Security Incidents mailing list archives

Probes to previously accessed FTPs and UNCs in XP


From: "Eric Weaver" <eric.weaver () ids2 net>
Date: Tue, 9 Apr 2002 01:55:29 -0700


Re: POSSIBLE WORM / DDOS

Sorry for the delayed response.

I have concluded that this activity is caused by another Microsoft
misfeature.  (Whether it is a virus or not, XP is caching previously
accessed URLs/UNCs somewhere, leaving these hosts/shares potential victims for
a virus/worm.)

Findings:

Upon access to certain local directories of the "hot" machine (E:\,
E:\download\), Windows (XP Pro) causes orderly probing of previously
accessed FTP URLs & UNCs. (This explains the many Samba queries after the
FTP attempts.)

The following caused the network activity:

Start/ Run / E:\ <cr>
Start/ Run / E:\download <cr>


I searched through the local registry for the targeted IPs & share names
(also searched for possible aliases) but was unable to find anything.  I
deleted the temporary internet cache, history, etc. and rebooted.  The machine still
caused the same network activity.

Reapplying generic-folder-options to the directories that were "triggering"
this activity seemed to fix the problem.

I wonder where Microsoft is storing this information?  Those directories did
not have any abnormal/hidden files.  Odd.

Someone mentioned this may be ACEBot or GTBot.  I found no traces of these
Trojans.

I have not ruled out a virus.

The fact that this happens in regular windows explorer (not shortcut/link
inside a browser) worries me.


Thanks for everyone's $0.02.

_______________________________
Eric Weaver
tcpdump:

06:29:17.078874 10.2.2.241.1890 > 204.152.189.113.21: S 3272713560:3272713560(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:29:20.081771 10.2.2.241.1891 > 204.152.189.113.21: S 3273527112:3273527112(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:29:23.087434 10.2.2.241.1892 > 209.250.0.132.21: S 3274340020:3274340020(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:29:26.089861 10.2.2.241.1893 > 209.250.0.132.21: S 3275149251:3275149251(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:29:29.301291 10.2.2.241.1028 > 10.2.2.14.53:  161+ A? hawking.res.cmu.edu. (37)
06:29:29.302121 10.2.2.14.53 > 10.2.2.241.1028:  161 NXDomain 0/1/0 (118) (DF)
06:30:29.836128 10.2.2.241.1938 > 198.133.219.27.21: S 3293275935:3293275935(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:30:32.782191 10.2.2.241.1939 > 62.243.72.50.21: S 3294076486:3294076486(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:30:35.786356 10.2.2.241.1940 > 129.128.5.191.21: S 3294859714:3294859714(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:30:38.690326 10.2.2.241.1941 > 66.26.238.15.21: S 3295637385:3295637385(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:30:51.775416 10.2.2.241.1956 > 204.152.189.113.21: S 3299451469:3299451469(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:30:54.804154 10.2.2.241.1957 > 216.10.106.189.21: S 3300252651:3300252651(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:30:57.712465 10.2.2.241.1958 > 204.152.189.113.21: S 3301052975:3301052975(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:31:00.716285 10.2.2.241.1959 > 204.152.189.113.21: S 3301854583:3301854583(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:31:03.721980 10.2.2.241.1960 > 209.250.0.132.21: S 3302638469:3302638469(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:31:06.725382 10.2.2.241.1961 > 209.250.0.132.21: S 3303448449:3303448449(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:31:13.857898 10.2.2.241.1984 > 206.100.24.34.21: S 3306270291:3306270291(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:31:16.836273 10.2.2.241.1985 > 206.100.24.34.21: S 3307075111:3307075111(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:32:02.060208 10.2.2.241.2004 > 198.133.219.27.21: S 3319333584:3319333584(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:32:05.056510 10.2.2.241.2005 > 62.243.72.50.21: S 3320119259:3320119259(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:32:08.009097 10.2.2.241.2006 > 129.128.5.191.21: S 3320930893:3320930893(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:32:11.013294 10.2.2.241.2007 > 66.26.238.15.21: S 3321738567:3321738567(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:32:23.459155 10.2.2.241.2024 > 204.152.189.113.21: S 3325545579:3325545579(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:32:26.462660 10.2.2.241.2025 > 216.10.106.189.21: S 3326338384:3326338384(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:32:29.433905 10.2.2.241.2026 > 204.152.189.113.21: S 3327134151:3327134151(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:32:32.436725 10.2.2.241.2027 > 204.152.189.113.21: S 3327941671:3327941671(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:32:35.443518 10.2.2.241.2028 > 209.250.0.132.21: S 3328724549:3328724549(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:32:38.444911 10.2.2.241.2029 > 209.250.0.132.21: S 3329535547:3329535547(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:32:45.491534 10.2.2.241.2052 > 206.100.24.34.21: S 3332310269:3332310269(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
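An added example, not part of Eric's post or of any tool he mentions: a small Python script that parses tcpdump lines in the format of the capture above and flags, per source host, the pattern the post describes (a SYN with a fresh source port each time, at a steady interval, to several distinct hosts on port 21, with no reply seen). The excerpt embedded in SAMPLE is copied from the post's capture; the thresholds (min_hosts, tol, the 60% cadence rule) are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from statistics import median

# Excerpt of the capture from the post; the DNS line is kept to show it is ignored.
SAMPLE = """\
06:29:17.078874 10.2.2.241.1890 > 204.152.189.113.21: S 3272713560:3272713560(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:29:20.081771 10.2.2.241.1891 > 204.152.189.113.21: S 3273527112:3273527112(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:29:23.087434 10.2.2.241.1892 > 209.250.0.132.21: S 3274340020:3274340020(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:29:26.089861 10.2.2.241.1893 > 209.250.0.132.21: S 3275149251:3275149251(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:29:29.301291 10.2.2.241.1028 > 10.2.2.14.53:  161+ A? hawking.res.cmu.edu. (37)
06:30:29.836128 10.2.2.241.1938 > 198.133.219.27.21: S 3293275935:3293275935(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:30:32.782191 10.2.2.241.1939 > 62.243.72.50.21: S 3294076486:3294076486(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
"""

# One tcpdump SYN line: HH:MM:SS.ffffff SRC.SPORT > DST.DPORT: S seq:seq(0) ...
SYN_RE = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) (\d+\.\d+\.\d+\.\d+)\.(\d+) > "
                    r"(\d+\.\d+\.\d+\.\d+)\.(\d+): S \d+:\d+\(0\)")

def parse_syns(text):
    """Return (seconds, src, sport, dst, dport) for each SYN line; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = SYN_RE.match(line)
        if m:
            h, mi, s, src, sport, dst, dport = m.groups()
            out.append((int(h) * 3600 + int(mi) * 60 + float(s), src, int(sport), dst, int(dport)))
    return out

def analyze(text, dport=21, min_hosts=3, tol=1.0):
    """Per source, summarise SYNs to dport: a strictly increasing source port per attempt means
    a new socket from the application (not a kernel retransmit); a steady cadence to several
    distinct hosts is the 'orderly probing' described in the post. Thresholds are assumed."""
    by_src = defaultdict(list)
    for rec in parse_syns(text):
        if rec[4] == dport:
            by_src[rec[1]].append(rec)
    report = {}
    for src, recs in by_src.items():
        recs.sort()
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        med = median(gaps) if gaps else None
        regular = bool(gaps) and sum(abs(g - med) <= tol for g in gaps) / len(gaps) >= 0.6
        fresh = all(b[2] > a[2] for a, b in zip(recs, recs[1:]))
        hosts = len({r[3] for r in recs})
        report[src] = {"attempts": len(recs), "distinct_hosts": hosts, "median_gap": med,
                       "regular": regular, "fresh_sockets": fresh,
                       "suspicious": hosts >= min_hosts and regular and fresh}
    return report
```

Run `analyze(open("capture.txt").read())` on a full `tcpdump -n` text dump; a host reported as suspicious is worth the same check Eric did (what on the box still remembers those FTP hosts and shares) rather than an immediate worm verdict.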

