Re: Unusual volume: UDP:137 probes

From: Alain Fauconnet (alainat_private)
Date: Fri Oct 04 2002 - 00:13:55 PDT


    On Fri, Oct 04, 2002 at 07:58:18AM +1200, Nick FitzGerald wrote:
    > Richard.Grantat_private wrote:
    > Two...
    > 
    > You are right that Bugbear does not produce the flood of port 137 
    > traffic currently being reported.  Bugbear does some spreading via 
    > open or otherwise accessible shares (those writable with the 
    > permissions of the user that ran the EXE) but it uses standard 
    > known network resource enumeration APIs to do its work.  Opaserv (aka 
    > Scrup, Scrsvr, Opasoft) aggressively scans for machines listening on
    > port 137 and is the likely source of most of the increased port 137 
    > activity.
    > 
    > > ScrSvr31415.KERNEL32.dll.RegisterServiceProcess.SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
    > > Software\Microsoft\Windows\CurrentVersion\Internet Settings.ScrSvr.ScrSvrOld.ProxyEnable.ProxyServer.\ScrSvr.exe.ScrSin.dat
    > > .ScrSout.dat.scrupd.exe.www.opasoft.com.GET
    > > http://www.opasoft.com/work/scheduler.php?ver=01&task=newzad&first=0 HTTP/1.1..Host: www.opasoft.com.....GET
    > > http://www.opasoft.com/work/lastver HTTP/1.1..Host:
    > <<snip>>
    > 
    
    Talking of Opaserv, I have an example of a Win95 OSR2.1 box (yes, I
    know) which saw SCRSVR.EXE appear in its Windows folder while online.
    McAfee caught it immediately so it didn't have a chance to run.
    However this box *did* have passwords set on the shares (yes, all of
    them, I have checked).
    
    These passwords were quite non-obvious so I doubt that they could be
    found as a result of a brute-force attack.
    
    I know that Win95 had its share of bugs regarding SMB passwords. This
    one looks like a good candidate:
    
    http://security-archive.merton.ox.ac.uk/bugtraq-200010/0228.html
    NSFOCUS Security Advisory(SA2000-05)
    
    But then it means that Opaserv goes beyond checking for passwordless
    shares (that's all I have seen written so far). It also exploits known
    vulnerabilities.
    
    Greets,
    _Alain_
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
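    Added example, not from this thread or from any tool it mentions: the port 137
    traffic Nick describes is NetBIOS Name Service (NBNS). The Python below builds a
    node-status query (the wildcard "*" probe that "nbtstat -A <ip>" sends) and a
    plain name query, and classifies UDP/137 payloads so a capture can be summarized
    into node-status probes versus ordinary name lookups. The sample payloads are
    constructed inline; the post does not describe Opaserv's exact packet format,
    and nothing below claims to be a capture of it.

```python
import struct

NBNS_PORT = 137
FLAG_RESPONSE = 0x8000
QTYPE_NB = 0x0020      # NB: ordinary name query
QTYPE_NBSTAT = 0x0021  # NBSTAT: node status query, what "nbtstat -A <ip>" sends


def encode_netbios_name(name, suffix=0x00):
    """First-level encoding (RFC 1001 section 14.1): 16 raw bytes (15-char
    name, space padded, plus a suffix byte), each nibble mapped to 'A'..'P'.
    The wildcard name '*' is special: it is followed by 15 NUL bytes."""
    if name == "*":
        raw = b"*" + b"\x00" * 15
    else:
        raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    return bytes(b for byte in raw for b in (0x41 + (byte >> 4), 0x41 + (byte & 0x0F)))


def decode_netbios_name(enc):
    """Reverse of encode_netbios_name; returns (name, suffix)."""
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii", "replace"), raw[15]


def build_query(txid, name, qtype, suffix=0x00):
    """NBNS request: 12-byte header, one question with a 32-byte encoded name."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"\x20" + encode_netbios_name(name, suffix) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 0x0001)


def classify_probe(payload):
    """Describe an NBNS query payload, or return None if it is not one."""
    if len(payload) < 50:
        return None
    txid, flags, qdcount = struct.unpack(">HHH", payload[:6])
    if flags & FLAG_RESPONSE or qdcount != 1:
        return None  # a response, or not exactly one question
    if payload[12] != 0x20 or payload[45] != 0x00:
        return None  # name label must be 32 bytes and end with a zero label
    qtype, qclass = struct.unpack(">HH", payload[46:50])
    if qclass != 0x0001:
        return None
    name, suffix = decode_netbios_name(payload[13:45])
    kind = {QTYPE_NB: "name-query", QTYPE_NBSTAT: "node-status"}.get(qtype, "other")
    return {"txid": txid, "name": name, "suffix": suffix, "kind": kind, "wildcard": name == "*"}


def summarize(payloads):
    """Count probe kinds in a list of UDP/137 payloads (e.g. pulled from a capture)."""
    counts = {}
    for p in payloads:
        info = classify_probe(p)
        key = info["kind"] if info else "malformed"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample traffic for the example, not a real capture.
SAMPLE_PAYLOADS = [
    build_query(0x1001, "*", QTYPE_NBSTAT),            # node-status scan probe
    build_query(0x1002, "*", QTYPE_NBSTAT),
    build_query(0x1003, "WORKGROUP", QTYPE_NB, 0x1D),  # normal browse-master lookup
    b"\x00" * 20,                                      # junk
]

if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        print(classify_probe(p))
    print(summarize(SAMPLE_PAYLOADS))
```

    A sudden majority of wildcard node-status queries from many distinct sources,
    as summarize() would show, is the shape of a scan rather than normal browsing.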
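    Added example, again not from the thread: the advisory Alain points to
    (NSFOCUS SA2000-05, the Windows 9x share-level password bypass later fixed by
    Microsoft in MS00-072) describes a server that compares only as many password
    bytes as the client sends. The Python below models that comparison beside a
    length-independent one and shows why a byte-at-a-time guess needs at most 256
    tries per character, so a non-obvious password is no protection. The stored
    password and the 8-byte length limit are constructed assumptions for the example.

```python
import hmac

# Constructed example share password (not from the post).
STORED_PASSWORD = b"S3CR3T!X"
MAX_LEN = 8  # assumed maximum share-password length for the example


def vulnerable_check(stored, supplied):
    """Models the flaw from NSFOCUS SA2000-05 / MS00-072: the server compares
    only len(supplied) bytes, so a one-byte password that matches the first
    byte of the real one is accepted."""
    n = len(supplied)
    return n > 0 and stored[:n] == supplied


def fixed_check(stored, supplied):
    """Length-independent comparison: both length and content must match.
    hmac.compare_digest returns False for differing lengths and is constant-time."""
    return hmac.compare_digest(stored, supplied)


def recover_password(check, max_len=MAX_LEN):
    """Extend the guessed prefix one byte at a time, keeping the first byte the
    check accepts. Returns (recovered_bytes, attempts). Against the vulnerable
    check this costs at most 256 guesses per byte, and the very first accepted
    one-byte guess already grants access; against the fixed check no one-byte
    guess is accepted and the loop stops after 256 tries."""
    found = b""
    attempts = 0
    for _ in range(max_len):
        for b in range(256):
            attempts += 1
            guess = found + bytes([b])
            if check(guess):
                found = guess
                break
        else:
            break  # no byte extends the prefix: fully recovered, or check not vulnerable
    return found, attempts


if __name__ == "__main__":
    pw, n = recover_password(lambda g: vulnerable_check(STORED_PASSWORD, g))
    print(f"vulnerable server: recovered {pw!r} in {n} guesses")
    pw, n = recover_password(lambda g: fixed_check(STORED_PASSWORD, g))
    print(f"fixed server: recovered {pw!r} after {n} guesses")
```

    The point for the thread: against the flawed comparison the search is linear
    in password length rather than exponential, which is consistent with a worm
    getting past "quite non-obvious" share passwords without any dictionary.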
    



    This archive was generated by hypermail 2b30 : Fri Oct 04 2002 - 22:58:14 PDT