We've observed two disparate clients apparently rooted (both are Win2K I
believe), being used to packet flood a variety of Microsoft sites (msn.com,
hotmail.com and microsoft.com itself).
Just a few seconds of IP accounting showed:
Destination Packets Bytes
64.4.32.251 14201 20940508
207.68.171.254 11862 17764328
64.4.32.1 12142 18184104
207.46.197.102 59698 89401960
These clients are on very different CIDR blocks (from the first octet). We
don't have any further information at this time, other than one client
saturated their T1 and the other saturated a 10Mb/s connection.
I haven't observed any noticeable impacts to the microsoft sites being
attacked. We have been able to track back the activity on MRTG graphs to
last Thurs for both clients. We investigated the traffic volume the first
day it appeared and at that time saw what appeared to be an attack against
two hosts in .fr and one in .de. The client assured us at this time it was
legitimate traffic.
A port scan of one of the infected hosts shows:
7 Echo
9 Discard
13 Daytime
17 Quote of the Day
19 Character Generator
21 File Transfer Protocol [Control]
25 Simple Mail Transfer
80 World Wide Web HTTP
135 DCE endpoint resolution
139 NETBIOS Session Service
443 https MCom
445 Microsoft-DS
548 AFP over TCP
1025 network blackjack
1026
1027 ICQ?
1433 Microsoft-SQL-Server
5631 pcANYWHEREdata
The client claims that they are not running Appletalk (548) but I'm not sure
whether to believe. We haven't been able to get console access to that
machine to do any further investigation (but have blocked it upstream). Of
the above services, most look legit from what I can tell with the exception
of 548 and 1025-1027
Mike
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Jan 29 2002 - 15:36:11 PST