Probes to previously accessed FTPs and UNCs in XP

From: Eric Weaver (eric.weaverat_private)
Date: Tue Apr 09 2002 - 01:55:29 PDT

  • Next message: KoRe MeLtDoWn: "RE: I think I've been hacked...please help!" 

    Re: POSSIBLE WORM / DDOS

Sorry for the delayed response.

I have concluded that this activity is caused by another Microsoft
misfeature.  (Weather it is a virus or not, XP is caching previously
accessed url/unc somewhere, leaving these hosts/shares potential victims for
a virus/worm)

Findings:

Upon access to certain local directories of the "hot" machine (E:\,
E:\download\ ). Windows (XP Pro), causes orderly probing to previously
accessed ftp url & unc's. (This explains the many samba queries after the
FTP attempts)

The following caused the network activity:

Start/ Run / E:\ <cr>
Start/ Run / E:\download <cr>


I searched through the local registry for the targeted IP's & sharenames
(also search for possible aliases)  but was unable to find anything.  I
deleted the temporary internet cache, history, etc. Rebooted.  Machine still
caused same network activity.

Reapplying generic-folder-options to the directories that were "triggering"
this activity seemed to fix the problem.

I wonder where Microsoft is storing this information?  Those directories did
not have any abnormal/hidden files.  Odd.

Someone mentioned this may be ACEBot or GTBot.  I found no traces of these
Trojans.

I have not ruled out a virus.

The fact that this happens in regular windows explorer (not shortcut/link
inside a browser) worries me.


Thanks for everyone's $0.02.

_______________________________
Eric Weaver





> tcpdump:
>
> 06:29:17.078874 10.2.2.241.1890 > 204.152.189.113.21: S
> 3272713560:3272713560(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:29:20.081771 10.2.2.241.1891 > 204.152.189.113.21: S
> 3273527112:3273527112(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:29:23.087434 10.2.2.241.1892 > 209.250.0.132.21: S
> 3274340020:3274340020(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:29:26.089861 10.2.2.241.1893 > 209.250.0.132.21: S
> 3275149251:3275149251(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:29:29.301291 10.2.2.241.1028 > 10.2.2.14.53:  161+ A?
> hawking.res.cmu.edu. (37)
> 06:29:29.302121 10.2.2.14.53 > 10.2.2.241.1028:  161 NXDomain 0/1/0 (118)
> (DF)
> 06:30:29.836128 10.2.2.241.1938 > 198.133.219.27.21: S
> 3293275935:3293275935(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:30:32.782191 10.2.2.241.1939 > 62.243.72.50.21: S
> 3294076486:3294076486(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:30:35.786356 10.2.2.241.1940 > 129.128.5.191.21: S
> 3294859714:3294859714(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:30:38.690326 10.2.2.241.1941 > 66.26.238.15.21: S
> 3295637385:3295637385(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:30:51.775416 10.2.2.241.1956 > 204.152.189.113.21: S
> 3299451469:3299451469(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:30:54.804154 10.2.2.241.1957 > 216.10.106.189.21: S
> 3300252651:3300252651(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:30:57.712465 10.2.2.241.1958 > 204.152.189.113.21: S
> 3301052975:3301052975(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:31:00.716285 10.2.2.241.1959 > 204.152.189.113.21: S
> 3301854583:3301854583(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:31:03.721980 10.2.2.241.1960 > 209.250.0.132.21: S
> 3302638469:3302638469(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:31:06.725382 10.2.2.241.1961 > 209.250.0.132.21: S
> 3303448449:3303448449(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:31:13.857898 10.2.2.241.1984 > 206.100.24.34.21: S
> 3306270291:3306270291(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:31:16.836273 10.2.2.241.1985 > 206.100.24.34.21: S
> 3307075111:3307075111(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:32:02.060208 10.2.2.241.2004 > 198.133.219.27.21: S
> 3319333584:3319333584(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:32:05.056510 10.2.2.241.2005 > 62.243.72.50.21: S
> 3320119259:3320119259(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:32:08.009097 10.2.2.241.2006 > 129.128.5.191.21: S
> 3320930893:3320930893(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:32:11.013294 10.2.2.241.2007 > 66.26.238.15.21: S
> 3321738567:3321738567(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:32:23.459155 10.2.2.241.2024 > 204.152.189.113.21: S
> 3325545579:3325545579(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:32:26.462660 10.2.2.241.2025 > 216.10.106.189.21: S
> 3326338384:3326338384(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:32:29.433905 10.2.2.241.2026 > 204.152.189.113.21: S
> 3327134151:3327134151(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:32:32.436725 10.2.2.241.2027 > 204.152.189.113.21: S
> 3327941671:3327941671(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:32:35.443518 10.2.2.241.2028 > 209.250.0.132.21: S
> 3328724549:3328724549(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:32:38.444911 10.2.2.241.2029 > 209.250.0.132.21: S
> 3329535547:3329535547(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:32:45.491534 10.2.2.241.2052 > 206.100.24.34.21: S
> 3332310269:3332310269(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
>




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

    This archive was generated by hypermail 2b30 : Tue Apr 09 2002 - 08:37:29 PDT