Re: Help - a possible bot

From: Moshe Aelion (ma0934at_private)
Date: Fri Nov 22 2002 - 06:01:36 PST

  • Next message: Krueger Lawrence: "RE: Port 1080"

    Hi Emeric
    
    Analyzing the PC, it does not seem it's infected by Opaserv. There is no
    suspicious file with *scr* anywhere.
    
    Still, like you said, wht's worrying is that the PC is responding to the
    port probes. Apparently traffic to port 137 is blocked - so maybe it's
    penetrating from another port, of from an allowed program; but the PC is
    responding, which means SOMETHING inside is listening, then responding (very
    quickly). Also, when the Internet is on-line, the explorer and svchost
    processes are constantly active, with I/O of 25-30 kbps. This ceases when I
    go offf-line.
    
    Can anyone help? Thanks in advance
    
    Moshe
    
    
    --------------------- Original
    Message ----- --------------------------------
    From: Emeric Miszti
    To: Moshe Aelion
    Cc: incidents @ security focus
    Sent: Saturday, November 16, 2002 12:59 PM
    Subject: Re: Help - a possible bot
    
    
    Hi Moshe,
    
    What you are seeing with the incoming port 137 UDP requests is probably
    the Opeserv worm. Have a look at
    http://antivirus.about.com/library/weekly/aa100102a.htm.
    
    Everyone is seeing a lot of these at the moment and if you have a look
    at http://isc.incidents.org/ then you will see that port 137 is far and
    away the most attacked port at the moment.
    
    You can easily identify this kind of activity because the source port of
    normal UDP 137 traffic is 137 and the destination is port 137. With the
    worm activity the source port becomes something above 1024 with the
    destination as 137.
    
    Looking at your fport traces, etc it doesn't look like your PC is
    infected by Opaserv but what is worrying is that you may be responding
    to the port probes, thus making you a target for further attack and that
    may explain the high usage on svchost!
    
    Make sure that you are not infected by Opaserv by checking through the
    details provided by anti-virus companies such as
    http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.worm.htm
    l
    
    Since the PC has been previously hacked I would be very suspicious
    anyway and wouldn't rely on the firewall doing its job properly.
    Dameware is a total remote control package so anything could have been
    installed. Personally I would rebuild the PC and then install a good
    firewall on a clean box. That is the only way you can ever be 100% sure
    you are clean.
    
    Regards
    --
    Emeric Miszti
    UK Security Online
    http://www.uksecurityonline.com
    
