RE: TCP 445 Scan?

From: Thompson, Jason (Jason.Thompsonat_private)
Date: Thu Mar 06 2003 - 06:17:41 PST


    Actually while setting up a honeypot, I got it infected with a trojan, which
    I am going to analyze shortly. After 4.5 hours of being on the net, I was
    hit on port 445, and after the infection took place, the machine began
    spamming out packets on port 445 to IP addresses incrementing the 4th octet
    (24.222.5.6, 24.222.5.7, 24.222.5.8, etc). The scans were pretty quick. A
    short time later I was getting traffic from my machine destined to a remote
    machine on port 6667, so it is likely that it is some kind of IRC trojan
    like Backdoor.IRC.Zcrew or something. I'm not cleaning it until I've finished
    the analysis.
    
    The interesting thing is I had a similar thing happen to a client's PC at
    the office last week, and I had to clean that as well. It was infected with
    Backdoor.IRC.Zcrew. I believe incidents.org mentioned that this trojan (or
    trojans like it) are back on the rise.
    
    		-Jason
    
    -----Original Message-----
    From: Brian McWilliams [mailto:brian@pc-radio.com] 
    Sent: March 4, 2003 16:00
    To: Charles Hamby; incidentsat_private
    Subject: Re: TCP 445 Scan?
    
    
    Maybe it's this new worm?
    
    http://www.viruslist.com/eng/viruslist.html?id=59741
    
    
    Worm.Win32.Randon
    
    Randon is a Virus-Worm distributed via IRC-channels and LANs with shared 
    resources.
    
    When executed this worm installs its components into the subdirectory zxz 
    and/or zx in the Windows system directory and registers its main file and 
    the mIRC client in the Windows registry auto-run key (below):
    
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\updateWins
    
    Randon then executes the above key and hides the process via the 
    HideWindows utility. Randon connects to the IRC-server and executes its 
    scripts. In addition to DDoS attacks and IRC channel flooding, Randon scans 
    port 445 of other IRC clients.
    
    [snip]
    
    At 01:25 PM 2/27/2003, Charles Hamby wrote:
    
    
    >Morning/Afternoon All,
    >
    >Has anyone else recently been pegged with a large number of distributed 
    >TCP 445 scans over a short amount of time (within a few minutes)?  A 
    >couple of days ago I was hit by roughly 60+ scans in a short amount of 
    >time; when I waded through it, it wound up being about 45 unique IP 
    >addresses, all looking for TCP 445.  Below is an excerpt from my firewall 
    >log (Netscreen).  Has anyone else been seeing these sorts of scans 
    >lately? I've only seen the one scan, so I haven't had a chance to 
    >capture any more traffic.
    >
    >-CDH
    >
    >
    >2003-2-23 23:05:52 Deny  213.51.247.114->W.X.Y.Z  0 sec TCP PORT 445 
    >2003-2-23 23:05:49 Deny  213.51.247.114->W.X.Y.Z  0 sec TCP PORT 445
    >2003-2-23 23:05:36 Deny  213.51.21.143->W.X.Y.Z   0 sec TCP PORT 445
    >2003-2-23 23:05:33 Deny  213.51.21.143->W.X.Y.Z   0 sec TCP PORT 445
    >2003-2-23 23:05:30 Deny  12.242.204.86->W.X.Y.Z   0 sec TCP PORT 445
    >2003-2-23 23:05:27 Deny  12.242.204.86->W.X.Y.Z   0 sec TCP PORT 445
    >2003-2-23 23:05:23 Deny  62.253.118.133->W.X.Y.Z  0 sec TCP PORT 445 
    >2003-2-23 23:05:21 Deny  65.163.177.202->W.X.Y.Z  0 sec TCP PORT 445 
    >2003-2-23 23:05:20 Deny  62.253.118.133->W.X.Y.Z  0 sec TCP PORT 445
    >2003-2-23 23:05:19 Deny  217.1.167.84->W.X.Y.Z    0 sec TCP PORT 445
    >2003-2-23 23:05:18 Deny  65.163.177.202->W.X.Y.Z  0 sec TCP PORT 445 
    >2003-2-23 23:05:18 Deny  12.231.241.129->W.X.Y.Z  0 sec TCP PORT 445
    >2003-2-23 23:05:18 Deny  24.66.39.214->W.X.Y.Z    0 sec TCP PORT 445
    >2003-2-23 23:05:17 Deny  12.229.115.40->W.X.Y.Z   0 sec TCP PORT 445
    >2003-2-23 23:05:16 Deny  62.190.172.203->W.X.Y.Z  0 sec TCP PORT 445
    >2003-2-23 23:05:16 Deny  217.1.167.84->W.X.Y.Z    0 sec TCP PORT 445
    >2003-2-23 23:05:16 Deny  217.162.202.177->W.X.Y.Z 0 sec TCP PORT 445 
    >2003-2-23 23:05:16 Deny  217.162.183.155->W.X.Y.Z 0 sec TCP PORT 445 
    >2003-2-23 23:05:15 Deny  12.231.241.129->W.X.Y.Z  0 sec TCP PORT 445
    >2003-2-23 23:05:15 Deny  24.66.39.214->W.X.Y.Z    0 sec TCP PORT 445
    >2003-2-23 23:05:14 Deny  141.153.232.196->W.X.Y.Z 0 sec TCP PORT 445
    >2003-2-23 23:05:14 Deny  12.229.115.40->W.X.Y.Z   0 sec TCP PORT 445
    >2003-2-23 23:05:14 Deny  12.231.161.15->W.X.Y.Z   0 sec TCP PORT 445
    >2003-2-23 23:05:13 Deny  217.162.7.16->W.X.Y.Z    0 sec TCP PORT 445
    >2003-2-23 23:05:13 Deny  62.190.172.203->W.X.Y.Z  0 sec TCP PORT 445 
    >2003-2-23 23:05:13 Deny  12.242.250.247->W.X.Y.Z  0 sec TCP PORT 445 
    >2003-2-23 23:05:13 Deny  217.162.202.177->W.X.Y.Z 0 sec TCP PORT 445
    >
    >-----------------------------------------------------------------------
    >-----
    >
    ><Pre>Lose another weekend managing your IDS?
    >Take back your personal time.
    >15-day free trial of StillSecure Border Guard.</Pre>
    ><A href="http://www.securityfocus.com/stillsecure">
    >http://www.securityfocus.com/stillsecure </A>
    
    
    
    ------------------------- 
    This e-mail communication (including any or all attachments) is intended
    only for the use of the person or entity to which it is addressed and may
    contain confidential and/or privileged material. If you are not the intended
    recipient of this e-mail, any use, review, retransmission,  distribution,
    dissemination, copying, printing, or other use of, or taking of any action
    in reliance upon this e-mail, is strictly prohibited. If you have received
    this e-mail in error, please contact the sender and delete the original and
    any copy of this e-mail and any printout thereof, immediately. Your
    co-operation is appreciated. 
    
    
    
    
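The thread describes two log patterns a defender can pick out of firewall deny logs: the inbound burst Charles reports (many distinct sources probing TCP 445 within a few minutes) and the behaviour Jason saw on his honeypot (one host walking outbound through consecutive addresses on 445, then reaching out on 6667). The script below is an added example, not code from any poster or from the incidents list. It assumes the Netscreen line format quoted in Charles's excerpt, reuses ten of his lines verbatim as the inbound sample, and embeds constructed outbound lines: the honeypot address 192.0.2.10 and the IRC server 198.51.100.7 are placeholders from the RFC 5737 documentation ranges, not addresses from the thread, while the 24.222.5.x targets are the ones Jason names.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

# Netscreen deny-log lines in the shape quoted in the thread, e.g.
#   2003-2-23 23:05:52 Deny  213.51.247.114->W.X.Y.Z  0 sec TCP PORT 445
LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d{1,2}-\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<action>\w+)\s+"
    r"(?P<src>[\w.]+)->(?P<dst>[\w.]+)\s+\d+ sec (?P<proto>\w+) PORT (?P<port>\d+)"
)

# Inbound lines taken verbatim from Charles Hamby's excerpt (W.X.Y.Z is his
# own masked address, so the destination is not parsed as an IP).
INBOUND_LOG = """
2003-2-23 23:05:52 Deny  213.51.247.114->W.X.Y.Z  0 sec TCP PORT 445
2003-2-23 23:05:49 Deny  213.51.247.114->W.X.Y.Z  0 sec TCP PORT 445
2003-2-23 23:05:36 Deny  213.51.21.143->W.X.Y.Z   0 sec TCP PORT 445
2003-2-23 23:05:30 Deny  12.242.204.86->W.X.Y.Z   0 sec TCP PORT 445
2003-2-23 23:05:23 Deny  62.253.118.133->W.X.Y.Z  0 sec TCP PORT 445
2003-2-23 23:05:21 Deny  65.163.177.202->W.X.Y.Z  0 sec TCP PORT 445
2003-2-23 23:05:19 Deny  217.1.167.84->W.X.Y.Z    0 sec TCP PORT 445
2003-2-23 23:05:18 Deny  12.231.241.129->W.X.Y.Z  0 sec TCP PORT 445
2003-2-23 23:05:18 Deny  24.66.39.214->W.X.Y.Z    0 sec TCP PORT 445
2003-2-23 23:05:17 Deny  12.229.115.40->W.X.Y.Z   0 sec TCP PORT 445
"""

# Constructed outbound lines modelling Jason's infected honeypot. 192.0.2.10
# (the honeypot) and 198.51.100.7 (the IRC server) are placeholder addresses;
# 192.0.2.20 is a second, benign host included as a negative case.
OUTBOUND_LOG = """
2003-3-6 10:41:00 Deny  192.0.2.10->24.222.5.6   0 sec TCP PORT 445
2003-3-6 10:41:00 Deny  192.0.2.10->24.222.5.7   0 sec TCP PORT 445
2003-3-6 10:41:01 Deny  192.0.2.10->24.222.5.8   0 sec TCP PORT 445
2003-3-6 10:41:01 Deny  192.0.2.10->24.222.5.9   0 sec TCP PORT 445
2003-3-6 10:41:02 Deny  192.0.2.10->24.222.5.10  0 sec TCP PORT 445
2003-3-6 10:41:02 Deny  192.0.2.10->24.222.5.11  0 sec TCP PORT 445
2003-3-6 10:43:15 Deny  192.0.2.10->198.51.100.7 0 sec TCP PORT 6667
2003-3-6 10:45:00 Deny  192.0.2.20->24.222.9.1   0 sec TCP PORT 445
"""


def parse_line(line):
    """Parse one Netscreen-style line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
    return {"ts": ts, "action": m["action"], "src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "port": int(m["port"])}


def parse_log(text):
    """Parse a block of log text, silently skipping lines that do not match."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def distributed_scan_sources(events, port=445, window=timedelta(minutes=5), min_sources=10):
    """Inbound pattern: the largest set of distinct sources that probed `port`
    within any `window`-long stretch. Returns an empty set below the threshold."""
    hits = sorted((e["ts"], e["src"]) for e in events if e["port"] == port)
    best = set()
    for i, (t0, _) in enumerate(hits):
        srcs = {s for t, s in hits[i:] if t - t0 <= window}
        if len(srcs) > len(best):
            best = srcs
    return best if len(best) >= min_sources else set()


def sequential_scanners(events, port=445, min_run=5):
    """Outbound pattern: per source, the longest run of consecutive destination
    addresses on `port` (the 24.222.5.6, .7, .8 ... walk Jason describes).
    Returns {source: run_length} for sources at or above `min_run`."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["port"] != port:
            continue
        try:
            by_src[e["src"]].append(int(ip_address(e["dst"])))
        except ValueError:  # masked destination such as W.X.Y.Z
            continue
    flagged = {}
    for src, dsts in by_src.items():
        run = best = 1
        for a, b in zip(dsts, dsts[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[src] = best
    return flagged


def irc_followups(events, scanners, irc_port=6667):
    """Scanning hosts that also made an outbound attempt on the IRC port,
    the scan-then-connect sequence that suggests an IRC-controlled trojan."""
    return sorted({e["src"] for e in events if e["port"] == irc_port and e["src"] in scanners})


if __name__ == "__main__":
    inbound = parse_log(INBOUND_LOG)
    print("distributed 445 sources:", sorted(distributed_scan_sources(inbound, min_sources=5)))
    outbound = parse_log(OUTBOUND_LOG)
    scanners = sequential_scanners(outbound)
    print("sequential scanners:", scanners)
    print("scanners with IRC follow-up:", irc_followups(outbound, scanners))
```

The thresholds are the tuning knobs: Charles saw roughly 45 unique sources in a few minutes, so `min_sources=10` over a five-minute window would have fired with room to spare, while `min_run=5` keeps a host that happens to contact two or three neighbouring addresses from being flagged. The run detector relies on destination order, which is why events are sorted by timestamp before the walk is measured.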



    This archive was generated by hypermail 2b30 : Thu Mar 06 2003 - 08:59:34 PST