Educause Security Discussion mailing list archives

Re: scanning on port 901


From: Steve Worona <sworona () EDUCAUSE EDU>
Date: Wed, 25 Feb 2004 14:21:58 -0500

Being discussed on unisog; see below.
Steve
-----
At 2:10 PM -0500 2/25/04, Craig Blaha wrote:
Anyone else seeing this:

scanning of hosts on port 901.  I've seen over 100,000 attempts in 1 hour....

Thanks,
Craig Blaha
--

  Craig Blaha
  Associate Director
  Information Policy, Security and Web Development
  The College of New Jersey
  PO Box 7718
  Ewing, NJ 08628
  www.tcnj.edu

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.

-----
At 1:29 PM -0500 2/25/04, Hasan Khalil wrote:
Date: Wed, 25 Feb 2004 13:29:25 -0500
From: Hasan Khalil <Hasan.Khalil () uconn edu>
To: unisog () sans org
Subject: Re: [unisog] Virus?

I've seen numerous instances of the exact same thing (winampa.exe, port 901 scans) here on UConn's ResNet.

Hasan Khalil
ResNet Security
University of Connecticut

Goverts IV, Paul wrote:
This may or may not be related - this morning I found a (hidden) file
named winampa.exe under c:\windows\system32 on an XP Home PC.  Using the
2/24 defs, Symantec Antivirus is unable to identify it as anything.  It
is a 32.5k file, which appears to have been port-scanning machines on
Port 901 (Samba Swat) - has anyone seen this before?  We were able to
successfully shut down the service and removed the file.

Paul Goverts IV
Computer Services
St. John Fisher College
Rochester, NY 14618

-----Original Message-----
From: Brian Eckman [mailto:eckman () umn edu]
Sent: Wednesday, February 18, 2004 2:36 PM
To: Jeff Nagel
Cc: unisog () sans org
Subject: Re: [unisog] Virus?

Jeff Nagel wrote:

Here is what I found after spending some time with an infected machine.  In C:\Winnt\System32 there are two files, winampa.exe and winampa.exe.poly, which are both 226K.  There is also a service installed called Win leoahder.

In the registry in HKLM\Software\Microsoft\Windows\Current Version\Run and Run Services there is a key named win leoahder.  I deleted the two registry keys and the two files and I was able to run regedit as well as Norton. Not sure if this was a virus, a worm or some spyware.


It's a new variant of Gaobot. I sent one in to Symantec today. It should be in their definitions tomorrow.

When I deleted the two registry entries and rebooted (using a lab machine), it put the registry entries back before the reboot occurred, so I was not able to remove it via that method. I was not able to end process on the winampa.exe process (access denied error), and was not able to manually stop the Service either (access denied error).

Just a note: If you nmap a machine that has Gaobot (or you suspect has Gaobot), try telnetting to any obscure high 
numbered open port that you find. Typically, a machine infected with Gaobot will have one of the open ports throw a 
binary stream at you upon connecting to it. I use netcat to connect to that port and output the stream to a file (nc 
-v ip.address.here port > bot.exe). Then I open that file in a hex editor and remove the first four bytes, and save 
it. That gives me a working copy of the Gaobot worm that host is infected with.

Another random port that is opened by Gaobot will return a "220 Welcome to the Bot FTP Service" or something just 
like that.

I have recently noticed that several variants of Gaobot (including the one that you mention) were trying to access 10.0.1.128:6667. That IP address isn't in use on our network (it might be a lookup for an old IRC server at lar.ath.cx). Might be one way to look for more Gaobot infections on your campus.


Brian

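The thread gives two network-side indicators for this Gaobot variant: a burst of connection attempts to TCP/901 from one host, and attempts to reach 10.0.1.128:6667. The script below is an added example (not from any poster on the thread) that runs both checks over firewall or flow logs. The log line format, the sample lines and the thresholds are constructed for the example; adapt parse_line() to your own export.

```python
# Added example: flag campus hosts showing the two Gaobot indicators
# described in the thread, from a simple constructed log format.
#   1. many TCP/901 (SWAT) connection attempts from one source, and
#   2. any connection attempt to 10.0.1.128:6667 (the IRC lookup noted above).
# The "time src:sport -> dst:dport proto" format is an assumption for this
# example; real firewall/NetFlow exports will need their own parser.
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2004-02-25T14:00:01 10.10.5.21:1034 -> 10.10.9.4:901 tcp
2004-02-25T14:00:01 10.10.5.21:1035 -> 10.10.9.5:901 tcp
2004-02-25T14:00:02 10.10.5.21:1036 -> 10.10.9.6:901 tcp
2004-02-25T14:00:02 10.10.5.21:1037 -> 10.10.9.7:901 tcp
2004-02-25T14:00:03 10.10.5.21:1038 -> 10.10.9.8:901 tcp
2004-02-25T14:00:05 10.10.7.3:2201 -> 10.10.9.4:901 tcp
2004-02-25T14:00:09 10.10.7.3:2202 -> 10.0.1.128:6667 tcp
2004-02-25T14:00:10 10.10.8.40:3300 -> 10.10.9.4:80 tcp
2004-02-25T14:30:00 10.10.5.21:1100 -> 10.10.9.9:901 tcp
"""

IRC_INDICATOR = ("10.0.1.128", 6667)   # destination taken from the thread


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->":
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        src, _sport = parts[1].rsplit(":", 1)
        dst, dport = parts[3].rsplit(":", 1)
        return {"ts": ts, "src": src, "dst": dst,
                "dport": int(dport), "proto": parts[4]}
    except ValueError:
        return None


def find_port901_scanners(log_text, threshold=5, window_seconds=60):
    """Return sorted sources that hit TCP/901 on at least `threshold`
    distinct hosts inside any sliding window of `window_seconds`."""
    hits = defaultdict(list)          # src -> [(ts, dst)] for dport 901
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "tcp" and rec["dport"] == 901:
            hits[rec["src"]].append((rec["ts"], rec["dst"]))
    flagged = set()
    for src, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the left edge until the window spans <= window_seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= threshold:
                flagged.add(src)
                break
    return sorted(flagged)


def find_irc_beacons(log_text, indicator=IRC_INDICATOR):
    """Return sorted sources that tried to reach the indicator host:port."""
    dst_ip, dst_port = indicator
    found = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dst"] == dst_ip and rec["dport"] == dst_port:
            found.add(rec["src"])
    return sorted(found)


if __name__ == "__main__":
    print("port 901 scanners:", find_port901_scanners(SAMPLE_LOG))
    print("IRC indicator hits:", find_irc_beacons(SAMPLE_LOG))
```

The scanner check counts distinct destination hosts rather than raw packets so that a single legitimate SWAT admin session retrying one server does not trip it; the 10.0.1.128:6667 check is exact because that address is unused on the reporting network, so any hit is worth a look.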