    Tel No: 0870 088 5689
    Fax No: 0870 706 2162
    
    PGP Public Key available at
    http://www.uksecurityonline.com/emeric.asc
    
    On Fri, 2002-11-15 at 20:11, Moshe Aelion wrote:
    > Hi everybody
    >
    > Two weeks ago, the NAT/ICMP computer on our LAN got compromised; the
    hacked
    > installed DameWare and was trying to work on the computer. It was
    discovered
    > within about 10 minutes. I then installed ZoneAlarm Pro.
    >
    > The problem is, I am detecting a suspicious hit/respond activity, which,
    in
    > my opinion, points to an active bot. Here's the evidence: when inspecting
    ZA
    > logs, you can see a blocked scan (coming every couple of minutes, from
    > arbitrary addresses - I bet they're spoofed - and soon after, the computer
    > responds with a (blocked) attempt to communicated with that address. This
    > points to an active bot (in my opinion), since, although ZA claims it
    > blocked the incoming attempt, the computer immediately tries to respond -
    > therefore SOMETHING inside did get a message.
    >
    > I did a lot of port blocking, foundation fport tracking, netstat -an, and
    > couldn't find anything extraordinary. I installed PestPatrol and Trojan
    > Remover, they discovered nothing. (Except fport which I used). The
    > "HKEY_localmachine_software...Microsoft\...currentversion\run" registry
    key
    > doesn't show anything suspicious.
    >
    > I do notice, though, that svchost is unusually active - doing about 25k
    > read/write I/O per second, with nothing running.
    > I did a lot of port blocking and couldn't stop the hit/response
    phenomenon.
    > I also stopped several processes and services and the phenomenon didn't
    > stop.
    >
    > I'm attaching here the ZA log. The incoming attempt and the response are
    > denoted with "<--".
    >
    > I'm also attaching the netstat -an and fport scan outputs.
    >
    > Thanking any assistance in advance
    >
    > Moshe
    >
    > ==========================      ZA log    =======================
    > 1  FWIN,  21:55:54, 66.139.182.144:1065,    my.net.237.99:137,UDP   <--
    > 2  FWOUT, 21:55:56,  my.net.237.99:1025,   66.139.182.144:137,UDP   <--
    > 3  FWIN,  21:58:18,  213.9.242.122:1029,    my.net.237.99:137,UDP   <--
    > 4  FWOUT, 21:58:18,  my.net.237.99:1025,    213.9.242.122:137,UDP   <--
    > 5  FWIN,  21:59:54,    192.168.0.5: 138,    192.168.0.255:138,UDP
    > 6  FWIN,  22:00:38, 212.179.237.86:1026,    my.net.237.99:137,UDP
    > 7  FWIN,  22:00:38, 212.179.209.67:   0,    my.net.237.99:0,ICMP
    > (type:8/subtype:0)
    > 8  ACCESS,22:01:52,RuLaunch blocked from connecting to Internet
    > (216.49.88.100:HTTP)
    > 9  FWIN,  22:02:04,  64.231.129.73:1030,    my.net.237.99:137,UDP
    > 10 FWIN,  22:02:44,  61.228.26.161:1027,    my.net.237.99:137,UDP
    > 11 FWIN,  22:02:56,  62.94.131.238:3375,   my.net.237.99:6588,TCP
    (flags:S)
    > 12 FWIN,  22:07:34,   200.76.64.2:62695,    my.net.237.99:137,UDP   <--
    > 13 FWOUT, 22:07:40,  my.net.237.99:1025,      200.76.64.2:137,UDP   <--
    > 14 ACCESS,22:07:52,RuLaunch blocked from connecting to Internet
    > (216.49.88.100:HTTP)
    > 15 FWIN,  22:09:02,  200.67.76.211:1026,    my.net.237.99:137,UDP
    > 16 FWIN,  22:10:40,140.186.157.226:6522,    my.net.237.99:137,UDP   <--
    > 17 FWOUT, 22:10:40,  my.net.237.99:1025,  140.186.157.226:137,UDP   <--
    > 18 FWIN,  22:10:58,   12.22.205.3:10647,    my.net.237.99:137,UDP   <--
    > 19 FWOUT, 22:10:58,  my.net.237.99:1025,      12.22.205.3:137,UDP   <--
    > 20 FWIN,  22:11:46,   68.67.228.47:1132,    my.net.237.99:137,UDP
    > 21 ACCESS,22:11:54,RuLaunch blocked from connecting to Internet
    > (216.49.88.100:HTTP)
    > 22 FWIN,  22:12:14,  200.75.14.169:1025,    my.net.237.99:137,UDP   <--
    > 23 FWOUT, 22:12:16,  my.net.237.99:1025,    200.75.14.169:137,UDP   <--
    > 24 FWIN,  22:12:20, 80.235.53.242:30150,    my.net.237.99:137,UDP
    > 25 FWIN,  22:13:44, 200.56.237.243:1026,    my.net.237.99:137,UDP
    > 26 FWIN,  22:13:52,  64.110.231.28:1025,    my.net.237.99:137,UDP
    > 27 ACCESS,22:13:54,RuLaunch blocked from connecting to Internet
    > (216.49.88.100:HTTP)
    > 28 FWIN,  22:15:40, 200.63.158.210:1025,    my.net.237.99:137,UDP
    > 29 FWIN,  22:17:10, 203.99.155.122:1027,    my.net.237.99:137,UDP
    > 30 FWIN,  22:19:16, 166.114.241.42:1037,    my.net.237.99:137,UDP   <--
