RE: Security problem in installation IE sp1 ?

From: Wolf, Glenn (glenn.wolf@we-inc.com)
Date: Fri Oct 18 2002 - 09:38:31 PDT


    That host is in Korea (note the port 25 banner time is also in KST).
    
    APNIC only shows it as being owned by "Korea Network Information Center."
    
    Use fport to verify this is really being initiated by ie6setup.exe.
    
    Strange... but remember, anything is possible.....
    
    -----Original Message-----
    From: Honza.K [mailto:honza.dforumat_private]
    Sent: Thursday, October 17, 2002 1:11 AM
    To: bugtraqat_private
    Cc: incidentsat_private
    Subject: Security problem in installation IE sp1 ?
    
    
    Hello all
    
    
    I found a very strange thing when I installed Internet Explorer SP1.
    
    I downloaded the ie6setup.exe install program from
    www.microsoft.com/downloads/. After downloading and starting this program,
    the install wizard started an automatic download. I was looking at the
    firewall and ie6wzd.exe had an open connection to a 62.54.250.120 server.
    The download was slow and I didn't have time, so I stopped the automatic
    installation. That is OK. But the install program showed a message about
    cancelling (you must wait several minutes .. bla bla). I looked at my
    firewall again and found a very strange thing:
    
    the program ie6setup.exe had an open connection to IP 210.117.67.218 on
    port 8080 (probably some proxy).
    
    What is it?
    
    I ran a scan against this machine:
    
    * + 210.117.67.218   [Unknown]
            |___    23  Telnet
                    |___ ........#..'..$
            |___    25  Simple Mail Transfer
                    |___ 220 icache8 ESMTP Sendmail 8.11.6+Sun/8.11.6; Thu, 17
    Oct 2002 17:11:14 +0900 (KST)..
            |___    80  World Wide Web HTTP
            |___   111  SUN Remote Procedure Call
            |___  1720  h323hostcall
            |___  8080  Standard HTTP Proxy
    
    This is a computer/server with OS Sun 5.7? Microsoft and Sun?
    This isn't possible.
            
    Program no.     Name            Version Protocol        Port
    
    (100000)        portmapper      4       TCP             111
    (100000)        portmapper      3       TCP             222
    (100000)        portmapper      2       TCP             333
    (100000)        portmapper      4       UDP             444
    (100000)        portmapper      3       UDP             555
    (100000)        portmapper      2       UDP             666
    (100021)        nlockmgr        1       UDP             4045
    (100021)        nlockmgr        2       UDP             4045
    (100021)        nlockmgr        3       UDP             4045
    (100021)        nlockmgr        4       UDP             4045
    (100024)        status          1       UDP             32773
    (100024)        status          1       TCP             32771
    (100389)        1       UDP             32773
    (100389)        1       TCP             32771
    (100021)        nlockmgr        1       TCP             4045
    (100021)        nlockmgr        2       TCP             4045
    (100021)        nlockmgr        3       TCP             4045
    (100021)        nlockmgr        4       TCP             4045
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
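To act on the "use fport to verify" suggestion in the reply above, the following added example (not part of the thread) correlates a firewall log with fport output and reports, for each outbound connection, whether the image that owns the local port matches the process name the firewall logged. The firewall log format, the PIDs, local ports and image paths are constructed for the example; only fport's column layout is the tool's own.

```python
import re

# Constructed fport output (follows fport's 'Pid Process -> Port Proto Path'
# columns; the PIDs, ports and paths are made up for this example).
FPORT_OUTPUT = r"""
Pid   Process            Port  Proto Path
1204  ie6setup       ->  1093  TCP   C:\Temp\ie6setup.exe
1388  updater        ->  1097  TCP   C:\WINNT\system32\updater.exe
"""

# Constructed firewall log: time, action, process as the firewall names it,
# local port, remote host:port. A real firewall's format will differ.
FIREWALL_LOG = """
2002-10-17 01:05:12 ALLOW ie6wzd.exe 1080 -> 62.54.250.120:80
2002-10-17 01:10:41 ALLOW ie6setup.exe 1093 -> 210.117.67.218:8080
2002-10-17 01:10:55 ALLOW ie6setup.exe 1097 -> 210.117.67.218:8080
"""

FPORT_RE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*)$")
FW_RE = re.compile(r"^\S+ \S+ \S+ (\S+) (\d+) -> (\S+):(\d+)$")


def parse_fport(text):
    """Map (proto, local_port) -> (pid, image path) from fport output."""
    table = {}
    for line in text.splitlines():
        m = FPORT_RE.match(line.strip())
        if m:
            pid, _name, port, proto, path = m.groups()
            table[(proto, int(port))] = (int(pid), path.strip())
    return table


def check_connections(fw_text, fport_text):
    """Return (firewall process, remote, verdict, detail) per firewall entry."""
    owners = parse_fport(fport_text)
    results = []
    for line in fw_text.splitlines():
        m = FW_RE.match(line.strip())
        if not m:
            continue
        fw_proc, lport, rhost, rport = m.groups()
        owner = owners.get(("TCP", int(lport)))
        if owner is None:
            # Port no longer listed: the connection was already closed.
            verdict, detail = "unknown", "port not present in fport output"
        elif owner[1].rsplit("\\", 1)[-1].lower() == fw_proc.lower():
            # Image name behind the port matches what the firewall reported.
            verdict, detail = "confirmed", f"pid {owner[0]} {owner[1]}"
        else:
            # Another image owns the port: the firewall's attribution is suspect.
            verdict, detail = "mismatch", f"fport shows pid {owner[0]} {owner[1]}"
        results.append((fw_proc, f"{rhost}:{rport}", verdict, detail))
    return results
```

Run fport while the connection is still open; a port that has already closed shows up as "unknown", so capture both outputs at the same moment.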



    This archive was generated by hypermail 2b30 : Fri Oct 18 2002 - 17:21:03 PDT