I've noticed 1025 and 1026 open on some members of our Win2K fleet. 1026 is open on my own machine. Fport (www.foundstone.com) links 1026 to lsass.exe. Not sure why some have it and others don't, although my machine is running Server SP2. I've found a couple of machines with 1025 open, am looking into it.

John Campbell, GCWN
Information Security Engineer
Washington School Information Processing Cooperative (WSIPC)
E-mail: jcampbellat_private

-----Original Message-----
From: Mike Lewinski [mailto:mikeat_private]
Sent: Tuesday, January 29, 2002 3:24 PM
To: incidentsat_private
Subject: DDoS to microsoft sites

We've observed two disparate clients apparently rooted (both are Win2K I believe), being used to packet flood a variety of Microsoft sites (msn.com, hotmail.com and microsoft.com itself). Just a few seconds of IP accounting showed:

Destination      Packets   Bytes
64.4.32.251      14201     20940508
207.68.171.254   11862     17764328
64.4.32.1        12142     18184104
207.46.197.102   59698     89401960

These clients are on very different CIDR blocks (from the first octet). We don't have any further information at this time, other than one client saturated their T1 and the other saturated a 10Mb/s connection. I haven't observed any noticeable impacts to the microsoft sites being attacked.

We have been able to track back the activity on MRTG graphs to last Thurs for both clients. We investigated the traffic volume the first day it appeared and at that time saw what appeared to be an attack against two hosts in .fr and one in .de. The client assured us at this time it was legitimate traffic.

A port scan of one of the infected hosts shows:

7     Echo
9     Discard
13    Daytime
17    Quote of the Day
19    Character Generator
21    File Transfer Protocol [Control]
25    Simple Mail Transfer
80    World Wide Web HTTP
135   DCE endpoint resolution
139   NETBIOS Session Service
443   https MCom
445   Microsoft-DS
548   AFP over TCP
1025  network blackjack
1026
1027  ICQ?
1433  Microsoft-SQL-Server
5631  pcANYWHEREdata

The client claims that they are not running Appletalk (548) but I'm not sure whether to believe them. We haven't been able to get console access to that machine to do any further investigation (but have blocked it upstream).

Of the above services, most look legit from what I can tell with the exception of 548 and 1025-1027.

Mike

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
----------------------------------------------------------------------------
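As an added example (not code from either poster), a small Python triage script over the figures quoted in the thread: it parses the IP-accounting snapshot, finds the destinations taking most of the traffic, computes bytes per packet per destination, and lists open ports outside an assumed baseline made up of the services the original poster judged legitimate.

```python
"""Triage helpers for the evidence in the thread above: an IP-accounting
snapshot (destination, packets, bytes) and the listening TCP ports found
on the suspected host."""

# Constructed from the figures quoted in the original message.
IP_ACCOUNTING = """\
Destination Packets Bytes
64.4.32.251 14201 20940508
207.68.171.254 11862 17764328
64.4.32.1 12142 18184104
207.46.197.102 59698 89401960
"""

# Ports reported open by the port scan in the original message.
SCANNED_PORTS = [7, 9, 13, 17, 19, 21, 25, 80, 135, 139, 443, 445,
                 548, 1025, 1026, 1027, 1433, 5631]

# Assumed baseline (not from the page): the services the poster considered
# legitimate for this host. Adjust to the client's documented build.
EXPECTED_PORTS = {7, 9, 13, 17, 19, 21, 25, 80, 135, 139, 443, 445, 1433, 5631}


def parse_accounting(text):
    """Return {destination: (packets, bytes)} from an accounting dump."""
    rows = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        dst, pkts, byts = line.split()
        rows[dst] = (int(pkts), int(byts))
    return rows


def top_talkers(rows, min_share=0.25):
    """Destinations that received at least min_share of all bytes sampled."""
    total = sum(b for _, b in rows.values())
    return sorted((dst, round(b / total, 3))
                  for dst, (_, b) in rows.items() if b / total >= min_share)


def bytes_per_packet(rows):
    """Average packet size per destination. Near-identical sizes to every
    destination are one indicator to note alongside the raw volume."""
    return {dst: b // p for dst, (p, b) in rows.items()}


def unexpected_ports(open_ports, expected=EXPECTED_PORTS):
    """Open ports outside the baseline; these are investigated first."""
    return sorted(p for p in open_ports if p not in expected)
```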
This archive was generated by hypermail 2b30 : Wed Jan 30 2002 - 09:32:32 PST