RE: Help - a possible bot

From: Dan Perez (danperezat_private)
Date: Sat Nov 16 2002 - 00:33:48 PST

    You may want to try the recently released PortExplorer from
    
    http://www.diamondcs.com.au/portexplorer/
    
    You will likely need to get the registered version to be of any help in your
    predicament, but you can get an idea of what it can do from the demo
    version.
    
    An alternative would be the SysInternals utilities of TCPmon, Filemon, and
    Regmon but with PortExplorer you can set it to "spy" on any socket and data
    being sent and received. It separates the header info from the payload,
    however, so if you need more header info than the parsed details it provides,
    you would need to resort to winpcap and windump or snort.
    
    Regards,
    
    Dan Perez
    
    
    -----Original Message-----
    From: Moshe Aelion [mailto:ma0934at_private]
    Sent: Friday, November 15, 2002 12:11 PM
    To: incidents @ security focus
    Subject: Help - a possible bot
    
    
    Hi everybody
    
    Two weeks ago, the NAT/ICMP computer on our LAN got compromised; the hacker
    installed DameWare and was trying to work on the computer. It was discovered
    within about 10 minutes. I then installed ZoneAlarm Pro.
    
    The problem is, I am detecting a suspicious hit/respond activity, which, in
    my opinion, points to an active bot. Here's the evidence: when inspecting ZA
    logs, you can see a blocked scan (coming every couple of minutes, from
    arbitrary addresses - I bet they're spoofed - and soon after, the computer
    responds with a (blocked) attempt to communicate with that address. This
    points to an active bot (in my opinion), since, although ZA claims it
    blocked the incoming attempt, the computer immediately tries to respond -
    therefore SOMETHING inside did get a message.
    
    I did a lot of port blocking, Foundstone fport tracking, netstat -an, and
    couldn't find anything extraordinary. I installed PestPatrol and Trojan
    Remover, they discovered nothing. (Except fport which I used). The
    "HKEY_localmachine_software...Microsoft\...currentversion\run" registry key
    doesn't show anything suspicious.
    
    I do notice, though, that svchost is unusually active - doing about 25k
    read/write I/O per second, with nothing running.
    I did a lot of port blocking and couldn't stop the hit/response phenomenon.
    I also stopped several processes and services and the phenomenon didn't
    stop.
    
    I'm attaching here the ZA log. The incoming attempt and the response are
    denoted with "<--".
    
    I'm also attaching the netstat -an and fport scan outputs.
    
    Thanks in advance for any assistance
    
    Moshe
    
    ==========================      ZA log    =======================
    1  FWIN,  21:55:54, 66.139.182.144:1065,    my.net.237.99:137,UDP   <--
    2  FWOUT, 21:55:56,  my.net.237.99:1025,   66.139.182.144:137,UDP   <--
    3  FWIN,  21:58:18,  213.9.242.122:1029,    my.net.237.99:137,UDP   <--
    4  FWOUT, 21:58:18,  my.net.237.99:1025,    213.9.242.122:137,UDP   <--
    5  FWIN,  21:59:54,    192.168.0.5: 138,    192.168.0.255:138,UDP
    6  FWIN,  22:00:38, 212.179.237.86:1026,    my.net.237.99:137,UDP
    7  FWIN,  22:00:38, 212.179.209.67:   0,    my.net.237.99:0,ICMP (type:8/subtype:0)
    8  ACCESS,22:01:52,RuLaunch blocked from connecting to Internet (216.49.88.100:HTTP)
    9  FWIN,  22:02:04,  64.231.129.73:1030,    my.net.237.99:137,UDP
    10 FWIN,  22:02:44,  61.228.26.161:1027,    my.net.237.99:137,UDP
    11 FWIN,  22:02:56,  62.94.131.238:3375,   my.net.237.99:6588,TCP (flags:S)
    12 FWIN,  22:07:34,   200.76.64.2:62695,    my.net.237.99:137,UDP   <--
    13 FWOUT, 22:07:40,  my.net.237.99:1025,      200.76.64.2:137,UDP   <--
    14 ACCESS,22:07:52,RuLaunch blocked from connecting to Internet (216.49.88.100:HTTP)
    15 FWIN,  22:09:02,  200.67.76.211:1026,    my.net.237.99:137,UDP
    16 FWIN,  22:10:40,140.186.157.226:6522,    my.net.237.99:137,UDP   <--
    17 FWOUT, 22:10:40,  my.net.237.99:1025,  140.186.157.226:137,UDP   <--
    18 FWIN,  22:10:58,   12.22.205.3:10647,    my.net.237.99:137,UDP   <--
    19 FWOUT, 22:10:58,  my.net.237.99:1025,      12.22.205.3:137,UDP   <--
    20 FWIN,  22:11:46,   68.67.228.47:1132,    my.net.237.99:137,UDP
    21 ACCESS,22:11:54,RuLaunch blocked from connecting to Internet (216.49.88.100:HTTP)
    22 FWIN,  22:12:14,  200.75.14.169:1025,    my.net.237.99:137,UDP   <--
    23 FWOUT, 22:12:16,  my.net.237.99:1025,    200.75.14.169:137,UDP   <--
    24 FWIN,  22:12:20, 80.235.53.242:30150,    my.net.237.99:137,UDP
    25 FWIN,  22:13:44, 200.56.237.243:1026,    my.net.237.99:137,UDP
    26 FWIN,  22:13:52,  64.110.231.28:1025,    my.net.237.99:137,UDP
    27 ACCESS,22:13:54,RuLaunch blocked from connecting to Internet (216.49.88.100:HTTP)
    28 FWIN,  22:15:40, 200.63.158.210:1025,    my.net.237.99:137,UDP
    29 FWIN,  22:17:10, 203.99.155.122:1027,    my.net.237.99:137,UDP
    30 FWIN,  22:19:16, 166.114.241.42:1037,    my.net.237.99:137,UDP   <--
    31 FWOUT, 22:19:16,  my.net.237.99:1025,   166.114.241.42:137,UDP   <--
    32 FWIN,  22:21:28, 161.132.196.30:1027,    my.net.237.99:137,UDP
    33 ACCESS,22:21:54,RuLaunch blocked from connecting to Internet (216.49.88.100:HTTP)
    34 FWIN,  22:22:04,   209.86.1.157:1029,    my.net.237.99:137,UDP
    =========================  end of ZA log ==================================
    
    Note: the 10.0.0.1:3028 to 10.0.0.138:1723 link is the ADSL pptp.
    
    =========================  "netstat -an" output ==============================
    
    Active Connections
    
      Proto  Local Address          Foreign Address        State
      TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
      TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
      TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
      TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
      TCP    0.0.0.0:1723           0.0.0.0:0              LISTENING
      TCP    0.0.0.0:3006           0.0.0.0:0              LISTENING
      TCP    0.0.0.0:3028           0.0.0.0:0              LISTENING
      TCP    10.0.0.1:3028          10.0.0.138:1723        ESTABLISHED
      TCP    10.0.0.1:7732          0.0.0.0:0              LISTENING
      TCP    192.168.0.1:139        0.0.0.0:0              LISTENING
      TCP    192.168.0.1:3002       0.0.0.0:0              LISTENING
      TCP    192.168.0.1:3003       0.0.0.0:0              LISTENING
      TCP    192.168.0.1:3004       0.0.0.0:0              LISTENING
      TCP    192.168.0.1:14810      0.0.0.0:0              LISTENING
      TCP    my.net.217.125:13145  0.0.0.0:0              LISTENING
      UDP    0.0.0.0:135            *:*
      UDP    0.0.0.0:445            *:*
      UDP    0.0.0.0:1027           *:*
      UDP    0.0.0.0:3001           *:*
      UDP    0.0.0.0:3239           *:*
      UDP    0.0.0.0:3240           *:*
      UDP    10.0.0.1:500           *:*
      UDP    10.0.0.1:6979          *:*
      UDP    192.168.0.1:53         *:*
      UDP    192.168.0.1:67         *:*
      UDP    192.168.0.1:68         *:*
      UDP    192.168.0.1:137        *:*
      UDP    192.168.0.1:138        *:*
      UDP    192.168.0.1:500        *:*
      UDP    192.168.0.1:10900      *:*
      UDP    192.168.0.1:17985      *:*
      UDP    192.168.0.1:17987      *:*
      UDP    my.net.217.125:500    *:*
      UDP    my.net.217.125:9504   *:*
    =========================  end of "netstat -an" output =========================
    
    =========================  "fport /p" output ==========================
    FPort v1.33 - TCP/IP Process to Port Mapper
    Copyright 2000 by Foundstone, Inc.
    
    Pid   Process            Port  Proto Path
    400   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
    8     System         ->  139   TCP
    8     System         ->  445   TCP
    516   MSTask         ->  1025  TCP   C:\WINNT\system32\MSTask.exe
    8     System         ->  1026  TCP
    8     System         ->  1723  TCP
    612   vsmon          ->  3002  TCP   C:\WINNT\system32\ZoneLabs\vsmon.exe
    472   svchost        ->  3006  TCP   C:\WINNT\System32\svchost.exe
    8     System         ->  3657  TCP
    8     System         ->  4629  TCP
    8     System         ->  4775  TCP
    
    400   svchost        ->  135   UDP   C:\WINNT\system32\svchost.exe
    8     System         ->  137   UDP
    8     System         ->  138   UDP
    8     System         ->  445   UDP
    228   lsass          ->  500   UDP   C:\WINNT\system32\lsass.exe
    216   services       ->  1027  UDP   C:\WINNT\system32\services.exe
    472   svchost        ->  3001  UDP   C:\WINNT\System32\svchost.exe
    1276  RuLaunch       ->  3167  UDP   C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
    612   vsmon          ->  17985 UDP   C:\WINNT\system32\ZoneLabs\vsmon.exe
    612   vsmon          ->  17987 UDP   C:\WINNT\system32\ZoneLabs\vsmon.exe
    
    =========================  end of "fport /p" output ==========================
    
    
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
    
    
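The inbound/outbound pairing that Moshe marks by hand with "<--" in the ZA log, as an added example that is not part of either message: a small Python script that parses entries in the posted ZoneAlarm log format, pairs each blocked inbound packet with the first outbound packet to the same remote host and protocol within a short window, and tallies protocol, local source port and remote destination port over the outbound halves. The ten-second window is an assumed value; the sample lines are copied from the log in the post, with the ACCESS and ICMP entries kept wrapped the way the mail client wrapped them, and the parser skips those continuation lines rather than trying to join them.

```python
"""Pair blocked inbound probes with outbound replies in a ZoneAlarm (ZA) log.

Added example for the thread above; not code from the original post.
"""
import re
from collections import Counter

# Sample input: entries copied from the ZA log in Moshe's post, including two
# entries that the mail client wrapped onto a second line.
SAMPLE_LOG = """\
1  FWIN,  21:55:54, 66.139.182.144:1065,    my.net.237.99:137,UDP   <--
2  FWOUT, 21:55:56,  my.net.237.99:1025,   66.139.182.144:137,UDP   <--
3  FWIN,  21:58:18,  213.9.242.122:1029,    my.net.237.99:137,UDP   <--
4  FWOUT, 21:58:18,  my.net.237.99:1025,    213.9.242.122:137,UDP   <--
5  FWIN,  21:59:54,    192.168.0.5: 138,    192.168.0.255:138,UDP
6  FWIN,  22:00:38, 212.179.237.86:1026,    my.net.237.99:137,UDP
7  FWIN,  22:00:38, 212.179.209.67:   0,    my.net.237.99:0,ICMP
(type:8/subtype:0)
8  ACCESS,22:01:52,RuLaunch blocked from connecting to Internet
(216.49.88.100:HTTP)
11 FWIN,  22:02:56,  62.94.131.238:3375,   my.net.237.99:6588,TCP (flags:S)
12 FWIN,  22:07:34,   200.76.64.2:62695,    my.net.237.99:137,UDP   <--
13 FWOUT, 22:07:40,  my.net.237.99:1025,      200.76.64.2:137,UDP   <--
"""

# One FWIN/FWOUT entry: "<n> <dir>, <HH:MM:SS>, <src>:<sport>, <dst>:<dport>,<proto>".
# Hosts may be masked ("my.net.237.99") and ports may be padded with spaces.
LINE_RE = re.compile(
    r"^\s*\d+\s+(?P<dir>FWIN|FWOUT),\s*(?P<time>\d\d:\d\d:\d\d),"
    r"\s*(?P<src>[\w.]+):\s*(?P<sport>\d+),"
    r"\s*(?P<dst>[\w.]+):\s*(?P<dport>\d+),(?P<proto>\w+)"
)


def _secs(hhmmss):
    """HH:MM:SS -> seconds since midnight (the posted log does not cross midnight)."""
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def parse_za_log(text):
    """Return FWIN/FWOUT entries as dicts; ACCESS entries and wrapped
    continuation lines such as "(type:8/subtype:0)" do not match and are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["sport"] = int(ev["sport"])
        ev["dport"] = int(ev["dport"])
        ev["t"] = _secs(ev["time"])
        events.append(ev)
    return events


def find_response_pairs(events, window=10):
    """Pair each blocked inbound packet with the first later outbound packet to the
    same remote host and protocol within `window` seconds (assumed value).
    Assumes the log is in chronological order, as ZA writes it."""
    pairs = []
    for i, ev in enumerate(events):
        if ev["dir"] != "FWIN":
            continue
        for later in events[i + 1:]:
            if later["t"] - ev["t"] > window:
                break
            if (later["dir"] == "FWOUT" and later["dst"] == ev["src"]
                    and later["proto"] == ev["proto"]):
                pairs.append((ev, later))
                break
    return pairs


def response_profile(pairs):
    """Count (proto, local source port, remote destination port) over the outbound
    halves. A single dominant tuple means one local socket answering one service port."""
    return Counter((out["proto"], out["sport"], out["dport"]) for _, out in pairs)


if __name__ == "__main__":
    evs = parse_za_log(SAMPLE_LOG)
    ps = find_response_pairs(evs)
    for inb, out in ps:
        print(f"{inb['time']} {inb['src']}:{inb['sport']} -> :{inb['dport']}/{inb['proto']}  "
              f"answered {out['t'] - inb['t']}s later from :{out['sport']} to :{out['dport']}")
    print(response_profile(ps))
```

On the posted lines every paired "response" is UDP from local port 1025 to remote port 137, so the profile collapses to a single tuple; having that summary in hand narrows what to chase with fport, a socket spy like the one Dan suggests, or a packet capture, because it says which local port and which remote service port to watch.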
    



    This archive was generated by hypermail 2b30 : Sun Nov 17 2002 - 23:14:03 PST