Security Incidents mailing list archives

Re: Worm on 445/tcp?

From: Ryan Yagatich <ryany () pantek com>
Date: Tue, 17 Dec 2002 20:41:58 -0500 (EST)

Not sure if I follow with that one, per the following:
Dec  8 05:24:28 delta kernel: Rejected:IN=ppp0 OUT= MAC= SRC=68.67.164.72 
DST=216.144.8.165 LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=6970 DF PROTO=TCP 
SPT=4042 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Dec  8 05:24:31 delta kernel: Rejected:IN=ppp0 OUT= MAC= SRC=68.67.164.72 
DST=216.144.8.165 LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=7018 DF PROTO=TCP 
SPT=4042 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Dec  8 05:24:37 delta kernel: Rejected:IN=ppp0 OUT= MAC= SRC=68.67.164.72 
DST=216.144.8.165 LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=7043 DF PROTO=TCP 
SPT=4042 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Dec  8 15:40:19 delta kernel: Rejected:IN=ppp0 OUT= MAC= SRC=4.62.187.134 
DST=216.144.8.191 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=34489 DF PROTO=TCP 
SPT=3857 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Dec  8 15:40:22 delta kernel: Rejected:IN=ppp0 OUT= MAC= SRC=4.62.187.134 
DST=216.144.8.191 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=34701 DF PROTO=TCP 
SPT=3857 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Dec  8 15:40:28 delta kernel: Rejected:IN=ppp0 OUT= MAC= SRC=4.62.187.134 
DST=216.144.8.191 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=35014 DF PROTO=TCP 
SPT=3857 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0

my second octect is 144, above the 127 rule. but, unless you are reading 
backwards (and the second being the third and the fourth being the first)
then the 216 is still above the 127 rule... Then again, i may have missed 
part of the posts and spt could be originating from 445 as well, which in 
that case this could be just regular network rejects as usual.



,_____________________________________________________,
\ Ryan Yagatich                     support () pantek com \
/ Pantek Incorporated                  (877) LINUX-FIX /
\ http://www.pantek.com                 (440) 519-1802 \
/                                                      /
\___E8354282324E636DB5FF7B8A6EDED51FD02C06C68D3DB695___\

On Tue, 17 Dec 2002, Stephen J. Friedl wrote:

Scott A.McIntyre wrote:

<SNIP>


The scanning pattern *is* random, though with a twist. It uses the 
rand() function twice to create a random IP address, but this function 
only has 15 bits of pseudorandomness. The upshot is that the second and 
fourth octets of the IP address will always be in the range 0..127. So 
my IP at home (64.170.X.X) won't ever get any hits.


</SNIP>


Steve




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Worm on 445/tcp? Scott A . McIntyre (Dec 17)
- Re: Worm on 445/tcp? Scott Fendley (Dec 17)
- Re: Worm on 445/tcp? Joe Blatz (Dec 17)
  - Re: Worm on 445/tcp? james (Dec 17)
- Re: Worm on 445/tcp? Stephen J. Friedl (Dec 17)
  - Re: Worm on 445/tcp? Ryan Yagatich (Dec 18)
- <Possible follow-ups>
- RE: Worm on 445/tcp? OBrien, Brennan (Dec 17)
- Re: Worm on 445/tcp? Tom . Gast (Dec 17)
- Re: Worm on 445/tcp? Stephen Friedl (Dec 18)
- Re: Worm on 445/tcp? Kyle Lai (Dec 20)