Hi Emeric,

Analyzing the PC, it does not seem it's infected by Opaserv. There is no suspicious file with *scr* anywhere. Still, like you said, what's worrying is that the PC is responding to the port probes. Apparently traffic to port 137 is blocked - so maybe it's penetrating from another port, or from an allowed program; but the PC is responding, which means SOMETHING inside is listening, then responding (very quickly).

Also, when the Internet is on-line, the explorer and svchost processes are constantly active, with I/O of 25-30 kbps. This ceases when I go off-line.

Can anyone help?

Thanks in advance
Moshe

----- Original Message -----
From: Emeric Miszti
To: Moshe Aelion
Cc: incidents @ security focus
Sent: Saturday, November 16, 2002 12:59 PM
Subject: Re: Help - a possible bot

Hi Moshe,

What you are seeing with the incoming port 137 UDP requests is probably the Opaserv worm. Have a look at http://antivirus.about.com/library/weekly/aa100102a.htm. Everyone is seeing a lot of these at the moment and if you have a look at http://isc.incidents.org/ then you will see that port 137 is far and away the most attacked port at the moment.

You can easily identify this kind of activity because the source port of normal UDP 137 traffic is 137 and the destination is port 137. With the worm activity the source port becomes something above 1024 with the destination as 137.

Looking at your fport traces, etc. it doesn't look like your PC is infected by Opaserv but what is worrying is that you may be responding to the port probes, thus making you a target for further attack and that may explain the high usage on svchost!
Make sure that you are not infected by Opaserv by checking through the details provided by anti-virus companies such as http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.worm.html

Since the PC has been previously hacked I would be very suspicious anyway and wouldn't rely on the firewall doing its job properly. DameWare is a total remote control package so anything could have been installed. Personally I would rebuild the PC and then install a good firewall on a clean box. That is the only way you can ever be 100% sure you are clean.

Regards
--
Emeric Miszti
UK Security Online
http://www.uksecurityonline.com
Tel No: 0870 088 5689
Fax No: 0870 706 2162
PGP Public Key available at http://www.uksecurityonline.com/emeric.asc

On Fri, 2002-11-15 at 20:11, Moshe Aelion wrote:
> Hi everybody
>
> Two weeks ago, the NAT/ICMP computer on our LAN got compromised; the hacker
> installed DameWare and was trying to work on the computer. It was discovered
> within about 10 minutes. I then installed ZoneAlarm Pro.
>
> The problem is, I am detecting a suspicious hit/respond activity, which, in
> my opinion, points to an active bot. Here's the evidence: when inspecting ZA
> logs, you can see a blocked scan (coming every couple of minutes, from
> arbitrary addresses - I bet they're spoofed) - and soon after, the computer
> responds with a (blocked) attempt to communicate with that address. This
> points to an active bot (in my opinion), since, although ZA claims it
> blocked the incoming attempt, the computer immediately tries to respond -
> therefore SOMETHING inside did get a message.
>
> I did a lot of port blocking, foundation fport tracking, netstat -an, and
> couldn't find anything extraordinary. I installed PestPatrol and Trojan
> Remover, they discovered nothing. (Except fport which I used). The
> "HKEY_localmachine_software...Microsoft\...currentversion\run" registry key
> doesn't show anything suspicious.
>
> I do notice, though, that svchost is unusually active - doing about 25k
> read/write I/O per second, with nothing running.
> I did a lot of port blocking and couldn't stop the hit/response phenomenon.
> I also stopped several processes and services and the phenomenon didn't
> stop.
>
> I'm attaching here the ZA log. The incoming attempt and the response are
> denoted with "<--".
>
> I'm also attaching the netstat -an and fport scan outputs.
>
> Thanking any assistance in advance
>
> Moshe
>
> ========================== ZA log =======================
> 1  FWIN,   21:55:54, 66.139.182.144:1065,  my.net.237.99:137,UDP <--
> 2  FWOUT,  21:55:56, my.net.237.99:1025,   66.139.182.144:137,UDP <--
> 3  FWIN,   21:58:18, 213.9.242.122:1029,   my.net.237.99:137,UDP <--
> 4  FWOUT,  21:58:18, my.net.237.99:1025,   213.9.242.122:137,UDP <--
> 5  FWIN,   21:59:54, 192.168.0.5:138,      192.168.0.255:138,UDP
> 6  FWIN,   22:00:38, 212.179.237.86:1026,  my.net.237.99:137,UDP
> 7  FWIN,   22:00:38, 212.179.209.67:0,     my.net.237.99:0,ICMP (type:8/subtype:0)
> 8  ACCESS, 22:01:52, RuLaunch blocked from connecting to Internet (216.49.88.100:HTTP)
> 9  FWIN,   22:02:04, 64.231.129.73:1030,   my.net.237.99:137,UDP
> 10 FWIN,   22:02:44, 61.228.26.161:1027,   my.net.237.99:137,UDP
> 11 FWIN,   22:02:56, 62.94.131.238:3375,   my.net.237.99:6588,TCP (flags:S)
> 12 FWIN,   22:07:34, 200.76.64.2:62695,    my.net.237.99:137,UDP <--
> 13 FWOUT,  22:07:40, my.net.237.99:1025,   200.76.64.2:137,UDP <--
> 14 ACCESS, 22:07:52, RuLaunch blocked from connecting to Internet (216.49.88.100:HTTP)
> 15 FWIN,   22:09:02, 200.67.76.211:1026,   my.net.237.99:137,UDP
> 16 FWIN,   22:10:40, 140.186.157.226:6522, my.net.237.99:137,UDP <--
> 17 FWOUT,  22:10:40, my.net.237.99:1025,   140.186.157.226:137,UDP <--
> 18 FWIN,   22:10:58, 12.22.205.3:10647,    my.net.237.99:137,UDP <--
> 19 FWOUT,  22:10:58, my.net.237.99:1025,   12.22.205.3:137,UDP <--
> 20 FWIN,   22:11:46, 68.67.228.47:1132,    my.net.237.99:137,UDP
> 21 ACCESS, 22:11:54, RuLaunch blocked from connecting to Internet (216.49.88.100:HTTP)
> 22 FWIN,   22:12:14, 200.75.14.169:1025,   my.net.237.99:137,UDP <--
> 23 FWOUT,  22:12:16, my.net.237.99:1025,   200.75.14.169:137,UDP <--
> 24 FWIN,   22:12:20, 80.235.53.242:30150,  my.net.237.99:137,UDP
> 25 FWIN,   22:13:44, 200.56.237.243:1026,  my.net.237.99:137,UDP
> 26 FWIN,   22:13:52, 64.110.231.28:1025,   my.net.237.99:137,UDP
> 27 ACCESS, 22:13:54, RuLaunch blocked from connecting to Internet (216.49.88.100:HTTP)
> 28 FWIN,   22:15:40, 200.63.158.210:1025,  my.net.237.99:137,UDP
> 29 FWIN,   22:17:10, 203.99.155.122:1027,  my.net.237.99:137,UDP
> 30 FWIN,   22:19:16, 166.114.241.42:1037,  my.net.237.99:137,UDP <--
> 31 FWOUT,  22:19:16, my.net.237.99:1025,   166.114.241.42:137,UDP <--
> 32 FWIN,   22:21:28, 161.132.196.30:1027,  my.net.237.99:137,UDP
> 33 ACCESS, 22:21:54, RuLaunch blocked from connecting to Internet (216.49.88.100:HTTP)
> 34 FWIN,   22:22:04, 209.86.1.157:1029,    my.net.237.99:137,UDP
> ========================= end of ZA log ==================================
>
> Note: the 10.0.0.1:3028 to 10.0.0.138:1723 link is the ADSL pptp.
>
> ========================= "netstat -an" output ==============================
>
> Active Connections
>
>   Proto  Local Address          Foreign Address        State
>   TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:1723           0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:3006           0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:3028           0.0.0.0:0              LISTENING
>   TCP    10.0.0.1:3028          10.0.0.138:1723        ESTABLISHED
>   TCP    10.0.0.1:7732          0.0.0.0:0              LISTENING
>   TCP    192.168.0.1:139        0.0.0.0:0              LISTENING
>   TCP    192.168.0.1:3002       0.0.0.0:0              LISTENING
>   TCP    192.168.0.1:3003       0.0.0.0:0              LISTENING
>   TCP    192.168.0.1:3004       0.0.0.0:0              LISTENING
>   TCP    192.168.0.1:14810      0.0.0.0:0              LISTENING
>   TCP    my.net.217.125:13145   0.0.0.0:0              LISTENING
>   UDP    0.0.0.0:135            *:*
>   UDP    0.0.0.0:445            *:*
>   UDP    0.0.0.0:1027           *:*
>   UDP    0.0.0.0:3001           *:*
>   UDP    0.0.0.0:3239           *:*
>   UDP    0.0.0.0:3240           *:*
>   UDP    10.0.0.1:500           *:*
>   UDP    10.0.0.1:6979          *:*
>   UDP    192.168.0.1:53         *:*
>   UDP    192.168.0.1:67         *:*
>   UDP    192.168.0.1:68         *:*
>   UDP    192.168.0.1:137        *:*
>   UDP    192.168.0.1:138        *:*
>   UDP    192.168.0.1:500        *:*
>   UDP    192.168.0.1:10900      *:*
>   UDP    192.168.0.1:17985      *:*
>   UDP    192.168.0.1:17987      *:*
>   UDP    my.net.217.125:500     *:*
>   UDP    my.net.217.125:9504    *:*
> ========================= end of "netstat -an" output =========================
>
> ========================= "fport /p" output ==========================
> FPort v1.33 - TCP/IP Process to Port Mapper
> Copyright 2000 by Foundstone, Inc.
>
> Pid   Process   Port   Proto  Path
> 400   svchost   135    TCP    C:\WINNT\system32\svchost.exe
> 8     System    139    TCP
> 8     System    445    TCP
> 516   MSTask    1025   TCP    C:\WINNT\system32\MSTask.exe
> 8     System    1026   TCP
> 8     System    1723   TCP
> 612   vsmon     3002   TCP    C:\WINNT\system32\ZoneLabs\vsmon.exe
> 472   svchost   3006   TCP    C:\WINNT\System32\svchost.exe
> 8     System    3657   TCP
> 8     System    4629   TCP
> 8     System    4775   TCP
>
> 400   svchost   135    UDP    C:\WINNT\system32\svchost.exe
> 8     System    137    UDP
> 8     System    138    UDP
> 8     System    445    UDP
> 228   lsass     500    UDP    C:\WINNT\system32\lsass.exe
> 216   services  1027   UDP    C:\WINNT\system32\services.exe
> 472   svchost   3001   UDP    C:\WINNT\System32\svchost.exe
> 1276  RuLaunch  3167   UDP    C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
> 612   vsmon     17985  UDP    C:\WINNT\system32\ZoneLabs\vsmon.exe
> 612   vsmon     17987  UDP    C:\WINNT\system32\ZoneLabs\vsmon.exe
> ========================= end of "fport /p" output ==========================
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Nov 25 2002 - 09:35:47 PST
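Editor's added example, not code from anyone in the thread: the two checks discussed above (Emeric's rule that ordinary NetBIOS name-service traffic is 137 -> 137 while scanner/worm traffic comes from a source port above 1024, and Moshe's "hit/respond" pairing of a blocked FWIN with a blocked FWOUT to the same host a few seconds later) applied mechanically to ZoneAlarm log lines of the format shown in the thread. The sample log reuses lines from Moshe's post plus one constructed 137 -> 137 entry; the 10-second pairing window and the function names are assumptions.

```python
"""Classify UDP/137 probes in a ZoneAlarm log and pair them with replies."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# One FWIN/FWOUT entry: optional sequence number, direction, time,
# "src:port", "dst:port", protocol.  ACCESS lines and trailing text such
# as "<--" or "(flags:S)" fall outside the pattern and are ignored.
LINE_RE = re.compile(
    r"^\s*(?:\d+\s+)?(FWIN|FWOUT),\s*(\d\d:\d\d:\d\d),\s*"
    r"([\w.]+):\s*(\d+),\s*([\w.]+):\s*(\d+),\s*(UDP|TCP|ICMP)"
)
# Assumption: an outbound packet this long after the probe still counts
# as a response to it (the thread shows gaps of 0 to 6 seconds).
PAIR_WINDOW = timedelta(seconds=10)


@dataclass
class Event:
    direction: str  # "FWIN" (blocked inbound) or "FWOUT" (blocked outbound)
    time: datetime
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_log(text: str) -> list[Event]:
    """Return FWIN/FWOUT events in file order; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d, hms, src, sport, dst, dport, proto = m.groups()
            events.append(Event(d, datetime.strptime(hms, "%H:%M:%S"),
                                src, int(sport), dst, int(dport), proto))
    return events


def is_137_probe(ev: Event) -> bool:
    return ev.direction == "FWIN" and ev.proto == "UDP" and ev.dport == 137


def classify_probe(ev: Event) -> str:
    """Emeric's heuristic: 137 -> 137 is normal NBNS; >1024 -> 137 is scan-style."""
    if ev.sport == 137:
        return "netbios-normal"
    return "scan-style" if ev.sport > 1024 else "other"


def pair_responses(events: list[Event], window: timedelta = PAIR_WINDOW):
    """For each inbound UDP/137 probe, find the first later FWOUT to the same
    remote host on UDP/137 within `window` (log assumed chronological)."""
    pairs = []
    for i, probe in enumerate(events):
        if not is_137_probe(probe):
            continue
        for later in events[i + 1:]:
            if later.time - probe.time > window:
                break
            if (later.direction == "FWOUT" and later.proto == "UDP"
                    and later.dst == probe.src and later.dport == 137):
                pairs.append((probe, later))
                break
    return pairs


def summarize(text: str) -> dict:
    """Probe count, source-port classes, and which probes got an answer."""
    events = parse_log(text)
    probes = [e for e in events if is_137_probe(e)]
    classes = [classify_probe(p) for p in probes]
    answered = pair_responses(events)
    return {"probes": len(probes),
            "scan_style": classes.count("scan-style"),
            "netbios_normal": classes.count("netbios-normal"),
            "answered": len(answered),
            "answered_hosts": [p.src for p, _ in answered]}


# Entries 1-4, 6-8, 12-13 from Moshe's log; entry 99 is constructed to
# show what an ordinary 137 -> 137 name-service packet looks like.
SAMPLE_LOG = """\
1 FWIN, 21:55:54, 66.139.182.144:1065, my.net.237.99:137,UDP <--
2 FWOUT, 21:55:56, my.net.237.99:1025, 66.139.182.144:137,UDP <--
3 FWIN, 21:58:18, 213.9.242.122:1029, my.net.237.99:137,UDP <--
4 FWOUT, 21:58:18, my.net.237.99:1025, 213.9.242.122:137,UDP <--
6 FWIN, 22:00:38, 212.179.237.86:1026, my.net.237.99:137,UDP
7 FWIN, 22:00:38, 212.179.209.67: 0, my.net.237.99:0,ICMP (type:8/subtype:0)
8 ACCESS,22:01:52,RuLaunch blocked from connecting to Internet (216.49.88.100:HTTP)
12 FWIN, 22:07:34, 200.76.64.2:62695, my.net.237.99:137,UDP <--
13 FWOUT, 22:07:40, my.net.237.99:1025, 200.76.64.2:137,UDP <--
99 FWIN, 22:30:00, 192.168.0.5:137, my.net.237.99:137,UDP
"""

if __name__ == "__main__":
    for probe, reply in pair_responses(parse_log(SAMPLE_LOG)):
        print(f"{probe.src}:{probe.sport} ({classify_probe(probe)}) answered "
              f"from :{reply.sport} after {(reply.time - probe.time).seconds}s")
    print(summarize(SAMPLE_LOG))
```

On the sample this reports five inbound UDP/137 probes, four scan-style and one normal, with three of them answered from local port 1025 within seconds. The script only labels the pattern; it says nothing about which process emits the FWOUT packets, and the fport output in the thread maps TCP 1025 to MSTask but lists no UDP 1025 listener, so that question is left open by the tools shown.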