Educause Security Discussion mailing list archives
Re: scanning on port 901
From: Steve Worona <sworona () EDUCAUSE EDU>
Date: Wed, 25 Feb 2004 14:21:58 -0500
Being discussed on unisog; see below.

Steve

-----

At 2:10 PM -0500 2/25/04, Craig Blaha wrote:

Anyone else seeing this: scanning of hosts on port 901. I've seen over 100,000 attempts in 1 hour....

Thanks,
Craig Blaha
--
*Craig Blaha*
/Associate Director Information Policy, Security and Web Development/
The College of New Jersey
PO Box 7718
Ewing, NJ 08628
www.tcnj.edu

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
-----

At 1:29 PM -0500 2/25/04, Hasan Khalil wrote:

Date: Wed, 25 Feb 2004 13:29:25 -0500
From: Hasan Khalil <Hasan.Khalil () uconn edu>
To: unisog () sans org
Subject: Re: [unisog] Virus?

I've seen numerous instances of the exact same thing (winampa.exe, port 901 scans) here on UConn's ResNet.

Hasan Khalil
ResNet Security
University of Connecticut

Goverts IV, Paul wrote:

This may or may not be related - this morning I found a (hidden) file named winampa.exe under c:\windows\system32 on an XP Home PC. Using the 2/24 defs, Symantec Antivirus is unable to identify it as anything. It is a 32.5k file, which appears to have been port-scanning machines on Port 901 (Samba Swat) - has anyone seen this before? We were able to successfully shut down the service and removed the file.

Paul Goverts IV
Computer Services
St. John Fisher College
Rochester, NY 14618

-----Original Message-----
From: Brian Eckman [mailto:eckman () umn edu]
Sent: Wednesday, February 18, 2004 2:36 PM
To: Jeff Nagel
Cc: unisog () sans org
Subject: Re: [unisog] Virus?

Jeff Nagel wrote:

Here is what I found after spending some time with an infected machine. In C:\Winnt\System32 there are two files, winampa.exe and winampa.exe.poly, which are both 226K. There is also a service installed called Winleoahder. In the registry in HKLM\Software\Microsoft\Windows\Current Version\Run and Run Services there is a key named win leoahder. I deleted the two registry keys and the two files and I was able to run regedit as well as Norton. Not sure if this was a virus, a worm or some spyware.

It's a new variant of Gaobot. I sent one in to Symantec today. It should be in their definitions tomorrow. When I deleted the two registry entries and rebooted (using a lab machine), it put the registry entries back before the reboot occurred, so I was not able to remove it via that method. I was not able to end process on the winampa.exe process (access denied error), and was not able to manually stop the Service either (access denied error).
Just a note: If you nmap a machine that has Gaobot (or you suspect has Gaobot), try telnetting to any obscure high numbered open port that you find. Typically, a machine infected with Gaobot will have one of the open ports throw a binary stream at you upon connecting to it. I use netcat to connect to that port and output the stream to a file (nc -v ip.address.here port > bot.exe). Then I open that file in a hex editor and remove the first four bytes, and save it. That gives me a working copy of the Gaobot worm that host is infected with. Another random port that is opened by Gaobot will return a "220 Welcome to the Bot FTP Service" or something just like that. I have recently noticed that several variants of Gaobot (including the one that you mention) were trying to access 10.0.1.128:6667. That IP address isn't in use on our network (it might be a lookup for an old IRC server at lar.ath.cx). Might be one way to look for more Gaobot infections on your campus.

Brian
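The thread names three indicators a campus network team can hunt for: a host hitting many neighbours on TCP/901 in a short window, connections to 10.0.1.128:6667, and a high port that answers with the bot "FTP" banner or hands back a binary with four junk bytes in front of a PE image. The script below is an added example written for this archive page, not code from any of the posters; it runs the three checks over constructed firewall-style log lines. The log format, the flagging threshold and the sample hosts are all my own assumptions.

```python
"""Triage helpers for the Gaobot symptoms described in the thread:
bursts of TCP/901 (SWAT) probes, connections to 10.0.1.128:6667, and
a bot "FTP" banner or prefixed PE image on an odd high port.
Added example; not code from the mailing list."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed log format (not any real firewall's): "<ISO time> SYN src:port -> dst:port"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) SYN (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

IRC_SINK = ("10.0.1.128", 6667)   # address/port Brian Eckman quoted in the thread
BOT_BANNER = b"220 Welcome to the Bot FTP Service"


def parse_line(line):
    """Parse one constructed log line; return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"])}


def port901_scanners(lines, min_targets=10, window=timedelta(hours=1)):
    """Return {src: max distinct TCP/901 targets hit within any `window`}.
    The threshold is an assumed value; tune it to your own baseline."""
    per_src = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["dport"] == 901:
            per_src[rec["src"]].append((rec["ts"], rec["dst"]))
    flagged = {}
    for src, hits in per_src.items():
        hits.sort()
        win = deque()              # hits inside the sliding window
        seen = defaultdict(int)    # dst -> number of hits still in the window
        best = 0
        for ts, dst in hits:
            win.append((ts, dst))
            seen[dst] += 1
            while win and ts - win[0][0] > window:
                _, old_dst = win.popleft()
                seen[old_dst] -= 1
                if seen[old_dst] == 0:
                    del seen[old_dst]
            best = max(best, len(seen))
        if best >= min_targets:
            flagged[src] = best
    return flagged


def irc_beacons(lines):
    """Sources that tried to reach the 10.0.1.128:6667 address from the thread."""
    return sorted({rec["src"] for rec in filter(None, map(parse_line, lines))
                   if (rec["dst"], rec["dport"]) == IRC_SINK})


def classify_stream(data):
    """Label what a connection to an odd high port handed back."""
    if data.startswith(BOT_BANNER):
        return "bot-ftp-banner"
    if data[4:6] == b"MZ":         # four junk bytes before a PE image, as Brian described
        return "pe-after-4-byte-prefix"
    if data[:2] == b"MZ":
        return "pe"
    return "unknown"


# Constructed sample: 10.1.2.3 sweeps twelve hosts on 901 within seconds and beacons
# to the IRC sink; 10.1.2.9 touches only three hosts, spread over more than an hour.
SAMPLE_LOG = [f"2004-02-25T14:00:{i:02d} SYN 10.1.2.3:{3000 + i} -> 10.1.5.{i}:901"
              for i in range(1, 13)] + [
    "2004-02-25T14:01:00 SYN 10.1.2.9:4001 -> 10.1.5.1:901",
    "2004-02-25T14:01:05 SYN 10.1.2.9:4002 -> 10.1.5.2:901",
    "2004-02-25T14:02:00 SYN 10.1.2.3:4100 -> 10.0.1.128:6667",
    "2004-02-25T14:02:30 SYN 10.1.4.4:4200 -> 10.0.1.128:6667",
    "2004-02-25T16:30:00 SYN 10.1.2.9:4003 -> 10.1.5.3:901",
    "this line is deliberately unparseable",
]

if __name__ == "__main__":
    print("port 901 sweepers:", port901_scanners(SAMPLE_LOG))
    print("hosts contacting 10.0.1.128:6667:", irc_beacons(SAMPLE_LOG))
    print(classify_stream(b"220 Welcome to the Bot FTP Service\r\n"))
```

With the defaults, only 10.1.2.3 is reported as a sweeper (12 targets in one window); 10.1.2.9's three probes never fall inside a single hour, which is the reason for the sliding window rather than a flat count. Both 10.1.2.3 and 10.1.4.4 show up on the 10.0.1.128:6667 check, which is independent of scan volume and catches infected hosts that are not currently sweeping.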