Hi,

Over the past couple of days I've noticed an increase in outgoing connections, mostly to ports 22226 and 22227, from my Windows 2000 honeypot (no service packs or hot fixes applied). The source port of these connections is between 1033 and 1050. Today the destination ports were 509, 1466, 3019, 7140, 10919, 11030, 14859, 16710.

All outbound connections are triggered via inbound connections to port 139 and/or 445. The attacker uses the IPC$ share to connect. Some of the "attackers" drop the file winhlpp32.exe (known from the W32.HLLW.Gaobot.P worm) in the system32 directory, others kill the RPC service. The size of the file varies from 3 kb to 55 kb. Most of the IP addresses are dial-up connections. All connections to port 135 are blocked by the firewall.

Has anybody else seen similar things?

Sorry for my lame English.

Gereon
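One way to check the pattern reported in the message above against flow logs, as an added example that is not part of the original post: it pairs each outbound connection from the honeypot with the most recent inbound connection to port 139 or 445. The log format, the addresses, and the 120-second window are assumptions; the sample records are constructed.

```python
from datetime import datetime, timedelta

HONEYPOT = "192.0.2.10"          # constructed address (documentation range)
SMB_PORTS = {139, 445}           # inbound ports named in the post
WINDOW = timedelta(seconds=120)  # assumed correlation window, not from the post

# Constructed sample flow records: time, src, sport, dst, dport
SAMPLE = """\
2003-08-26T07:00:01 198.51.100.7 4021 192.0.2.10 445
2003-08-26T07:00:09 192.0.2.10 1034 198.51.100.7 22226
2003-08-26T07:00:15 192.0.2.10 1035 203.0.113.5 22227
2003-08-26T07:20:00 192.0.2.10 1040 203.0.113.9 80
2003-08-26T07:30:00 198.51.100.44 3310 192.0.2.10 139
2003-08-26T07:30:30 192.0.2.10 1041 198.51.100.44 7140
2003-08-26T07:31:00 198.51.100.60 2200 192.0.2.10 135
"""

def parse(text):
    """Turn whitespace-separated flow lines into dicts sorted by time."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src,
                      "sport": int(sport), "dst": dst, "dport": int(dport)})
    return sorted(flows, key=lambda f: f["ts"])

def correlate(flows, honeypot=HONEYPOT, window=WINDOW):
    """Pair each outbound honeypot flow with the latest inbound SMB flow
    seen inside the window; outbound flows with no trigger are skipped."""
    hits, last_smb = [], None
    for f in flows:
        if f["dst"] == honeypot and f["dport"] in SMB_PORTS:
            last_smb = f
        elif (f["src"] == honeypot and last_smb is not None
              and f["ts"] - last_smb["ts"] <= window):
            hits.append({"trigger": last_smb["src"], "trigger_port": last_smb["dport"],
                         "dest": f["dst"], "dest_port": f["dport"],
                         "same_host": f["dst"] == last_smb["src"]})
    return hits

if __name__ == "__main__":
    for h in correlate(parse(SAMPLE)):
        print(h)
```

The `same_host` field separates connections that go back to the host that opened the SMB session from those that go to a third address, which is worth knowing when comparing notes with other honeypot operators.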
This archive was generated by hypermail 2b30 : Tue Aug 26 2003 - 08:36:59 PDT