    > 31 FWOUT, 22:19:16,  my.net.237.99:1025,   166.114.241.42:137,UDP   <--
    > 32 FWIN,  22:21:28, 161.132.196.30:1027,    my.net.237.99:137,UDP
    > 33 ACCESS,22:21:54,RuLaunch blocked from connecting to Internet
    > (216.49.88.100:HTTP)
    > 34 FWIN,  22:22:04,   209.86.1.157:1029,    my.net.237.99:137,UDP
    > =========================  end of ZA log
    ==================================
    >
    > Note: the 10.0.0.1:3028 to 10.0.0.138:1723 link is the ADSL pptp.
    >
    > =========================  "netstat -an"
    > output==============================
    >
    > Active Connections
    >
    >   Proto  Local Address          Foreign Address        State
    >   TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
    >   TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
    >   TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
    >   TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
    >   TCP    0.0.0.0:1723           0.0.0.0:0              LISTENING
    >   TCP    0.0.0.0:3006           0.0.0.0:0              LISTENING
    >   TCP    0.0.0.0:3028           0.0.0.0:0              LISTENING
    >   TCP    10.0.0.1:3028          10.0.0.138:1723        ESTABLISHED
    >   TCP    10.0.0.1:7732          0.0.0.0:0              LISTENING
    >   TCP    192.168.0.1:139        0.0.0.0:0              LISTENING
    >   TCP    192.168.0.1:3002       0.0.0.0:0              LISTENING
    >   TCP    192.168.0.1:3003       0.0.0.0:0              LISTENING
    >   TCP    192.168.0.1:3004       0.0.0.0:0              LISTENING
    >   TCP    192.168.0.1:14810      0.0.0.0:0              LISTENING
    >   TCP    my.net.217.125:13145  0.0.0.0:0              LISTENING
    >   UDP    0.0.0.0:135            *:*
    >   UDP    0.0.0.0:445            *:*
    >   UDP    0.0.0.0:1027           *:*
    >   UDP    0.0.0.0:3001           *:*
    >   UDP    0.0.0.0:3239           *:*
    >   UDP    0.0.0.0:3240           *:*
    >   UDP    10.0.0.1:500           *:*
    >   UDP    10.0.0.1:6979          *:*
    >   UDP    192.168.0.1:53         *:*
    >   UDP    192.168.0.1:67         *:*
    >   UDP    192.168.0.1:68         *:*
    >   UDP    192.168.0.1:137        *:*
    >   UDP    192.168.0.1:138        *:*
    >   UDP    192.168.0.1:500        *:*
    >   UDP    192.168.0.1:10900      *:*
    >   UDP    192.168.0.1:17985      *:*
    >   UDP    192.168.0.1:17987      *:*
    >   UDP    my.net.217.125:500    *:*
    >   UDP    my.net.217.125:9504   *:*
    > =========================  end of "netstat -an" output
    > =========================
    >
    > =========================  "fport /p" output
    > ==========================
    > FPort v1.33 - TCP/IP Process to Port Mapper
    > Copyright 2000 by Foundstone, Inc.
    >
    > Pid   Process            Port  Proto Path
    > 400   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
    > 8     System         ->  139   TCP
    > 8     System         ->  445   TCP
    > 516   MSTask         ->  1025  TCP   C:\WINNT\system32\MSTask.exe
    > 8     System         ->  1026  TCP
    > 8     System         ->  1723  TCP
    > 612   vsmon          ->  3002  TCP   C:\WINNT\system32\ZoneLabs\vsmon.exe
    > 472   svchost        ->  3006  TCP   C:\WINNT\System32\svchost.exe
    > 8     System         ->  3657  TCP
    > 8     System         ->  4629  TCP
    > 8     System         ->  4775  TCP
    >
    > 400   svchost        ->  135   UDP   C:\WINNT\system32\svchost.exe
    > 8     System         ->  137   UDP
    > 8     System         ->  138   UDP
    > 8     System         ->  445   UDP
    > 228   lsass          ->  500   UDP   C:\WINNT\system32\lsass.exe
    > 216   services       ->  1027  UDP   C:\WINNT\system32\services.exe
    > 472   svchost        ->  3001  UDP   C:\WINNT\System32\svchost.exe
    > 1276  RuLaunch       ->  3167  UDP   C:\Program Files\McAfee\McAfee Shared
    > Components\Instant Updater\RuLaunch.exe
    > 612   vsmon          ->  17985 UDP   C:\WINNT\system32\ZoneLabs\vsmon.exe
    > 612   vsmon          ->  17987 UDP   C:\WINNT\system32\ZoneLabs\vsmon.exe
    >
    > =========================  end of "fport /p" output
    > ==========================
    >
    >
    >
    >
    >
    > --------------------------------------------------------------------------
    --
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    >
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Mon Nov 25 2002 - 09:35:47 PST