HC,

Actually, the endpoint map is on tcp 135 on MS Windows boxes. But I have never tried it through a firewall before, so I don't know. It might use tcp 139/145 SMB traffic. Tcp port 1025 is being hosted by the task scheduler on this w2k box. Running "rpcdump.exe -v -i" I get the following endpoint information:

ProtSeq:ncacn_ip_tcp
Endpoint:1025
NetOpt:
Annotation:
IsListening:YES
StringBinding:ncacn_ip_tcp:192.168.217.200[1025]
UUID:378e52b0-c0a9-11cf-822d-00aa0051e40f
ComTimeOutValue:RPC_C_BINDING_DEFAULT_TIMEOUT
VersMajor 1  VersMinor 0

ProtSeq:ncacn_ip_tcp
Endpoint:1025
NetOpt:
Annotation:
IsListening:YES
StringBinding:ncacn_ip_tcp:66.44.7.46[1025]
UUID:378e52b0-c0a9-11cf-822d-00aa0051e40f
ComTimeOutValue:RPC_C_BINDING_DEFAULT_TIMEOUT
VersMajor 1  VersMinor 0

ProtSeq:ncacn_ip_tcp
Endpoint:1025
NetOpt:
Annotation:
IsListening:YES
StringBinding:ncacn_ip_tcp:192.168.217.200[1025]
UUID:1ff70682-0a51-30e8-076d-740be8cee98b
ComTimeOutValue:RPC_C_BINDING_DEFAULT_TIMEOUT
VersMajor 1  VersMinor 0

ProtSeq:ncacn_ip_tcp
Endpoint:1025
NetOpt:
Annotation:
IsListening:YES
StringBinding:ncacn_ip_tcp:66.44.7.46[1025]
UUID:1ff70682-0a51-30e8-076d-740be8cee98b
ComTimeOutValue:RPC_C_BINDING_DEFAULT_TIMEOUT
VersMajor 1  VersMinor 0

Perhaps someone is looking for a poorly configured Windows box on which to schedule a task. :-)

Regards,

George.

-----Original Message-----
From: H C [mailto:keydet89at_private]
Sent: Thursday, July 18, 2002 10:34 PM
To: George M. Garner Jr.
Subject: Re: TCP 1025 scanning worm?

George,

Will that work in all cases, or only if port 111 is open?

HC

--- "George M. Garner Jr." <gmgarnerat_private> wrote:
> HC,
>
> Running rpcdump.exe from the resource kit also might
> clear things up. It will show what interface is being
> advertized over that port.
>
> Regards,
>
> George.
>
> ----- Original Message -----
> From: "H C" <keydet89at_private>
> To: <incidentsat_private>
> Cc: <rdumpat_private>
> Sent: Thursday, July 18, 2002 2:36 PM
> Subject: re: TCP 1025 scanning worm?
>
>
> > > The sources are all Windows boxes listening on TCP
> > > port 1025.
> >
> > Not surprising at all. MS has documentation that
> > states that the ports from 1025-1030 are used by RPC.
> >
> > Have you checked your own machine w/ fport? I've got
> > ports open in that range on my system right now, but
> > they're all used by MS processes.
> >
> > > The ramp up in volume from widely separated source
> > > IPs looks wormy.
> >
> > How so? The log extract you provided doesn't show any
> > data...it looks as if the initial SYN packet was
> > denied. This could easily be a port scanner.

__________________________________________________
Do You Yahoo!?
Yahoo! Autos - Get free new car price quotes
http://autos.yahoo.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
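George's point is that rpcdump.exe tells you which RPC interface is behind a port, not just that something listens there. The parser below is an added example for this thread, not code from the list, from George, or from rpcdump itself: it reads the verbose `rpcdump.exe -v -i` output, groups the endpoint records by interface UUID, and flags bindings on globally routable addresses. The sample input is constructed from the four records quoted in the message above, rebuilt from a template because they differ only in bound address and UUID; the one-field-per-line record layout, with the `VersMajor ... VersMinor ...` line closing each record, is an assumption about how rpcdump lays the output out (the archive collapsed the line breaks). On that input it shows both interfaces on tcp/1025 bound on the private 192.168.217.200 address and on the public 66.44.7.46 address.

```python
"""Parse rpcdump.exe -v -i output and report which RPC interface UUIDs are
advertised on which addresses and ports.  Added example for this thread, not
code from the list or from rpcdump; the per-line record layout is assumed."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the four records quoted in the message, rebuilt from a
# template since they differ only in bound address and interface UUID.
_RECORD = """ProtSeq:ncacn_ip_tcp
Endpoint:1025
NetOpt:
Annotation:
IsListening:YES
StringBinding:ncacn_ip_tcp:{host}[1025]
UUID:{uuid}
ComTimeOutValue:RPC_C_BINDING_DEFAULT_TIMEOUT
VersMajor 1  VersMinor 0
"""
SAMPLE = "".join(_RECORD.format(host=h, uuid=u)
                 for u in ("378e52b0-c0a9-11cf-822d-00aa0051e40f",
                           "1ff70682-0a51-30e8-076d-740be8cee98b")
                 for h in ("192.168.217.200", "66.44.7.46"))

FIELD_RE = re.compile(r"^(\w+):(.*)$")
VERS_RE = re.compile(r"^VersMajor\s+(\d+)\s+VersMinor\s+(\d+)$")
# ncacn_ip_tcp:192.168.217.200[1025] -> protseq, host, endpoint
BINDING_RE = re.compile(r"^(?P<protseq>\w+):(?P<host>[^\[]*)\[(?P<endpoint>[^\]]*)\]$")


def parse_rpcdump(text):
    """One dict per endpoint record; the VersMajor line closes a record."""
    records, cur = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = VERS_RE.match(line)
        if m:
            cur["Version"] = f"{m.group(1)}.{m.group(2)}"
            records.append(cur)
            cur = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            cur[m.group(1)] = m.group(2).strip()
    if cur:  # tolerate a truncated final record
        records.append(cur)
    return records


def is_routable(host):
    """True if the bound address is globally routable, i.e. the endpoint is
    reachable from outside unless a firewall in front of it filters it."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:  # a hostname rather than an address; undecidable offline
        return False


def summarize(records):
    """Group listening endpoints by interface UUID: version, sorted
    (protseq, host, endpoint) bindings, and the routable hosts among them."""
    by_uuid = defaultdict(lambda: {"version": None, "bindings": set(), "external": set()})
    for rec in records:
        if rec.get("IsListening", "").upper() != "YES" or "UUID" not in rec:
            continue
        m = BINDING_RE.match(rec.get("StringBinding", ""))
        if not m:
            continue
        entry = by_uuid[rec["UUID"].lower()]
        entry["version"] = rec.get("Version")
        entry["bindings"].add((m["protseq"], m["host"], m["endpoint"]))
        if m["protseq"].startswith("ncacn_ip") and is_routable(m["host"]):
            entry["external"].add(m["host"])
    return {u: {"version": e["version"], "bindings": sorted(e["bindings"]),
                "external": sorted(e["external"])} for u, e in by_uuid.items()}


def interfaces_on_port(records, port):
    """UUIDs advertising an ncacn_ip_tcp endpoint on `port`."""
    return sorted(u for u, e in summarize(records).items()
                  if any(p == "ncacn_ip_tcp" and ep == str(port) for p, _, ep in e["bindings"]))


if __name__ == "__main__":
    recs = parse_rpcdump(SAMPLE)
    for uuid, info in summarize(recs).items():
        print(f"{uuid} v{info['version']}")
        for protseq, host, ep in info["bindings"]:
            mark = "  <- routable address" if host in info["external"] else ""
            print(f"    {protseq}:{host}[{ep}]{mark}")
    print("interfaces on tcp/1025:", interfaces_on_port(recs, 1025))
```

To use it on a real box, redirect `rpcdump.exe -v -i` to a file and pass the file's contents to `parse_rpcdump` instead of `SAMPLE`. Records that are not `IsListening:YES` are dropped, and a `StringBinding` whose host is a name rather than an address is never flagged as routable, since that cannot be decided without resolving it.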
This archive was generated by hypermail 2b30 : Fri Jul 19 2002 - 08:23:16 PDT