Probes to previously accessed FTPs and UNCs in XP

From: Eric Weaver (eric.weaverat_private)
Date: Tue Apr 09 2002 - 01:55:29 PDT


    Re: POSSIBLE WORM / DDOS
    
    Sorry for the delayed response.
    
    I have concluded that this activity is caused by another Microsoft
    misfeature.  (Whether it is a virus or not, XP is caching previously
    accessed URLs/UNCs somewhere, leaving these hosts/shares potential victims for
    a virus/worm.)
    
    Findings:
    
    Upon access to certain local directories of the "hot" machine (E:\,
    E:\download\ ), Windows (XP Pro) causes orderly probing of previously
    accessed FTP URLs & UNCs.  (This explains the many Samba queries after the
    FTP attempts.)
    
    The following caused the network activity:
    
    Start/ Run / E:\ <cr>
    Start/ Run / E:\download <cr>
    
    
    I searched through the local registry for the targeted IPs & share names
    (and also searched for possible aliases) but was unable to find anything.  I
    deleted the temporary internet cache, history, etc. and rebooted.  The machine still
    caused the same network activity.
    
    Reapplying generic-folder-options to the directories that were "triggering"
    this activity seemed to fix the problem.
    
    I wonder where Microsoft is storing this information?  Those directories did
    not have any abnormal/hidden files.  Odd.
    
    Someone mentioned this may be ACEBot or GTBot.  I found no traces of these
    Trojans.
    
    I have not ruled out a virus.
    
    The fact that this happens in regular windows explorer (not shortcut/link
    inside a browser) worries me.
    
    
    Thanks for everyone's $0.02.
    
    _______________________________
    Eric Weaver
    
    
    
    
    
    > tcpdump:
    >
    > 06:29:17.078874 10.2.2.241.1890 > 204.152.189.113.21: S
    > 3272713560:3272713560(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:29:20.081771 10.2.2.241.1891 > 204.152.189.113.21: S
    > 3273527112:3273527112(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:29:23.087434 10.2.2.241.1892 > 209.250.0.132.21: S
    > 3274340020:3274340020(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:29:26.089861 10.2.2.241.1893 > 209.250.0.132.21: S
    > 3275149251:3275149251(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:29:29.301291 10.2.2.241.1028 > 10.2.2.14.53:  161+ A?
    > hawking.res.cmu.edu. (37)
    > 06:29:29.302121 10.2.2.14.53 > 10.2.2.241.1028:  161 NXDomain 0/1/0 (118)
    > (DF)
    > 06:30:29.836128 10.2.2.241.1938 > 198.133.219.27.21: S
    > 3293275935:3293275935(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:30:32.782191 10.2.2.241.1939 > 62.243.72.50.21: S
    > 3294076486:3294076486(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:30:35.786356 10.2.2.241.1940 > 129.128.5.191.21: S
    > 3294859714:3294859714(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:30:38.690326 10.2.2.241.1941 > 66.26.238.15.21: S
    > 3295637385:3295637385(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:30:51.775416 10.2.2.241.1956 > 204.152.189.113.21: S
    > 3299451469:3299451469(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:30:54.804154 10.2.2.241.1957 > 216.10.106.189.21: S
    > 3300252651:3300252651(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:30:57.712465 10.2.2.241.1958 > 204.152.189.113.21: S
    > 3301052975:3301052975(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:31:00.716285 10.2.2.241.1959 > 204.152.189.113.21: S
    > 3301854583:3301854583(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:31:03.721980 10.2.2.241.1960 > 209.250.0.132.21: S
    > 3302638469:3302638469(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:31:06.725382 10.2.2.241.1961 > 209.250.0.132.21: S
    > 3303448449:3303448449(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:31:13.857898 10.2.2.241.1984 > 206.100.24.34.21: S
    > 3306270291:3306270291(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:31:16.836273 10.2.2.241.1985 > 206.100.24.34.21: S
    > 3307075111:3307075111(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:32:02.060208 10.2.2.241.2004 > 198.133.219.27.21: S
    > 3319333584:3319333584(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:32:05.056510 10.2.2.241.2005 > 62.243.72.50.21: S
    > 3320119259:3320119259(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:32:08.009097 10.2.2.241.2006 > 129.128.5.191.21: S
    > 3320930893:3320930893(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:32:11.013294 10.2.2.241.2007 > 66.26.238.15.21: S
    > 3321738567:3321738567(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:32:23.459155 10.2.2.241.2024 > 204.152.189.113.21: S
    > 3325545579:3325545579(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:32:26.462660 10.2.2.241.2025 > 216.10.106.189.21: S
    > 3326338384:3326338384(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:32:29.433905 10.2.2.241.2026 > 204.152.189.113.21: S
    > 3327134151:3327134151(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:32:32.436725 10.2.2.241.2027 > 204.152.189.113.21: S
    > 3327941671:3327941671(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:32:35.443518 10.2.2.241.2028 > 209.250.0.132.21: S
    > 3328724549:3328724549(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:32:38.444911 10.2.2.241.2029 > 209.250.0.132.21: S
    > 3329535547:3329535547(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:32:45.491534 10.2.2.241.2052 > 206.100.24.34.21: S
    > 3332310269:3332310269(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    >
    
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
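The pattern the post describes is visible in the quoted tcpdump: one internal host sending SYN-only connections to port 21 on many different external servers, a few seconds apart, with the list of targets repeating. The following is an added example (not code from the post or from SecurityFocus) that re-joins tcpdump records a mail client has wrapped across two lines, extracts the outbound SYNs, and flags any source that reaches a threshold of distinct FTP servers inside a time window. The sample input is a constructed subset of the capture quoted above, still in its wrapped form; the window (120 s) and threshold (4 targets) are assumptions chosen to fit that excerpt, not values from the post.

```python
import re
from collections import defaultdict

# Constructed sample: the first records of the tcpdump excerpt quoted in the
# post, kept in the wrapped two-line form the mail archive shows.
SAMPLE_TCPDUMP = """\
06:29:17.078874 10.2.2.241.1890 > 204.152.189.113.21: S
3272713560:3272713560(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:29:20.081771 10.2.2.241.1891 > 204.152.189.113.21: S
3273527112:3273527112(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:29:23.087434 10.2.2.241.1892 > 209.250.0.132.21: S
3274340020:3274340020(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:29:29.301291 10.2.2.241.1028 > 10.2.2.14.53:  161+ A?
hawking.res.cmu.edu. (37)
06:29:29.302121 10.2.2.14.53 > 10.2.2.241.1028:  161 NXDomain 0/1/0 (118)
(DF)
06:30:29.836128 10.2.2.241.1938 > 198.133.219.27.21: S
3293275935:3293275935(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:30:32.782191 10.2.2.241.1939 > 62.243.72.50.21: S
3294076486:3294076486(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:30:35.786356 10.2.2.241.1940 > 129.128.5.191.21: S
3294859714:3294859714(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:30:38.690326 10.2.2.241.1941 > 66.26.238.15.21: S
3295637385:3295637385(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
"""

# A record starts with an HH:MM:SS.ffffff timestamp; anything else is a
# continuation of the previous record that the mail client wrapped.
TS_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")

# Classic tcpdump TCP line: "ts src.sport > dst.dport: S seq:seq(0) ..."
SYN_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): S \d+:\d+\(0\)"
)


def join_records(text):
    """Re-join tcpdump records that were wrapped onto several lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if TS_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_syns(text):
    """Return (seconds_since_midnight, src, dst, dport) for each SYN-only record.

    DNS and other non-SYN records are skipped by the regex.
    """
    out = []
    for rec in join_records(text):
        m = SYN_RE.match(rec)
        if not m:
            continue
        h, mi, s = m.group("ts").split(":")
        secs = int(h) * 3600 + int(mi) * 60 + float(s)
        out.append((secs, m.group("src"), m.group("dst"), int(m.group("dport"))))
    return out


def find_probers(text, port=21, window=120.0, min_targets=4):
    """Flag sources that SYN to >= min_targets distinct hosts on `port`
    within any `window`-second span. Returns {src: sorted target list}.

    Window and threshold are assumed tuning values, not from the post.
    """
    by_src = defaultdict(list)
    for secs, src, dst, dport in parse_syns(text):
        if dport == port:
            by_src[src].append((secs, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            in_win = {dst for t, dst in events[i:] if t - t0 <= window}
            if len(in_win) >= min_targets:
                alerts[src] = sorted(in_win)
                break
    return alerts


if __name__ == "__main__":
    for src, targets in find_probers(SAMPLE_TCPDUMP).items():
        print(f"{src} probed {len(targets)} FTP servers: {', '.join(targets)}")
```

On the sample above this reports 10.2.2.241 reaching six distinct FTP servers within 81 seconds. The same check, fed a longer capture, would also show the second pass over the same target list about 90 seconds later, which is the "orderly" repetition the post remarks on; a one-off user FTP session would not trip a distinct-target threshold this way.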
    



    This archive was generated by hypermail 2b30 : Tue Apr 09 2002 - 08:37:29 PDT