I have seen something similar, where the machine was clean, but seeing a lot
of netbios originate from the server. It turned out that Webtrends would do
log statistics on the web server and when it could not resolve an IP Address
using DNS, it would try to connect to that IP via netbios to get its machine
name.

It could also be some sort of built in NT/IIS feature that if you have name
resolution turned on in the IIS logging (is there a feature to turn it on /
off ala Apache?) it may also do the above mentioned actions.

Something to think about, as I noticed you are running some sort of
statistics service on that machine.

-Sam

----- Original Message -----
From: "Seamus Hartmann" <shartmannat_private>
To: <incidentsat_private>
Sent: Tuesday, December 11, 2001 12:48 PM
Subject: Internal Machine making many attempts to connect to Internet on 137


> Hello,
>
> This is my first post here, so bear with me.
>
> I'm looking for information about an exploit that starts searching for
> Netbios shares across random IP addresses. I have the following Code
> Red/Code Red II/Nimda Policy-Map on my external router since August 17th,
> and this machine was installed post August 17th.
>
> http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml
>
> This is an internal Windows NT 4.0 machine, patched sp6a and HFNETCHK states
> the following
>
> ----------------------------
> SERVER01
> ----------------------------
>
>
> * WINDOWS NT4SERVER SP6a
>
> NOTE                MS98-001   Q169556
> NOTE                MS99-036   Q155197
> NOTE                MS99-041   Q242294
> NOTE                MS01-022   Q296441
> Patch NOT Found     MS01-041   Q299444
> Patch NOT Found     MS01-048   Q305399
>
> * Internet Information Server 4.0
>
> NOTE                MS99-025   Q184375
> NOTE                MS00-025   Q259799
> NOTE                MS00-028   Q260267
> Patch NOT Found     MS01-044   Q301625
>
> * Internet Explorer 5.5 Gold
>
> Patch NOT Found     MS00-093   Q279328
> Patch NOT Found     MS00-055   Q269368
>
> Norton Corporate Antivirus 7.1 running with 12/6/01 virus data. Full System
> virus scan comes up clean.
>
> Fport reports the following strangeness.... look at all that stuff System is
> listening on!
>
> FPort v1.33 - TCP/IP Process to Port Mapper
> Copyright 2000 by Foundstone, Inc.
> http://www.foundstone.com
>
> Pid   Process      Port   Proto  Path
> 2     System    -> 80     TCP
> 168   MHSS      -> 80     TCP    D:\STATISTICSSERVER\MHSS.EXE
> 95    RpcSs     -> 135    TCP    C:\WINNT\system32\RpcSs.exe
> 2     System    -> 135    TCP
> 2     System    -> 139    TCP
> 95    RpcSs     -> 1025   TCP    C:\WINNT\system32\RpcSs.exe
> 2     System    -> 1025   TCP
> 102   msdtc     -> 1026   TCP    C:\WINNT\System32\msdtc.exe
> 2     System    -> 1026   TCP
> 2     System    -> 1027   TCP
> 102   msdtc     -> 1027   TCP    C:\WINNT\System32\msdtc.exe
> 2     System    -> 1033   TCP
> 197   MSTask    -> 1033   TCP    C:\WINNT\system32\MSTask.exe
> 197   MSTask    -> 1034   TCP    C:\WINNT\system32\MSTask.exe
> 2     System    -> 1034   TCP
> 95    RpcSs     -> 1038   TCP    C:\WINNT\system32\RpcSs.exe
> 2     System    -> 1038   TCP
> 2     System    -> 1083   TCP
> 2     System    -> 1416   TCP
> 2     System    -> 1709   TCP
> 2     System    -> 1713   TCP
> 2     System    -> 1724   TCP
> 2     System    -> 1725   TCP
> 2     System    -> 1744   TCP
> 2     System    -> 1745   TCP
> 2     System    -> 1747   TCP
> 2     System    -> 1749   TCP
> 2     System    -> 1766   TCP
> 2     System    -> 1786   TCP
> 2     System    -> 1801   TCP
> 2     System    -> 1812   TCP
> 2     System    -> 1915   TCP
> 2     System    -> 1962   TCP
> 2     System    -> 2067   TCP
> 298   java      -> 2067   TCP    C:\SITESC~1\java\bin\java.exe
> 2     System    -> 2212   TCP
> 2     System    -> 2233   TCP
> 2     System    -> 2301   TCP
> 216   Surveyor  -> 2301   TCP    C:\compaq\survey\Surveyor.EXE
> 2     System    -> 2351   TCP
> 2     System    -> 2570   TCP
> 2     System    -> 2604   TCP
> 2     System    -> 2617   TCP
> 2     System    -> 2654   TCP
> 2     System    -> 3072   TCP
> 2     System    -> 3140   TCP
> 2     System    -> 3145   TCP
> 2     System    -> 3146   TCP
> 2     System    -> 3149   TCP
> 2     System    -> 3152   TCP
> 2     System    -> 3153   TCP
> 2     System    -> 3154   TCP
> 2     System    -> 3155   TCP
> 2     System    -> 3159   TCP
> 2     System    -> 3167   TCP
> 2     System    -> 3200   TCP
> 2     System    -> 3204   TCP
> 2     System    -> 3229   TCP
> 2     System    -> 3232   TCP
> 2     System    -> 3235   TCP
> 2     System    -> 3240   TCP
> 2     System    -> 3244   TCP
> 2     System    -> 3249   TCP
> 2     System    -> 3260   TCP
> 2     System    -> 3271   TCP
> 2     System    -> 3276   TCP
> 2     System    -> 3277   TCP
> 2     System    -> 3301   TCP
> 2     System    -> 3306   TCP
> 2     System    -> 3313   TCP
> 2     System    -> 3320   TCP
> 2     System    -> 3322   TCP
> 2     System    -> 3325   TCP
> 2     System    -> 3328   TCP
> 2     System    -> 3340   TCP
> 2     System    -> 3374   TCP
> 2     System    -> 3441   TCP
> 2     System    -> 3473   TCP
> 2     System    -> 3497   TCP
> 2     System    -> 3498   TCP
> 2     System    -> 3504   TCP
> 2     System    -> 3513   TCP
> 2     System    -> 3526   TCP
> 2     System    -> 3529   TCP
> 2     System    -> 3579   TCP
> 2     System    -> 3610   TCP
> 2     System    -> 3627   TCP
> 2     System    -> 3684   TCP
> 2     System    -> 3739   TCP
> 2     System    -> 3746   TCP
> 2     System    -> 4000   TCP
> 2     System    -> 4052   TCP
> 2     System    -> 4150   TCP
> 2     System    -> 4598   TCP
> 2     System    -> 4859   TCP
> 2     System    -> 4868   TCP
> 2     System    -> 4886   TCP
> 168   MHSS      -> 4886   TCP    D:\STATISTICSSERVER\MHSS.EXE
> 2     System    -> 4993   TCP
> 2     System    -> 8888   TCP
> 298   java      -> 8888   TCP    C:\SITESC~1\java\bin\java.exe
> 291   CPQWMGMT  -> 49400  TCP    C:\WINNT\System32\CPQMGMT\CPQWMGMT.EXE
> 2     System    -> 49400  TCP
> 95    RpcSs     -> 135    UDP    C:\WINNT\system32\RpcSs.exe
> 2     System    -> 135    UDP
> 2     System    -> 137    UDP
> 2     System    -> 138    UDP
> 2     System    -> 161    UDP
> 212   snmp      -> 161    UDP    C:\WINNT\System32\snmp.exe
> 2     System    -> 1035   UDP
> 212   snmp      -> 1035   UDP    C:\WINNT\System32\snmp.exe
> 2     System    -> 1036   UDP
> 212   snmp      -> 1036   UDP    C:\WINNT\System32\snmp.exe
> 2     System    -> 1750   UDP
> 417   iexplore  -> 1750   UDP    C:\PROGRA~1\Plus!\MICROS~1\iexplore.exe
>
> SFind (another fine Foundstone tool) finds NO streamed files on the system.
>
> Firewall (Cisco PIX 520 running 6.1.1) holes open to this box are as
> follows.
>
> PIX-6.1.1# sh conduit server.ip.address.here
> conduit permit icmp host server.ip.address.here any echo-reply (hitcnt=695)
> conduit permit icmp host server.ip.address.here any information-reply (hitcnt=0)
> conduit permit icmp host server.ip.address.here any time-exceeded (hitcnt=175)
> conduit permit tcp host server.ip.address.here eq www any (hitcnt=3649)
> conduit permit icmp host server.ip.address.here any (hitcnt=31)
> PIX-6.1.1#
>
> IP Auditing turned on at the PIX, and log/drop/reset for attacks.
>
> Edge Router ACLs catching outgoing attempts for Netbios
>
> Syslog logging: enabled (0 messages dropped, 3 messages rate-limited, 0 flushes, 0 overruns)
> Console logging: level informational, 20350 messages logged
> Monitor logging: level debugging, 0 messages logged
> Buffer logging: level debugging, 20365 messages logged
> Logging Exception size (8192 bytes)
> Trap logging: level informational, 20263 message lines logged
>
> Log Buffer (8192 bytes):
> Dec 11 12:45:50: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 205.188.208.168(137), 2 packets
> Dec 11 12:45:53: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 208.12.66.194(137), 2 packets
> Dec 11 12:45:57: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 205.188.208.103(137), 2 packets
> Dec 11 12:46:06: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 205.188.208.169(137), 2 packets
> Dec 11 12:46:11: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 205.188.208.139(137), 2 packets
> Dec 11 12:46:20: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 204.146.85.150(137), 2 packets
> Dec 11 12:46:24: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 63.225.78.198(137), 2 packets
> Dec 11 12:46:29: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 163.191.134.150(137), 2 packets
> Dec 11 12:46:42: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 63.96.200.5(137), 2 packets
> Dec 11 12:46:47: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 152.163.201.192(137), 2 packets
> Dec 11 12:46:56: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 152.163.189.65(137), 2 packets
> Dec 11 12:47:00: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 63.49.226.31(137), 2 packets
> Dec 11 12:47:05: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 139.67.9.129(137), 2 packets
> Dec 11 12:47:14: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 206.180.109.14(137), 2 packets
> Dec 11 12:47:18: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 24.214.50.228(137), 2 packets
> Dec 11 12:47:23: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 205.188.209.166(137), 2 packets
> Dec 11 12:47:29: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 198.185.205.177(137), 2 packets
> Dec 11 12:47:32: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 24.49.20.122(137), 2 packets
> Dec 11 12:47:35: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 65.202.66.10(137), 2 packets
> Dec 11 12:47:41: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 165.89.84.242(137), 2 packets
> Dec 11 12:47:45: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 172.142.196.127(137), 2 packets
> Dec 11 12:47:49: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 64.12.105.31(137), 2 packets
> Dec 11 12:47:54: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 63.149.92.4(137), 2 packets
> Dec 11 12:47:57: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 24.4.252.110(137), 2 packets
> Dec 11 12:48:03: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 24.4.252.111(137), 2 packets
> Dec 11 12:48:08: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 205.188.199.167(137), 2 packets
> Dec 11 12:48:12: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 205.188.209.12(137), 2 packets
> Dec 11 12:48:17: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 63.208.128.70(137), 2 packets
> Dec 11 12:48:26: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 139.147.230.38(137), 2 packets
> Dec 11 12:48:30: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 131.124.100.124(137), 2 packets
> Dec 11 12:48:39: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 12.82.137.160(137), 2 packets
> Dec 11 12:48:44: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 66.57.73.140(137), 2 packets
> Dec 11 12:48:47: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 24.29.27.66(137), 2 packets
> Dec 11 12:48:53: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 129.130.5.39(137), 2 packets
> Dec 11 12:48:57: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 198.108.17.232(137), 2 packets
> Dec 11 12:49:10: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 216.132.160.66(137), 2 packets
> Dec 11 12:49:11: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 24.4.252.249(137), 2 packets
> Dec 11 12:49:15: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 207.50.68.2(137), 2 packets
> Dec 11 12:49:21: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 207.16.136.22(137), 2 packets
> Dec 11 12:49:24: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 208.242.197.6(137), 2 packets
> Dec 11 12:49:27: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 141.153.178.100(137), 2 packets
> Dec 11 12:49:33: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 209.130.138.227(137), 5 packets
> Dec 11 12:49:35: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 64.12.96.8(137), 2 packets
> Dec 11 12:49:38: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 64.12.96.10(137), 2 packets
> Dec 11 12:49:47: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 24.4.255.93(137), 2 packets
> Dec 11 12:49:51: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 24.4.255.92(137), 2 packets
> Dec 11 12:49:57: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 216.230.74.226(137), 2 packets
> Dec 11 12:50:00: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 168.26.223.33(137), 2 packets
> Dec 11 12:50:07: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 167.1.102.100(137), 2 packets
> Edge-CiscoRouter#
>
> Anyone seen this behavior before? Any suggestions? I am going to flush and
> fill, but I'd like to learn something from the issue, rather than just have
> it be an exercise in the format command!
>
> Thanks.
>
> Seamus Hartmann
> Senior Network Engineer
> Fuji Film eSystems
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
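Sam's explanation suggests a check that can be run before the box is wiped: if a log analyzer is falling back from a failed DNS reverse lookup to a NetBIOS name query, the UDP/137 destinations in the router log should coincide with client addresses in the web server's own logs, whereas a worm scanning for shares would target addresses with no relation to the web traffic. The Python below is an added example, not code from either poster. It parses Cisco IOS %SEC-6-IPACCESSLOGP deny messages (a handful copied from the quoted log, plus one constructed TCP deny line to show the filter ignoring non-NetBIOS traffic), summarizes per-source fan-out on UDP/137 as a detection signal, and measures the overlap between those targets and a constructed set of web-client addresses. The web-client set, the TCP line and the fan-out threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: five deny lines copied from the thread's router log
# (the source is the placeholder the poster used) plus one made-up TCP deny
# line that the NetBIOS filter must ignore.
SAMPLE_ACL_LOG = """\
Dec 11 12:45:50: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 205.188.208.168(137), 2 packets
Dec 11 12:45:53: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 208.12.66.194(137), 2 packets
Dec 11 12:45:57: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 205.188.208.103(137), 2 packets
Dec 11 12:46:06: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 205.188.208.169(137), 2 packets
Dec 11 12:49:33: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 209.130.138.227(137), 5 packets
Dec 11 12:49:40: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.0.5(1234) -> 205.188.208.168(80), 1 packet
"""

# Constructed stand-in for the client-address column of the web server log.
# Three of the five NetBIOS targets above appear here; two do not.
SAMPLE_WEB_CLIENTS = {
    "205.188.208.168", "208.12.66.194", "205.188.208.103",
    "192.0.2.77", "198.51.100.9",
}

# IOS access-list log message, as it appears in the thread:
#   <timestamp>: %SEC-6-IPACCESSLOGP: list <acl> denied <proto> <src>(<sport>) -> <dst>(<dport>), <n> packet(s)
ACL_LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}): %SEC-6-IPACCESSLOGP: "
    r"list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[^\s(]+)\((?P<sport>\d+)\) -> (?P<dst>[^\s(]+)\((?P<dport>\d+)\), "
    r"(?P<pkts>\d+) packets?$"
)


def parse_acl_log(text):
    """Parse IPACCESSLOGP deny lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = ACL_LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for key in ("sport", "dport", "pkts"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def netbios_fanout(records, min_targets=3):
    """Per source host, collect distinct UDP/137 destinations and total packets.

    Only sources with at least min_targets distinct destinations are returned:
    one host name-querying many unrelated external addresses is the signal,
    whether the cause is a worm or a log analyzer doing lookups."""
    per_src = defaultdict(lambda: {"targets": set(), "packets": 0})
    for r in records:
        if r["proto"] == "udp" and r["dport"] == 137:
            per_src[r["src"]]["targets"].add(r["dst"])
            per_src[r["src"]]["packets"] += r["pkts"]
    return {
        src: {"targets": sorted(v["targets"]), "packets": v["packets"]}
        for src, v in per_src.items()
        if len(v["targets"]) >= min_targets
    }


def reverse_lookup_overlap(targets, web_clients):
    """Fraction of NetBIOS targets that also appear as web-server clients.

    A value near 1.0 supports the benign explanation in the reply (reverse
    lookups falling back to NetBIOS); a value near 0.0 points at scanning."""
    targets = set(targets)
    if not targets:
        return 0.0
    return len(targets & set(web_clients)) / len(targets)


if __name__ == "__main__":
    fanout = netbios_fanout(parse_acl_log(SAMPLE_ACL_LOG))
    for src, info in fanout.items():
        ratio = reverse_lookup_overlap(info["targets"], SAMPLE_WEB_CLIENTS)
        print(f"{src}: {len(info['targets'])} distinct UDP/137 targets, "
              f"{info['packets']} packets, {ratio:.0%} seen as web clients")
```

On the poster's full log the same functions would be fed the router buffer and the IIS log's client column; the poster's note that every entry shows "2 packets" is consistent with a name query and one retry per address, which is the behaviour Sam describes, but the overlap ratio is what actually distinguishes the two explanations.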
This archive was generated by hypermail 2b30 : Tue Dec 11 2001 - 18:50:15 PST