RE: Probes to previously accessed FTPs and UNCs in XP

From: Information Security (InformationSecurityat_private)
Date: Tue Apr 09 2002 - 13:16:27 PDT


    I've noticed somewhat similar behavior in WinNT and Win2k.  In Win2k, the
    triggering event can cause a dvd or zip drive to spin up.  In NT, the event
    has caused a disconnected drive mapping to be reconnected--at one point it
    chose a drive letter of its own choice until it used up all the available
    drive letters (I think we applied a patch for that), but still if I leave
    Windows Explorer in the background, I occasionally see it list 3 or more
    drive mappings to the same drive letter and same share.
    
    We ran the problem down, and determined it was related to shortcuts,
    especially those for "Recent" files.  Shortcuts typically include both a
    drive-relative path and a fully qualified UNC path to the target.  So common
    dialogs like the new-style OpenFile dialog have access to the shortcuts and
    periodically re-query them (maybe to get icons?).  Our solution was to
    occasionally purge recent files, but with Win2k & XP, internet shortcuts are
    showing up all over the place.
    
    
    -----Original Message-----
    From: Eric Weaver [mailto:eric.weaverat_private]
    Sent: Tuesday, April 09, 2002 4:55 AM
    To: Incidentsat_private; BugTraqat_private
    Subject: Probes to previously accessed FTPs and UNCs in XP 
    
    Re: POSSIBLE WORM / DDOS
    
    Sorry for the delayed response.
    
    I have concluded that this activity is caused by another Microsoft
    misfeature.  (Whether it is a virus or not, XP is caching previously
    accessed URLs/UNCs somewhere, leaving these hosts/shares potential victims for
    a virus/worm.)
    
    Findings:
    
    Upon access to certain local directories of the "hot" machine (E:\,
    E:\download\), Windows (XP Pro) causes orderly probing of previously
    accessed FTP URLs & UNCs.  (This explains the many Samba queries after the
    FTP attempts.)
    
    The following caused the network activity:
    
    Start/ Run / E:\ <cr>
    Start/ Run / E:\download <cr>
    
    
    I searched through the local registry for the targeted IPs & share names
    (also searched for possible aliases) but was unable to find anything.  I
    deleted the temporary internet cache, history, etc.  Rebooted.  Machine still
    caused the same network activity.
    
    Reapplying generic-folder-options to the directories that were "triggering"
    this activity seemed to fix the problem.
    
    I wonder where Microsoft is storing this information?  Those directories did
    not have any abnormal/hidden files.  Odd.
    
    Someone mentioned this may be ACEBot or GTBot.  I found no traces of these
    Trojans.
    
    I have not ruled out a virus.
    
    The fact that this happens in regular windows explorer (not shortcut/link
    inside a browser) worries me.
    
    
    Thanks for everyone's $0.02.
    
    _______________________________
    Eric Weaver
    
    > tcpdump:
    >
    > 06:29:17.078874 10.2.2.241.1890 > 204.152.189.113.21: S
    > 3272713560:3272713560(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:29:20.081771 10.2.2.241.1891 > 204.152.189.113.21: S
    > 3273527112:3273527112(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:29:23.087434 10.2.2.241.1892 > 209.250.0.132.21: S
    > 3274340020:3274340020(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:29:26.089861 10.2.2.241.1893 > 209.250.0.132.21: S
    > 3275149251:3275149251(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:29:29.301291 10.2.2.241.1028 > 10.2.2.14.53:  161+ A?
    > hawking.res.cmu.edu. (37)
    > 06:29:29.302121 10.2.2.14.53 > 10.2.2.241.1028:  161 NXDomain 0/1/0 (118)
    > (DF)
    > 06:30:29.836128 10.2.2.241.1938 > 198.133.219.27.21: S
    > 3293275935:3293275935(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:30:32.782191 10.2.2.241.1939 > 62.243.72.50.21: S
    > 3294076486:3294076486(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:30:35.786356 10.2.2.241.1940 > 129.128.5.191.21: S
    > 3294859714:3294859714(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:30:38.690326 10.2.2.241.1941 > 66.26.238.15.21: S
    > 3295637385:3295637385(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:30:51.775416 10.2.2.241.1956 > 204.152.189.113.21: S
    > 3299451469:3299451469(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:30:54.804154 10.2.2.241.1957 > 216.10.106.189.21: S
    > 3300252651:3300252651(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:30:57.712465 10.2.2.241.1958 > 204.152.189.113.21: S
    > 3301052975:3301052975(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:31:00.716285 10.2.2.241.1959 > 204.152.189.113.21: S
    > 3301854583:3301854583(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:31:03.721980 10.2.2.241.1960 > 209.250.0.132.21: S
    > 3302638469:3302638469(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:31:06.725382 10.2.2.241.1961 > 209.250.0.132.21: S
    > 3303448449:3303448449(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:31:13.857898 10.2.2.241.1984 > 206.100.24.34.21: S
    > 3306270291:3306270291(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:31:16.836273 10.2.2.241.1985 > 206.100.24.34.21: S
    > 3307075111:3307075111(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:32:02.060208 10.2.2.241.2004 > 198.133.219.27.21: S
    > 3319333584:3319333584(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:32:05.056510 10.2.2.241.2005 > 62.243.72.50.21: S
    > 3320119259:3320119259(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:32:08.009097 10.2.2.241.2006 > 129.128.5.191.21: S
    > 3320930893:3320930893(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:32:11.013294 10.2.2.241.2007 > 66.26.238.15.21: S
    > 3321738567:3321738567(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:32:23.459155 10.2.2.241.2024 > 204.152.189.113.21: S
    > 3325545579:3325545579(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:32:26.462660 10.2.2.241.2025 > 216.10.106.189.21: S
    > 3326338384:3326338384(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:32:29.433905 10.2.2.241.2026 > 204.152.189.113.21: S
    > 3327134151:3327134151(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:32:32.436725 10.2.2.241.2027 > 204.152.189.113.21: S
    > 3327941671:3327941671(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:32:35.443518 10.2.2.241.2028 > 209.250.0.132.21: S
    > 3328724549:3328724549(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:32:38.444911 10.2.2.241.2029 > 209.250.0.132.21: S
    > 3329535547:3329535547(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    > 06:32:45.491534 10.2.2.241.2052 > 206.100.24.34.21: S
    > 3332310269:3332310269(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    >
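Both halves of the thread point at the same detection problem: a workstation, not a user, opening FTP connections to one remembered server after another on a fixed retry cycle, whether the trigger is a worm or the shell re-querying cached shortcut targets. The script below is an added example, not code from either poster; it parses tcpdump lines in the format quoted above (joined back onto one line per packet) and flags any source that sends SYNs to several distinct port-21 hosts within a short window, then reports the interval between retries to the same host, which is what separates timer-driven probing from someone typing addresses in. The sample capture is constructed for the example using documentation address ranges, and the thresholds (`window`, `min_targets`) are assumptions to tune for the network.

```python
"""Flag hosts that probe many distinct FTP servers on a timer, from tcpdump text."""
import re
from collections import defaultdict

# Constructed sample in the tcpdump format shown in the thread, one packet per
# line (the list archive wrapped each packet over two lines).  Addresses are
# documentation ranges, not the hosts from the original dump.
SAMPLE_TCPDUMP = """\
06:29:17.078874 10.0.0.7.1890 > 192.0.2.10.21: S 1:1(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:29:20.081771 10.0.0.7.1891 > 192.0.2.10.21: S 2:2(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:29:23.087434 10.0.0.7.1892 > 192.0.2.20.21: S 3:3(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:29:29.301291 10.0.0.7.1028 > 10.0.0.2.53:  161+ A? fileserver.example. (37)
06:30:29.836128 10.0.0.7.1938 > 198.51.100.5.21: S 4:4(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:30:32.782191 10.0.0.7.1939 > 198.51.100.6.21: S 5:5(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:30:35.786356 10.0.0.7.1940 > 203.0.113.9.21: S 6:6(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:30:40.000000 10.0.0.7.1941 > 203.0.113.9.445: S 7:7(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:31:00.000000 10.0.0.9.2000 > 192.0.2.10.21: S 8:8(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:32:02.060208 10.0.0.7.2004 > 198.51.100.5.21: S 9:9(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
"""

# Matches the start of a tcpdump -n TCP line carrying the S (SYN) flag:
#   HH:MM:SS.usec src.sport > dst.dport: S ...
# DNS lines and other non-SYN traffic do not match and are skipped.
SYN_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+S\b"
)


def to_seconds(ts: str) -> float:
    """Convert a tcpdump HH:MM:SS.usec timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_syns(lines):
    """Return a list of (seconds, src, dst, dport) for every SYN line."""
    syns = []
    for line in lines:
        m = SYN_RE.match(line.strip())
        if m:
            syns.append((to_seconds(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return syns


def find_probers(syns, port=21, window=120.0, min_targets=4):
    """Map src -> sorted distinct destinations, for every src that sent SYNs to
    at least `min_targets` distinct hosts on `port` inside any `window`-second
    span.  A sliding window over the per-source event list keeps this linear."""
    by_src = defaultdict(list)
    for t, src, dst, dport in syns:
        if dport == port:
            by_src[src].append((t, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({d for _, d in events[start:end + 1]}) >= min_targets:
                hits[src] = sorted({d for _, d in events})
                break
    return hits


def retry_gaps(syns, src, port=21):
    """Seconds between successive SYNs from `src` to each destination on `port`.
    Only destinations contacted more than once are reported; a steady gap
    (the ~3 s and ~92 s cycles in the thread's dump) means a timer, not a user."""
    times = defaultdict(list)
    for t, s, dst, dport in syns:
        if s == src and dport == port:
            times[dst].append(t)
    return {dst: [round(b - a, 3) for a, b in zip(ts, ts[1:])]
            for dst, ts in times.items() if len(ts) > 1}


if __name__ == "__main__":
    syns = parse_syns(SAMPLE_TCPDUMP.splitlines())
    for src, targets in find_probers(syns).items():
        print(f"{src} opened FTP connections to {len(targets)} distinct hosts: {targets}")
        print("  retry gaps per host:", retry_gaps(syns, src))
```

Run it against a live capture with `tcpdump -n -l 'tcp[tcpflags] & tcp-syn != 0 and dst port 21' | python3 script.py` after swapping the embedded sample for `sys.stdin`; a workstation that trips `find_probers` with evenly spaced `retry_gaps` is the one whose Recent folder and mapped drives to go through next, as the reply above describes.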
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Tue Apr 09 2002 - 13:41:24 PDT