Re: DDoS to microsoft sites

From: Hugo van der Kooij (hvdkooijat_private)
Date: Wed Jan 30 2002 - 00:19:59 PST

  • Next message: Mike Lewinski: "Re: DDoS to microsoft sites"

    On Tue, 29 Jan 2002, Mike Lewinski wrote:
    
    > A port scan of one of the infected hosts shows:
    > 
    >      7  Echo
    >      9  Discard
    >     13  Daytime
    >     17  Quote of the Day
    >     19  Character Generator
    >     21  File Transfer Protocol [Control]
    >     25  Simple Mail Transfer
    >     80  World Wide Web HTTP
    >    135  DCE endpoint resolution
    >    139  NETBIOS Session Service
    >    443  https  MCom
    >    445  Microsoft-DS
    >    548  AFP over TCP
    >   1025  network blackjack
    >   1026
    >   1027  ICQ?
    >   1433  Microsoft-SQL-Server
    >   5631  pcANYWHEREdata
    
    I am curious what you used for portscanning as you have only half of the 
    pcanywhere ports.
    
    The amount of traffic may be normal if one is to download loads of data 
    (like CD ISO images) with an accellerator. Getting a full load of IE6 is a 
    substantial download.
    
    > The client claims that they are not running Appletalk (548) but I'm not sure
    > whether to believe. We haven't been able to get console access to that
    > machine to do any further investigation (but have blocked it upstream). Of
    > the above services, most look legit from what I can tell with the exception
    > of 548 and 1025-1027
    
    The high ports are common on windows machines. It's no proof that they are 
    harmless but don't make too much of it.
    
    I can't escape the feeling that you are chasing ghosts here. If it is a 
    genuine DoS attempt you would be able to tell from observing the 
    datastream. (getting at least the headers.)
    
    Hugo.
    
    -- 
    All email send to me is bound to the rules described on my homepage.
        hvdkooijat_private		http://hvdkooij.xs4all.nl/
    	    Don't meddle in the affairs of sysadmins,
    	    for they are subtle and quick to anger.
    
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Wed Jan 30 2002 - 09:39:32 PST