[Moderators - I'm cross-posting b/c this message was originally sent to both lists]

David Kennedy CISSP wrote:
> I can Google as well as anybody and know about Samba-SWAT and Realsecure's
> use of this port. That doesn't explain the increase in probes. Most are
> 0-byte connects. IPs from here look like home users, some dial-up, some
> broadbands.
> The mystery is what's behind the surge and what it's after.

Dshield shows an increase in traffic destined for this port since 5/22 (one other spike around 4/19). We too have seen an increase in scanning for port 901 across our IDS customers in the same time period.

http://isc.incidents.org/port_details.html?port=901

It appears that this activity represents traffic looking for SWAT rather than an attack on RealSecure. I say this b/c of several factors. First, there have been several recent well-publicized and potentially serious remote vulnerabilities in Samba. Second, attackers often perform broad scanning to identify vulnerable hosts before releasing a new worm to "seed" the initial attacks so that they will spread more quickly. Third, there was also some coordinated recon from 209/8 that appeared to be looking for Samba after the recent vulns came out in April.

http://marc.theaimsgroup.com/?t=105081475300003&r=1&w=2

One helpful post states the following:

"Closer examination of the sources reveals that they are all what look like default installations of Linux (Redhat in particular). We believe this may be a new worm (or scanning tool) to look for/exploit the recent samba vulnerabilities. We think the point of the syn/fin packets is to determine whether the remote host has port 139 open, and whether the host is running windows (with netbios-ssn open), or is a linux machine running samba. Most stateful inspection firewalls will drop these SYN/FIN packets, but they are a clever way to determine the OS of an unfirewalled host. The fact that the source port of these packets is 139 is highly suspicious as well."

These two instances of recon may be related. The vulnerabilities in Samba may somehow affect SWAT (unlikely - purely conjecture). Or people may be looking to exploit weak/null passwords on SWAT so they can go in and open up the Samba configuration. Or perhaps they are trying to look for Samba installations in a non-obvious manner (as Ken McKinlay suggested). It may not be a new worm, but could be a precursor to one. This may also just be evidence of coordinated scanning with a similar tool.

Can you tell us the source of this activity? Do you have full packet dumps?

Thanks!

Jason Falciola
Information Security Analyst
IBM Managed Security Services
falciolaat_private
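The thread describes two probe signatures a defender can look for: SYN/FIN packets (often with source port 139) aimed at port 139, and 0-byte connects to port 901. The script below is an added example, not part of the original mail or of any tool named in it; it runs those two checks over constructed connection-summary records in an assumed format (source, source port, destination, destination port, first-packet TCP flags, bytes sent by the source) and aggregates per source so that a host touching several targets stands out. The 3-target threshold is an assumed starting point, not a value from the thread.

```python
import re
from collections import defaultdict

# Constructed sample records (invented for this example, not from the post).
# One line per TCP connection attempt:
#   src_ip src_port dst_ip dst_port flags orig_bytes
# "flags" is the flag string of the first packet seen from the source
# (S, F, SF, ...), "orig_bytes" is the payload the source sent before close.
SAMPLE_RECORDS = """\
192.0.2.10 139 198.51.100.5 139 SF 0
192.0.2.10 139 198.51.100.6 139 SF 0
192.0.2.10 139 198.51.100.7 139 SF 0
203.0.113.77 4021 198.51.100.5 901 S 0
203.0.113.77 4022 198.51.100.6 901 S 0
203.0.113.77 4023 198.51.100.7 901 S 0
203.0.113.77 4024 198.51.100.8 901 S 0
198.51.100.20 33000 198.51.100.5 901 S 312
198.51.100.21 33001 198.51.100.5 22 S 1480
"""

RECORD_RE = re.compile(
    r"^(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<sport>\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<dport>\d+)\s+"
    r"(?P<flags>[A-Z]+)\s+(?P<bytes>\d+)\s*$"
)

SWAT_PORT = 901        # port discussed in the thread (Samba SWAT / RealSecure)
NETBIOS_PORT = 139     # netbios-ssn; source port 139 is the tell the quoted post notes
SCAN_THRESHOLD = 3     # assumed: distinct targets before a source is called a scanner


def parse_records(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        yield {
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "flags": set(d["flags"]), "bytes": int(d["bytes"]),
        }


def classify(rec):
    """Return the probe labels a single record matches (possibly none)."""
    labels = []
    # SYN and FIN set together is not produced by a normal TCP stack; the quoted
    # post notes stateful firewalls drop it and that an unfirewalled host's
    # reply fingerprints its OS. Source port 139 is the extra indicator.
    if {"S", "F"} <= rec["flags"]:
        labels.append("synfin_from_139" if rec["sport"] == NETBIOS_PORT else "synfin")
    # "0-byte connects" to SWAT: a connection with no application data sent.
    if rec["dport"] == SWAT_PORT and rec["bytes"] == 0:
        labels.append("zero_byte_901")
    return labels


def summarize(text, threshold=SCAN_THRESHOLD):
    """Aggregate matches per source: label counts, targets hit, scanner verdict."""
    per_src = defaultdict(lambda: {"labels": defaultdict(int), "targets": set()})
    for rec in parse_records(text):
        labels = classify(rec)
        if not labels:
            continue
        entry = per_src[rec["src"]]
        for lab in labels:
            entry["labels"][lab] += 1
        entry["targets"].add(rec["dst"])
    return {
        src: {
            "labels": dict(entry["labels"]),
            "targets": sorted(entry["targets"]),
            "scanner": len(entry["targets"]) >= threshold,
        }
        for src, entry in per_src.items()
    }


if __name__ == "__main__":
    for src, info in summarize(SAMPLE_RECORDS).items():
        print(src, info)
```

On the constructed input, 192.0.2.10 is reported for three SYN/FIN probes from source port 139 and 203.0.113.77 for four 0-byte connects to port 901; the two sources that sent real data, or hit another port, are not reported. A real deployment would feed this from a connection log rather than an inline string, and would tune the threshold to the site's normal traffic.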
This archive was generated by hypermail 2b30 : Tue Jun 10 2003 - 13:19:02 PDT