RE: Port 111 Traffic

From: Michael Ward (Mwardat_private)
Date: Wed Dec 12 2001 - 07:22:13 PST

Next message: Nick Elliott: "RE: Internal Machine making many attempts to connect to Internet on 137"

Previous message: Markus Friedl: "Re: Voluminous SSHd scanning; possible worm activity?"
Maybe in reply to: Tim Brown: "Port 111 Traffic"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Tim,

There are several well known exploits aimed at port 111.  Take a look
and see if any of these fit your scenario.

CA-2001-05, Exploitation of snmpXdmid
IN-2001-01, Widespread Compromises via "ramen" Toolkit
IN-2000-10, Widespread Exploitation of rcp.statd and wu-ftpd
Vulnerabilities
CA-2000-17, Input Validation Problem in rpc.statd
CA-1999-16, Buffer Overflow in Sun Solstice AdminSuite Daemon sadmind
CA-1999-12, Buffer overflow in amd
CA-1999-08, Buffer overflow in rpc.cmsd
CA-1999-05, Vulnerability in statd exposes vulnerability in automountd
CA-1998-12, Remotely Exploitable Buffer Overflow Vulnerability in mountd
CA-1998-11, Vulnerability in ToolTalk RPC service
CA-2001-11, sadmind/IIS Worm

More info can be found here.
http://www.cert.org/current/current_activity.html#ssh

-Mike

-----Original Message-----
From: Tim Brown [mailto:tim.brownat_private]
Sent: Tuesday, December 11, 2001 4:21 PM
To: INCIDENTSat_private
Subject: Re: Port 111 Traffic


To clarify- the zeros in the destination address are actually there. 
 Only the first two octets of the source have been changed to nnn.nnn.

Tim Brown wrote:

