Security Incidents mailing list archives
Re: new scanner tool or blind luck?
From: George Bakos <alpinista () BIGFOOT COM>
Date: Thu, 14 Sep 2000 15:22:28 -0400
Agreed. network.vbs attempts to map to the remote c: share and would, as it is calling native netbios functions, do as you said. The very helpful admins at a particularly helpful ISP's NOC isolated two machines that were responsible for this traffic. Each of them came up positive for QAZ and network.vbs. Has anyone got any poop on QAZ scanning capabilities and propagation mechanism?

Another trace to chew on:

10:15:48.528735 bad.guy.net.138.3674 > my.net.162.139: S 501372074:501372074(0) win 8192 (ttl 52, id 44153)
10:15:51.457527 bad.guy.net.138.3674 > my.net.162.139: S 501372074:501372074(0) win 8192 (ttl 52, id 44665)
10:15:55.529851 bad.guy.net.138.3675 > my.net.163.139: S 501379076:501379076(0) win 8192 (ttl 52, id 44921)
10:15:57.456302 bad.guy.net.138.3674 > my.net.162.139: S 501372074:501372074(0) win 8192 (ttl 52, id 45433)
10:15:58.454895 bad.guy.net.138.3675 > my.net.163.139: S 501379076:501379076(0) win 8192 (ttl 52, id 45689)
10:16:04.454613 bad.guy.net.138.3675 > my.net.163.139: S 501379076:501379076(0) win 8192 (ttl 52, id 46201)
10:16:09.453368 bad.guy.net.138.3674 > my.net.162.139: S 501372074:501372074(0) win 8192 (ttl 52, id 46713)
10:16:16.451132 bad.guy.net.138.3675 > my.net.163.139: S 501379076:501379076(0) win 8192 (ttl 52, id 47737)
10:16:44.598461 bad.guy.net.138.3682 > my.net.170.139: S 501428089:501428089(0) win 8192 (ttl 52, id 52089)
10:16:47.514230 bad.guy.net.138.3682 > my.net.170.139: S 501428089:501428089(0) win 8192 (ttl 52, id 52601)
10:16:53.512321 bad.guy.net.138.3682 > my.net.170.139: S 501428089:501428089(0) win 8192 (ttl 52, id 53369)
10:17:05.509700 bad.guy.net.138.3682 > my.net.170.139: S 501428089:501428089(0) win 8192 (ttl 52, id 54905)
10:19:04.676916 bad.guy.net.138.3702 > my.net.190.139: S 501568128:501568128(0) win 8192 (ttl 52, id 7290)
10:19:05.151120 bad.guy.net.138.3702 > my.net.190.139: S 501568128:501568128(0) win 8192 (ttl 52, id 7546)
10:19:05.652165 bad.guy.net.138.3702 > my.net.190.139: S 501568128:501568128(0) win 8192 (ttl 52, id 7802)
10:19:06.152070 bad.guy.net.138.3702 > my.net.190.139: S 501568128:501568128(0) win 8192 (ttl 52, id 8058)

On 14 Sep 00, at 8:37, Randy Mclean wrote:
network.vbs will normally have a netbios port for both the source and destination ports. If I remember correctly the code in the vbs file calls the netbios functions with UNCs, thus limiting its source port to netbios (example of UNC \\55.55.55.55\c$). This looks like a scan using a scanner or a different trojan that doesn't use the windows netbios functions to find windows shares.

My 2 cents
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"If you can't make it good, make it look good." - Bill Gates
George Bakos
alpinista () bigfoot com
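Added example, not code from the post or the thread: a small Python parser for tcpdump SYN lines in the format quoted above. It collapses SYN retransmits (same source port, target and ISN; only the IP id moves) into one attempt per target and applies Randy's source-port heuristic to separate a port-139 sweep from ephemeral ports from native share mapping, which keeps a NetBIOS source port. The sample trace is constructed (hostnames anonymised as in the thread) and the heuristic is taken as an assumption, not a hard rule.

```python
import re

# Constructed sample lines in the tcpdump format quoted in the post (hostnames anonymised as in the thread).
TRACE = """\
10:15:48.528735 bad.guy.net.138.3674 > my.net.162.139: S 501372074:501372074(0) win 8192 (ttl 52, id 44153)
10:15:51.457527 bad.guy.net.138.3674 > my.net.162.139: S 501372074:501372074(0) win 8192 (ttl 52, id 44665)
10:15:55.529851 bad.guy.net.138.3675 > my.net.163.139: S 501379076:501379076(0) win 8192 (ttl 52, id 44921)
10:15:58.454895 bad.guy.net.138.3675 > my.net.163.139: S 501379076:501379076(0) win 8192 (ttl 52, id 45689)
10:16:44.598461 bad.guy.net.138.3682 > my.net.170.139: S 501428089:501428089(0) win 8192 (ttl 52, id 52089)
10:16:50.100000 my.net.5.139 > my.net.171.139: S 700000001:700000001(0) win 8192 (ttl 128, id 100)
"""

SYN_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<sh>\S+)\.(?P<sp>\d+) > (?P<dh>\S+)\.(?P<dp>\d+): "
    r"S (?P<isn>\d+):\d+\(0\) win \d+ \(ttl \d+, id (?P<ipid>\d+)\)$")
NETBIOS_PORTS = {137, 138, 139}

def parse_syns(trace):
    """Parse tcpdump SYN lines into dicts with integer ports, ISN and IP id; skip other lines."""
    for m in filter(None, map(SYN_LINE.match, trace.splitlines())):
        d = m.groupdict()
        d.update({k: int(d[k]) for k in ("sp", "dp", "isn", "ipid")})
        yield d

def summarise(trace):
    """Per source host: distinct SYN attempts to port 139, collapsing retransmits
    (same source port, target and ISN, only the IP id changes) into one attempt."""
    attempts = {}
    for p in parse_syns(trace):
        if p["dp"] != 139:
            continue
        key = (p["sh"], p["sp"], p["dh"], p["isn"])
        attempts.setdefault(key, []).append(p["ipid"])
    report = {}
    for (sh, sp, dh, _isn), ipids in attempts.items():
        r = report.setdefault(sh, {"targets": [], "retransmits": 0, "ephemeral_src": 0})
        r["targets"].append(dh)
        r["retransmits"] += len(ipids) - 1           # extra SYNs carrying the same ISN
        r["ephemeral_src"] += sp not in NETBIOS_PORTS  # assumption: native mapping uses a NetBIOS source port
    return report

def classify(entry):
    """Thread heuristic (assumed, not a hard rule): a multi-host sweep from ephemeral
    source ports looks like a scanner or non-native trojan; NetBIOS-to-NetBIOS does not."""
    if entry["ephemeral_src"] and len(entry["targets"]) > 1:
        return "scanner-like: port 139 sweep from ephemeral source ports"
    if not entry["ephemeral_src"]:
        return "netbios-to-netbios: consistent with native share mapping"
    return "single ephemeral-source attempt: inconclusive"
```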