffer (8192 bytes):
    > Dec 11 12:45:50: %SEC-6-IPACCESSLOGP: list 101 denied udp
    > server.ip.address.here(137) -> 205.188.208.168(137), 2 packets
    > Dec 11 12:45:53: %SEC-6-IPACCESSLOGP: list 101 denied udp
    > server.ip.address.here(137) -> 208.12.66.194(137), 2 packets
    > Dec 11 12:45:57: %SEC-6-IPACCESSLOGP: list 101 denied udp
    > server.ip.address.here(137) -> 205.188.208.103(137), 2 packets
    > Dec 11 12:46:06: %SEC-6-IPACCESSLOGP: list 101 denied udp
    > server.ip.address.here(137) -> 205.188.208.169(137), 2 packets
    > Dec 11 12:46:11: %SEC-6-IPACCESSLOGP: list 101 denied udp
    > server.ip.address.here(137) -> 205.188.208.139(137), 2 packets
    > Dec 11 12:46:20: %SEC-6-IPACCESSLOGP: list 101 denied udp
    > server.ip.address.here(137) -> 204.146.85.150(137), 2 packets
    > Dec 11 12:46:24: %SEC-6-IPACCESSLOGP: list 101 denied udp
    > server.ip.address.here(137) -> 63.225.78.198(137), 2 packets
    > Dec 11 12:46:29: %SEC-6-IPACCESSLOGP: list 101 denied udp
    > server.ip.address.here(137) -> 163.191.134.150(137), 2 packets
    > Dec 11 12:46:42: %SEC-6-IPACCESSLOGP: list 101 denied udp
    > server.ip.address.here(137) -> 63.96.200.5(137), 2 packets
    > Dec 11 12:46:47: %SEC-6-IPACCESSLOGP: list 101 denied udp
    > server.ip.address.here(137) -> 152.163.201.192(137), 2 packets
    > Dec 11 12:46:56: %SEC-6-IPACCESSLOGP: list 101 denied udp
    > server.ip.address.here(137) -> 152.163.189.65(137), 2 packets
    > Dec 11 12:47:00: %SEC-6-IPACCESSLOGP: list 101 denied udp
    > server.ip.address.here(137) -> 63.49.226.31(137), 2 packets
    > Dec 11 12:47:05: %SEC-6-IPACCESSLOGP: list 101 denied udp
    > server.ip.address.here(137) -> 139.67.9.129(137), 2 packets
    > Dec 11 12:47:14: %SEC-6-IPACCESSLOGP: list 101 denied udp
    > server.ip.address.here(137) -> 206.180.109.14(137), 2 packets
    > Dec 11 12:47:18: %SEC-6-IPACCESSLOGP: list 101 denied udp
    > server.ip.address.here(137) -> 24.214.50.228(137), 2 packets
    > Dec 11 12:47:23: %SEC-6-IPACCESSLOGP: list 101 denied udp
    > server.ip.address.here(137) -> 205.188.209.166(137), 2 packets
    > Dec 11 12:47:29: %SEC-6-IPACCESSLOGP: list 101 denied udp
    > server.ip.address.here(137) -> 198.185.205.177(137), 2 packets
    > Dec 11 12:47:32: %SEC-6-IPACCESSLOGP: list 101 denied udp
    > server.ip.address.here(137) -> 24.49.20.122(137), 2 packets
    > Dec 11 12:47:35: %SEC-6-IPACCESSLOGP: list 101 denied udp
    > server.ip.address.here(137) -> 65.202.66.10(137), 2 packets
    > Dec 11 12:47:41: %SEC-6-IPACCESSLOGP: list 101 denied udp
    > server.ip.address.here(137) -> 165.89.84.242(137), 2 packets
    > Dec 11 12:47:45: %SEC-6-IPACCESSLOGP: list 101 denied udp
    > server.ip.address.here(137) -> 172.142.196.127(137), 2 packets
    > Dec 11 12:47:49: %SEC-6-IPACCESSLOGP: list 101 denied udp
    > server.ip.address.here(137) -> 64.12.105.31(137), 2 packets
    > Dec 11 12:47:54: %SEC-6-IPACCESSLOGP: list 101 denied udp
    > server.ip.address.here(137) -> 63.149.92.4(137), 2 packets
    > Dec 11 12:47:57: %SEC-6-IPACCESSLOGP: list 101 denied udp
    > server.ip.address.here(137) -> 24.4.252.110(137), 2 packets
    > Dec 11 12:48:03: %SEC-6-IPACCESSLOGP: list 101 denied udp
    > server.ip.address.here(137) -> 24.4.252.111(137), 2 packets
    > Dec 11 12:48:08: %SEC-6-IPACCESSLOGP: list 101 denied udp
    > server.ip.address.here(137) -> 205.188.199.167(137), 2 packets
    > Dec 11 12:48:12: %SEC-6-IPACCESSLOGP: list 101 denied udp
    > server.ip.address.here(137) -> 205.188.209.12(137), 2 packets
    > Dec 11 12:48:17: %SEC-6-IPACCESSLOGP: list 101 denied udp
    > server.ip.address.here(137) -> 63.208.128.70(137), 2 packets
    > Dec 11 12:48:26: %SEC-6-IPACCESSLOGP: list 101 denied udp
    > server.ip.address.here(137) -> 139.147.230.38(137), 2 packets
    > Dec 11 12:48:30: %SEC-6-IPACCESSLOGP: list 101 denied udp
    > server.ip.address.here(137) -> 131.124.100.124(137), 2 packets
    > Dec 11 12:48:39: %SEC-6-IPACCESSLOGP: list 101 denied udp
    > server.ip.address.here(137) -> 12.82.137.160(137), 2 packets
    > Dec 11 12:48:44: %SEC-6-IPACCESSLOGP: list 101 denied udp
    > server.ip.address.here(137) -> 66.57.73.140(137), 2 packets
    > Dec 11 12:48:47: %SEC-6-IPACCESSLOGP: list 101 denied udp
    > server.ip.address.here(137) -> 24.29.27.66(137), 2 packets
    > Dec 11 12:48:53: %SEC-6-IPACCESSLOGP: list 101 denied udp
    > server.ip.address.here(137) -> 129.130.5.39(137), 2 packets
    > Dec 11 12:48:57: %SEC-6-IPACCESSLOGP: list 101 denied udp
    > server.ip.address.here(137) -> 198.108.17.232(137), 2 packets
    > Dec 11 12:49:10: %SEC-6-IPACCESSLOGP: list 101 denied udp
    > server.ip.address.here(137) -> 216.132.160.66(137), 2 packets
    > Dec 11 12:49:11: %SEC-6-IPACCESSLOGP: list 101 denied udp
    > server.ip.address.here(137) -> 24.4.252.249(137), 2 packets
    > Dec 11 12:49:15: %SEC-6-IPACCESSLOGP: list 101 denied udp
    > server.ip.address.here(137) -> 207.50.68.2(137), 2 packets
    > Dec 11 12:49:21: %SEC-6-IPACCESSLOGP: list 101 denied udp
    > server.ip.address.here(137) -> 207.16.136.22(137), 2 packets
    > Dec 11 12:49:24: %SEC-6-IPACCESSLOGP: list 101 denied udp
    > server.ip.address.here(137) -> 208.242.197.6(137), 2 packets
    > Dec 11 12:49:27: %SEC-6-IPACCESSLOGP: list 101 denied udp
    > server.ip.address.here(137) -> 141.153.178.100(137), 2 packets
    > Dec 11 12:49:33: %SEC-6-IPACCESSLOGP: list 101 denied udp
    > server.ip.address.here(137) -> 209.130.138.227(137), 5 packets
    > Dec 11 12:49:35: %SEC-6-IPACCESSLOGP: list 101 denied udp
    > server.ip.address.here(137) -> 64.12.96.8(137), 2 packets
    > Dec 11 12:49:38: %SEC-6-IPACCESSLOGP: list 101 denied udp
    > server.ip.address.here(137) -> 64.12.96.10(137), 2 packets
    > Dec 11 12:49:47: %SEC-6-IPACCESSLOGP: list 101 denied udp
    > server.ip.address.here(137) -> 24.4.255.93(137), 2 packets
    > Dec 11 12:49:51: %SEC-6-IPACCESSLOGP: list 101 denied udp
    > server.ip.address.here(137) -> 24.4.255.92(137), 2 packets
    > Dec 11 12:49:57: %SEC-6-IPACCESSLOGP: list 101 denied udp
    > server.ip.address.here(137) -> 216.230.74.226(137), 2 packets
    > Dec 11 12:50:00: %SEC-6-IPACCESSLOGP: list 101 denied udp
    > server.ip.address.here(137) -> 168.26.223.33(137), 2 packets
    > Dec 11 12:50:07: %SEC-6-IPACCESSLOGP: list 101 denied udp
    > server.ip.address.here(137) -> 167.1.102.100(137), 2 packets
    > Edge-CiscoRouter#
    >
    > Anyone seen this behavior before? Any suggestions? I am going to flush and
    > fill, but I'd like to learn something from the issue, rather than just have
    > it be an exercise in the format command!
    >
    > Thanks.
    >
    > Seamus Hartmann
    > Senior Network Engineer
    > Fuji Film eSystems
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    >
    >
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
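The triage a practitioner would run on the router log quoted above, as an added example that is not part of the original thread: parse the %SEC-6-IPACCESSLOGP lines, group the UDP 137 -> 137 denies by source host, and ask whether each destination is hit once (one name lookup per unrelated visitor address, which is what Sam's log-analyser explanation predicts) or whether the host is walking consecutive addresses (what a share scanner sweeping a block would look like). The sample lines are constructed in the router's format (joined onto one line each, keeping the poster's `server.ip.address.here` placeholder) plus a made-up second host 10.0.0.5 for contrast; the log year, the packet-count limit and the verdict thresholds are the example's own assumptions, not protocol constants.

```python
"""Triage Cisco IOS %SEC-6-IPACCESSLOGP lines for outbound UDP 137 -> 137 and
separate "one lookup per scattered address" from "sweep of consecutive
addresses". Added example; sample log and thresholds are constructed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d): %SEC-6-IPACCESSLOGP: list (?P<acl>\S+) "
    r"(?P<action>denied|permitted) (?P<proto>\w+) "
    r"(?P<src>[\w.-]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<pkts>\d+) packets?$"
)
LOG_YEAR = 2001        # IOS timestamps carry no year; assumed from the post date
LOOKUP_MAX_PKTS = 3    # a single name lookup is a query plus a retry or two (assumption)

# Constructed sample in the router's format: the first host behaves like the
# server in the post, the second (made up) walks a block of consecutive addresses.
SAMPLE_LOG = """\
Dec 11 12:45:50: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 205.188.208.168(137), 2 packets
Dec 11 12:45:53: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 208.12.66.194(137), 2 packets
Dec 11 12:45:57: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 205.188.208.103(137), 2 packets
Dec 11 12:46:06: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 63.225.78.198(137), 2 packets
Dec 11 12:46:11: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 163.191.134.150(137), 2 packets
Dec 11 12:46:20: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 24.214.50.228(137), 2 packets
Dec 11 12:46:24: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 209.130.138.227(137), 5 packets
Dec 11 12:46:29: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 12.82.137.160(137), 2 packets
Dec 11 12:46:30: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.0.0.5(137) -> 192.0.2.10(137), 6 packets
Dec 11 12:46:30: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.0.0.5(137) -> 192.0.2.11(137), 6 packets
Dec 11 12:46:31: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.0.0.5(137) -> 192.0.2.12(137), 6 packets
Dec 11 12:46:31: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.0.0.5(137) -> 192.0.2.13(137), 6 packets
Dec 11 12:46:32: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.0.5(1234) -> 192.0.2.14(139), 1 packet
"""


def parse_line(line):
    """Return a dict for one access-list log line, or None if it is not one."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(f"{LOG_YEAR} {rec['ts']}", "%Y %b %d %H:%M:%S")
    for key in ("sport", "dport", "pkts"):
        rec[key] = int(rec[key])
    return rec


def adjacent_fraction(dsts):
    """Share of destinations whose numeric neighbour (+/-1) was also probed."""
    nums = {int(ipaddress.ip_address(d)) for d in dsts}
    if not nums:
        return 0.0
    return sum(1 for n in nums if n - 1 in nums or n + 1 in nums) / len(nums)


def summarize(lines):
    """Per source host, statistics of its UDP 137 -> 137 entries."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "udp" and rec["sport"] == 137 and rec["dport"] == 137:
            by_src[rec["src"]].append(rec)
    stats = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        dsts = [r["dst"] for r in recs]
        pkts = [r["pkts"] for r in recs]
        gaps = sorted((b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:]))
        stats[src] = {
            "events": len(recs),
            "distinct_dst": len(set(dsts)),
            "repeat_dst": len(dsts) - len(set(dsts)),
            "distinct_24s": len({d.rsplit(".", 1)[0] for d in dsts}),
            "adjacent_fraction": adjacent_fraction(dsts),
            "pkts_mode": max(set(pkts), key=pkts.count),
            "median_gap_s": gaps[len(gaps) // 2] if gaps else None,
        }
    return stats


def verdict(s):
    """Heuristic label for one source (the example's own thresholds)."""
    if s["adjacent_fraction"] >= 0.5:
        return "sequential sweep"
    if (s["repeat_dst"] == 0 and s["pkts_mode"] <= LOOKUP_MAX_PKTS
            and s["distinct_24s"] >= max(3, s["events"] // 2)):
        return "scattered one-shot lookups"
    return "inconclusive"


def triage(log_text):
    """Map each source host to its statistics plus a verdict."""
    return {src: dict(s, verdict=verdict(s)) for src, s in summarize(log_text.splitlines()).items()}


if __name__ == "__main__":
    for src, s in triage(SAMPLE_LOG).items():
        print(f"{src}: {s['verdict']} ({s['events']} events, {s['distinct_24s']} /24s, "
              f"adjacent={s['adjacent_fraction']:.2f}, median gap={s['median_gap_s']}s)")
```

A "scattered one-shot lookups" verdict is consistent with Sam's explanation but does not prove it: the confirming step is to match the destination addresses against the client addresses in the web server's own logs for the same minutes, which the triage above cannot do from the router log alone.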


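The packet behind the "try to connect to that IP via NetBIOS to get its machine name" step, as an added example (not code from the thread, from Webtrends, or from any product named in it): an RFC 1002 node status request, the same 50-byte UDP/137 query that `nbtstat -A` sends from source port 137 to destination port 137, with a parser for the response that reads the name table and MAC address. The response, the names SERVER01/WORKGROUP and the MAC are constructed for the demo; the `query()` helper that sends the request to a live host is included but not exercised here.

```python
"""NetBIOS node status (NBSTAT) request and response, RFC 1002 4.2.17/4.2.18,
built and parsed with the standard library. Added example; the response bytes,
names and MAC below are constructed, not captured from any host."""
import socket
import struct

NBSTAT = 0x0021      # RR type for node status
IN_CLASS = 0x0001
SUFFIX_ROLE = {      # common meanings of the 16th name byte
    0x00: "workstation", 0x03: "messenger", 0x20: "file server",
    0x1B: "domain master browser", 0x1D: "master browser", 0x1E: "browser elections",
}


def encode_name(name, suffix=0x00):
    """RFC 1001 14.1 first-level encoding: 15 name bytes plus 1 suffix byte, each
    split into two nibbles offset by 'A'. The wildcard '*' is NUL-padded."""
    pad = b"\x00" if name == "*" else b" "
    raw = name.upper().encode("ascii")[:15].ljust(15, pad) + bytes([suffix])
    enc = b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)
    return bytes([len(enc)]) + enc + b"\x00"


def build_node_status_request(txid):
    """50-byte query: header, wildcard question name, type NBSTAT, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name("*") + struct.pack("!HH", NBSTAT, IN_CLASS)


def build_node_status_response(txid, names, mac):
    """Responder side (constructed). names: [(name, suffix, name_flags)]."""
    rdata = bytes([len(names)])
    for name, suffix, nflags in names:
        rdata += name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
        rdata += struct.pack("!H", nflags)
    rdata += mac + bytes(40)  # statistics block: unit ID (MAC) then counters, zeroed here
    header = struct.pack("!HHHHHH", txid, 0x8400, 0, 1, 0, 0)  # response, authoritative
    rr = encode_name("*") + struct.pack("!HHIH", NBSTAT, IN_CLASS, 0, len(rdata))
    return header + rr + rdata


def parse_node_status_response(data, expect_txid=None):
    """Decode the name table and MAC; refuse anything whose lengths do not add up."""
    if len(data) < 12:
        raise ValueError("short header")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if expect_txid is not None and txid != expect_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not a response carrying an answer")
    off = 12
    if len(data) < off + 34 or data[off] != 32 or data[off + 33] != 0:
        raise ValueError("bad answer name")
    off += 34
    if len(data) < off + 10:
        raise ValueError("short resource record")
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
    off += 10
    if rtype != NBSTAT:
        raise ValueError("answer is not NBSTAT")
    rdata = data[off:off + rdlen]
    if len(rdata) != rdlen or rdlen < 1:
        raise ValueError("truncated RDATA")
    num = rdata[0]
    if rdlen < 1 + 18 * num + 6:
        raise ValueError("name table or MAC truncated")
    names = []
    for i in range(num):
        entry = rdata[1 + 18 * i:1 + 18 * i + 18]
        nflags = struct.unpack("!H", entry[16:18])[0]
        names.append({
            "name": entry[:15].rstrip(b" ").decode("ascii", "replace"),
            "suffix": entry[15],
            "role": SUFFIX_ROLE.get(entry[15], "other"),
            "group": bool(nflags & 0x8000),   # G bit
            "active": bool(nflags & 0x0400),  # ACT bit
        })
    mac = rdata[1 + 18 * num:1 + 18 * num + 6]
    return {"txid": txid, "names": names, "mac": ":".join(f"{b:02x}" for b in mac)}


def machine_name(parsed):
    """What a log analyser is after: the unique, active <00> name, if any."""
    for n in parsed["names"]:
        if n["suffix"] == 0x00 and not n["group"] and n["active"]:
            return n["name"]
    return None


def query(ip, timeout=2.0, txid=0x1234):
    """Send the request to a live host (not run in the demo). Responders answer
    to any source port; binding to 137 is only needed to mimic Windows exactly."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_node_status_request(txid), (ip, 137))
        data, _ = s.recvfrom(4096)
    return parse_node_status_response(data, expect_txid=txid)


# Constructed name table and MAC for the offline demo.
SAMPLE_NAMES = [("SERVER01", 0x00, 0x0400), ("SERVER01", 0x20, 0x0400), ("WORKGROUP", 0x00, 0x8400)]
SAMPLE_MAC = bytes.fromhex("001122334455")


def demo(txid=0x1234):
    """Both sides of the exchange, offline: returns (request bytes, parsed response)."""
    response = build_node_status_response(txid, SAMPLE_NAMES, SAMPLE_MAC)
    return build_node_status_request(txid), parse_node_status_response(response, expect_txid=txid)


if __name__ == "__main__":
    req, parsed = demo()
    print(len(req), "byte request:", req.hex())
    for n in parsed["names"]:
        print(f"{n['name']:<15} <{n['suffix']:02X}> {'GROUP' if n['group'] else 'UNIQUE'} {n['role']}")
    print("MAC", parsed["mac"], "machine name", machine_name(parsed))
```

One such query, plus its retries, to every visitor address that fails reverse DNS is exactly the low-rate, one-destination-at-a-time UDP 137 pattern in the router log. Whichever tool turns out to be responsible, the practical fixes are the same: turn off host-name resolution in the log analyser, and keep the egress ACL denying 137-139 from servers that have no business talking NetBIOS to the Internet.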

    This archive was generated by hypermail 2b30 : Tue Dec 11 2001 - 18:50:15 PST