Re: Strange traffic...

From: Mark Tinberg (tinbergat_private)
Date: Fri Jan 11 2002 - 20:08:17 PST


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    On Fri, 11 Jan 2002, John Oliver wrote:
    
    > I noticed one of my clients' machines seeing a lot more traffic than
    > normal.  tcpdump on the firewall got me stuff like:
    >
    > 13:27:20.932382 eth0 < skurup.datlab.bth.se.3509 > hostx.4059: .
    > 487424:488884(1460) ack 1 win 17520 (DF)
    
    [..snip..]
    
    > nmap for hostx says:
    >
    > Starting nmap V. 2.53 by fyodorat_private ( www.insecure.org/nmap/ )
    >  Interesting ports on hostx (www.xxx.yyy.zzz):
    > (The 65512 ports scanned but not shown below are in state: closed)
    > Port       State       Service
    > 21/tcp     open        ftp
    > 80/tcp     open        http
    > 99/tcp     open        metagram
    > 135/tcp    open        loc-srv
    > 139/tcp    open        netbios-ssn
    > 443/tcp    open        https
    > 808/tcp    open        unknown
    > 881/tcp    open        unknown
    > 1029/tcp   open        unknown
    > 1081/tcp   open        unknown
    > 1082/tcp   open        unknown
    > 1083/tcp   open        ansoft-lm-1
    > 1433/tcp   open        ms-sql-s
    > 1720/tcp   filtered    unknown
    > 2080/tcp   open        unknown
    > 2429/tcp   open        unknown
    > 4080/tcp   open        unknown
    > 4899/tcp   open        unknown
    > 5631/tcp   open        pcanywheredata
    > 31333/tcp  open        unknown
    > 44442/tcp  open        unknown
    > 44443/tcp  open        unknown
    > 65301/tcp  open        pcanywhere
    >
    > Nmap run completed -- 1 IP address (1 host up) scanned in 212 seconds
    >
    > Hostx is an NT Server 4.0 box, SP6a, running IIS, Cold Fusion, and some
    > other webhosting-related stuff. I'm not extremely familiar with NT, so
    > could use some thoughts here.
    >
    >
    
    The sending host is probably compromised.  They seem to have PCAnywhere
    installed, but I would bet that one of the other ports is for another
    piece of remote-control software 8^).  Looks like it has scads of DCE-RPC
    services open and NetBIOS/SMB/CIFS, it's an easy target.
    
    - -- 
    Mark Tinberg <MTinbergat_private>
    Network Security Engineer, SecurePipe Inc.
    Remember:  Wherever you go, there you are!
    Key fingerprint = AF6B 0294 EE33 D802 F7A1  38A4 CF52 5FE0 7470 E5F7
    
    	Your daily fortune . . .
    
    You can rent this space for only $5 a week.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: For info see http://quantumlab.net/pine_privacy_guard/
    
    iEYEARECAAYFAjw/trIACgkQz1Jf4HRw5ff7DACgvTjXleYPrllrhZrf1Tr/6EdJ
    mVYAmgPFM646GoRszA+j48Cqwbrf2a2l
    =7jNd
    -----END PGP SIGNATURE-----
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
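An added triage helper for the two artefacts discussed in this thread (the tcpdump line and the nmap port table); this is example code written for this archive page, not something posted by either correspondent. It parses the nmap 2.53 text format and the tcpdump 3.x Linux line format, flags open ports that fall outside an assumed baseline for a public web host (the baseline set and the remote-control service names are assumptions, not from the post), and sums payload bytes per TCP flow from the sequence ranges. The extra tcpdump lines are constructed continuations of the one quoted in the post.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the nmap 2.53 port table quoted in the post, with the quote marks removed.
NMAP_OUTPUT = """\
Port       State       Service
21/tcp     open        ftp
80/tcp     open        http
99/tcp     open        metagram
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
443/tcp    open        https
808/tcp    open        unknown
881/tcp    open        unknown
1029/tcp   open        unknown
1081/tcp   open        unknown
1082/tcp   open        unknown
1083/tcp   open        ansoft-lm-1
1433/tcp   open        ms-sql-s
1720/tcp   filtered    unknown
2080/tcp   open        unknown
2429/tcp   open        unknown
4080/tcp   open        unknown
4899/tcp   open        unknown
5631/tcp   open        pcanywheredata
31333/tcp  open        unknown
44442/tcp  open        unknown
44443/tcp  open        unknown
65301/tcp  open        pcanywhere
"""

# Constructed sample: the first line is the one quoted in the post; the rest are invented
# continuations of the same flow (next two data segments plus one ACK going back out).
TCPDUMP_LINES = [
    "13:27:20.932382 eth0 < skurup.datlab.bth.se.3509 > hostx.4059: . 487424:488884(1460) ack 1 win 17520 (DF)",
    "13:27:20.932610 eth0 < skurup.datlab.bth.se.3509 > hostx.4059: . 488884:490344(1460) ack 1 win 17520 (DF)",
    "13:27:20.932850 eth0 < skurup.datlab.bth.se.3509 > hostx.4059: . 490344:491804(1460) ack 1 win 17520 (DF)",
    "13:27:20.933010 eth0 > hostx.4059 > skurup.datlab.bth.se.3509: . ack 491804 win 8760 (DF)",
]

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")
# tcpdump 3.x on Linux: "<time> <iface> <dir> <src>.<sport> > <dst>.<dport>: <flags> [seq:seq(len)] ..."
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<iface>\S+) (?P<dir>[<>]) "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<flags>\S+) (?:(?P<seq_start>\d+):(?P<seq_end>\d+)\((?P<len>\d+)\))?"
)

# Assumed baseline for a public web host that also serves FTP; adjust to the real change record.
WEB_HOST_BASELINE = {21, 80, 443}
# Assumed list of nmap service names that denote remote-control software.
REMOTE_CONTROL_SERVICES = {"pcanywhere", "pcanywheredata"}


@dataclass(frozen=True)
class PortEntry:
    port: int
    proto: str
    state: str
    service: str


def parse_nmap(text):
    """Return one PortEntry per 'port/proto state service' row; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            entries.append(PortEntry(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return entries


def triage(entries, baseline=WEB_HOST_BASELINE):
    """List (port, reasons) for every open/filtered port that deserves a second look."""
    findings = []
    for e in entries:
        if e.state not in ("open", "filtered"):
            continue
        reasons = []
        if e.port not in baseline:
            reasons.append("not in baseline")
        if e.service in REMOTE_CONTROL_SERVICES:
            reasons.append("remote-control service")
        if e.service == "unknown" and e.port >= 1024:
            reasons.append("unidentified high port")
        if reasons:
            findings.append((e.port, reasons))
    return findings


def parse_tcpdump(line):
    """Parse one tcpdump 3.x line; '<' after the interface marks a packet received on it."""
    m = TCPDUMP_RE.match(line)
    if not m:
        return None
    return {
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "inbound": m["dir"] == "<",
        "payload_len": int(m["len"]) if m["len"] else 0,  # pure ACKs carry no seq range
    }


def bytes_per_flow(lines):
    """Sum TCP payload bytes per (src, sport, dst, dport) so a chatty flow stands out."""
    totals = defaultdict(int)
    for seg in filter(None, map(parse_tcpdump, lines)):
        totals[(seg["src"], seg["sport"], seg["dst"], seg["dport"])] += seg["payload_len"]
    return dict(totals)


if __name__ == "__main__":
    for port, reasons in triage(parse_nmap(NMAP_OUTPUT)):
        print(f"{port:>6}/tcp  {', '.join(reasons)}")
    for flow, nbytes in bytes_per_flow(TCPDUMP_LINES).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}  {nbytes} payload bytes")
```

Run against the quoted table, twenty of the twenty-three listed ports fall outside the web-host baseline, and the two pcAnywhere ports are called out separately; the flow summary turns a stream of segment lines into one byte count per connection, which is the number to compare against the host's usual traffic before deciding whether the box needs to be pulled for imaging.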
    



    This archive was generated by hypermail 2b30 : Sat Jan 12 2002 - 15:50:57 PST