> This information was generated by snoop on Solaris.  Any ideas?  See 
> bottom of message for a single verbose packet capture.
> nnn.nnn = the not so innocent IP.
>
> nnn.nnn.213.13 -> 0.47.0.205   TCP D=111 S=33399 Syn Seq=2559250306 
> Len=0 Win=8760
> nnn.nnn.213.13 -> 0.47.0.204   TCP D=111 S=33398 Syn Seq=2559160482 
> Len=0 Win=8760
> nnn.nnn.213.11 -> 0.181.0.37   TCP D=111 S=59773 Rst Seq=2178778586 
> Len=0 Win=8760
> nnn.nnn.213.13 -> 0.47.0.207   TCP D=111 S=33401 Syn Seq=2559361718 
> Len=0 Win=8760
> nnn.nnn.213.13 -> 0.47.0.208   TCP D=111 S=33402 Syn Seq=2559390097 
> Len=0 Win=8760
> nnn.nnn.213.13 -> 0.47.0.209   TCP D=111 S=33403 Syn Seq=2559476442 
> Len=0 Win=8760
> nnn.nnn.213.11 -> 0.181.0.38   TCP D=111 S=59774 Rst Seq=2178892699 
> Len=0 Win=8760
> nnn.nnn.213.11 -> 0.181.0.42   TCP D=111 S=59778 Rst Seq=2179194372 
> Len=0 Win=8760
> nnn.nnn.213.13 -> 0.47.0.215   TCP D=111 S=33409 Syn Seq=2559700481 
> Len=0 Win=8760
> nnn.nnn.213.13 -> 0.47.0.214   TCP D=111 S=33408 Syn Seq=2559656916 
> Len=0 Win=8760
> nnn.nnn.213.11 -> 0.181.0.43   TCP D=111 S=59779 Rst Seq=2179223246 
> Len=0 Win=8760
> nnn.nnn.213.13 -> 0.47.0.216   TCP D=111 S=33410 Syn Seq=2559772250 
> Len=0 Win=8760
> nnn.nnn.213.11 -> 0.181.0.44   TCP D=111 S=59780 Rst Seq=2179342238 
> Len=0 Win=8760
> nnn.nnn.213.13 -> 0.47.0.218   TCP D=111 S=33412 Syn Seq=2559854823 
> Len=0 Win=8760
> nnn.nnn.213.11 -> 0.181.0.45   TCP D=111 S=59781 Rst Seq=2179387236 
> Len=0 Win=8760
> nnn.nnn.213.11 -> 0.181.0.46   TCP D=111 S=59782 Rst Seq=2179459169 
> Len=0 Win=8760
> nnn.nnn.213.13 -> 0.47.0.219   TCP D=111 S=33413 Syn Seq=2559861661 
> Len=0 Win=8760
> nnn.nnn.213.11 -> 0.181.0.48   TCP D=111 S=59784 Rst Seq=2179596754 
> Len=0 Win=8760
> nnn.nnn.213.13 -> 0.47.0.221   TCP D=111 S=33415 Syn Seq=2559922066 
> Len=0 Win=8760
> nnn.nnn.213.11 -> 0.181.0.50   TCP D=111 S=59786 Rst Seq=2179755204 
> Len=0 Win=8760
> nnn.nnn.213.13 -> 0.47.0.226   TCP D=111 S=33420 Syn Seq=2560346165 
> Len=0 Win=8760
> nnn.nnn.213.13 -> 0.47.0.227   TCP D=111 S=33421 Syn Seq=2560403095 
> Len=0 Win=8760
> nnn.nnn.213.13 -> 0.47.0.235   TCP D=111 S=33429 Syn Seq=2561000060 
> Len=0 Win=8760
> nnn.nnn.213.13 -> 0.47.0.233   TCP D=111 S=33427 Syn Seq=2560897528 
> Len=0 Win=8760
> nnn.nnn.213.13 -> 0.47.0.237   TCP D=111 S=33431 Syn Seq=2561153509 
> Len=0 Win=8760
> nnn.nnn.213.13 -> 0.47.0.238   TCP D=111 S=33432 Syn Seq=2561195283 
> Len=0 Win=8760
> nnn.nnn.213.13 -> 0.47.0.240   TCP D=111 S=33434 Syn Seq=2561332283 
> Len=0 Win=8760
> nnn.nnn.213.13 -> 0.47.0.242   TCP D=111 S=33436 Syn Seq=2561468508 
> Len=0 Win=8760
> nnn.nnn.213.32 -> 0.123.0.55   TCP D=111 S=56202 Rst Seq=240026718 
> Len=0 Win=8760
> nnn.nnn.213.32 -> 0.123.0.57   TCP D=111 S=56204 Rst Seq=240210073 
> Len=0 Win=8760
> nnn.nnn.213.32 -> 0.123.0.58   TCP D=111 S=56205 Rst Seq=240300794 
> Len=0 Win=8760
> nnn.nnn.213.32 -> 0.123.0.59   TCP D=111 S=56206 Rst Seq=240409147 
> Len=0 Win=8760
> nnn.nnn.213.32 -> 0.123.0.60   TCP D=111 S=56207 Rst Seq=240429542 
> Len=0 Win=8760
> nnn.nnn.213.32 -> 0.123.0.61   TCP D=111 S=56208 Rst Seq=240433968 
> Len=0 Win=8760
> nnn.nnn.213.32 -> 0.123.0.62   TCP D=111 S=56209 Rst Seq=240477791 
> Len=0 Win=8760
> nnn.nnn.213.32 -> 0.123.0.65   TCP D=111 S=56212 Rst Seq=240763588 
> Len=0 Win=8760
> nnn.nnn.213.32 -> 0.123.0.72   TCP D=111 S=56219 Rst Seq=241169371 
> Len=0 Win=8760
>
> Verbose Output of one packet:
>
> ETHER:  ----- Ether Header -----
> ETHER: ETHER:  Packet 6 arrived at 14:48:18.30
> ETHER:  Packet size = 60 bytes
> ETHER:  Destination = 0:10:7:dc:38:60,
> ETHER:  Source      = 0:e0:3n:nn:nn:nn,
> ETHER:  Ethertype = 0800 (IP)
> ETHER: IP:   ----- IP Header -----
> IP:  IP:   Version = 4
> IP:   Header length = 20 bytes
> IP:   Type of service = 0x00
> IP:         xxx. .... = 0 (precedence)
> IP:         ...0 .... = normal delay
> IP:         .... 0... = normal throughput
> IP:         .... .0.. = normal reliability
> IP:   Total length = 40 bytes
> IP:   Identification = 7932
> IP:   Flags = 0x4
> IP:         .1.. .... = do not fragment
> IP:         ..0. .... = last fragment
> IP:   Fragment offset = 0 bytes
> IP:   Time to live = 251 seconds/hops
> IP:   Protocol = 6 (TCP)
> IP:   Header checksum = f5c2
> IP:   Source address = nnn.nnn.213.11, nnn.nnn.213.11
> IP:   Destination address = 0.57.0.36, 0.57.0.36
> IP:   No options
> IP:  TCP:  ----- TCP Header -----
> TCP: TCP:  Source port = 33596
> TCP:  Destination port = 111
> TCP:  Sequence number = 3073870737
> TCP:  Acknowledgement number = 0
> TCP:  Data offset = 20 bytes
> TCP:  Flags = 0x04
> TCP:        ..0. .... = No urgent pointer
> TCP:        ...0 .... = No acknowledgement
> TCP:        .... 0... = No push
> TCP:        .... .1.. = Reset
> TCP:        .... ..0. = No Syn
> TCP:        .... ...0 = No Fin
> TCP:  Window = 8760
> TCP:  Checksum = 0x5c23
> TCP:  Urgent pointer = 0
> TCP:  No options
> TCP:


-- 

Tim





------------------------------------------------------------------------
----
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Nick Elliott: "RE: Internal Machine making many attempts to connect to Internet on 137"
Previous message: Markus Friedl: "Re: Voluminous SSHd scanning; possible worm activity?"
Maybe in reply to: Tim Brown: "Port 111 Traffic"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Dec 12 2001 - 11:15:33 PST