-----Original Message----- From: H C [mailto:keydet89at_private] Sent: Tuesday, August 13, 2002 1:47 PM To: Robert Buckley; 'Baribault, Gary'; grdnwsl; Rob Keown Cc: incidentsat_private Subject: RE: Subseven Scans > A recon probe against the attacking hosts that were > up, indicated that they > are all windows hosts, all with port 139 open to the > public. Some hosts did > show signs of being compromised and had virus' > present. Interesting. How was this determined? "it was determined by examining the contents of the drive in question, and seeing a directory structure that appeared to be one that had been infected. You wont find normal people creating directories with control codes in them, and since more than 1 out of the 20 + hosts had that type of sign, its assumed they are in fact infected with something. It also showed sings that these were not business systems, and of a home type of system, which can lead to a conclusion that they were less secure than business systems, and more prone to have stuff uploaded on them. Most the hosts had MS file sharing enabled, with write access from the root of the drive. Just another sign to lead to a formidable conclusion" > It was determined > that all attacking hosts are unknowingly being used > to attack other systems. Really? How so? Were you able to conduct a virus scan of the attacking hosts and determine that the Trojan or controlling software was actually being used? After all, one cannot conclusively determine, even on an infected system, that the user of the attacking host was unaware that it was infected, and had conducted a port scan. After all, nmap 3.0 was recently released...and yes, it does run on Win32 (precompiled binary available). "see above. Nmap has nothing to do with the equation. It makes no difference wether it was nmap, or a perl port scanner or even if the hosts were worming. The fact that the scan took place sequentially and not at the same time, leads one to believe that this is the work of one person hopping from system to system, quite possibly to try to break ACL's on the borders. Otherwise, a distributed scan of this type is more likely to happen all at once, in order to smoke screen the victim, believing that some of the hosts could be spoofed, or confusing analyses. Instead, the scans were at 1 or so minute intervals and that has "Im one person" written all over it in the signature world. There was no effort on my part to determine if an infection on an attacking host was causing the scan or not. The application source of the scan made no difference in my analyses" The above statement is simply too emphatic for me, without more information. At best, one can say that it was determined with a relative degree of certainty that the attacking host was unknowingly used to attack other systems. "see above: a normal distributed scan happens simultaneously. Scanning from one host to the next at one minute wait time intervals between the scan is not normal, and indicates, in most cases, that a person is hopping from host to host" This goes back to what I mentioned earlier to Rob...until someone posts some speculation (including non-reproducable verification steps...or not) and in the end, the community really hasn't benefited overall. "The community can benefit from whatever they can. I had no intentions of providing speculation, it just happened as part of the proccess if thats how one sees it. What I wanted to send to the original writer, is what I concluded. Not that it is set in stone or otherwise, its up to the analyst to interpret the data I have given them, false or otherwise." I'm glad to see that someone took a look at the hosts...Rob sent me some info about the majority being from Korea...but I think that it would benefit the community as a whole to know how those steps were conducted...how was it determined that the systems were infected, and how was it determined that the infection, the malware installed, was actually what was doing the scanning, and not a port scanner? "It was not my intention to provide how or what tools were used for the attack, only to provide insight on the hosts invloved, and their status, and OS type. That was my intention, and that was what I provided. Any other queries about what tools were invloved, and what infections were present, is not my concern. My only concern was to provide factual data that I had gathered. 1: Windows hosts, all of them - fact. 2: MS Shares at the root level, some of them. - fact. 3: Sequentially scanned, not simutaneous - fact. 4: Hosts were not spoofed. - fact. 5: Some hosts showed signs of virus via the CTRL chars that were used to create directories on their shares. - fact. 6: How long the attack lasted. - fact. 7: Was the attack successful. - fact. Thats all I wanted to get to the original poster. All other concerns, moral values and comments are not warrented. Do with it what you will. Sincerely, RB. __________________________________________________ Do You Yahoo!? HotJobs - Search Thousands of New Jobs http://www.hotjobs.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Aug 14 2002 - 11:10:53 PDT