Security Incidents mailing list archives
Re: Strange traffic...
From: Mark Tinberg <tinberg () securepipe com>
Date: Fri, 11 Jan 2002 22:08:17 -0600 (CST)
On Fri, 11 Jan 2002, John Oliver wrote:
> I noticed one of my clients' machines seeing a lot more traffic than normal. tcpdump on the firewall got me stuff like:
>
> 13:27:20.932382 eth0 < skurup.datlab.bth.se.3509 > hostx.4059: . 487424:488884(1460) ack 1 win 17520 (DF)
> [..snip..]
>
> nmap for hostx says:
>
> Starting nmap V. 2.53 by fyodor () insecure org ( www.insecure.org/nmap/ )
> Interesting ports on hostx (www.xxx.yyy.zzz):
> (The 65512 ports scanned but not shown below are in state: closed)
> Port       State       Service
> 21/tcp     open        ftp
> 80/tcp     open        http
> 99/tcp     open        metagram
> 135/tcp    open        loc-srv
> 139/tcp    open        netbios-ssn
> 443/tcp    open        https
> 808/tcp    open        unknown
> 881/tcp    open        unknown
> 1029/tcp   open        unknown
> 1081/tcp   open        unknown
> 1082/tcp   open        unknown
> 1083/tcp   open        ansoft-lm-1
> 1433/tcp   open        ms-sql-s
> 1720/tcp   filtered    unknown
> 2080/tcp   open        unknown
> 2429/tcp   open        unknown
> 4080/tcp   open        unknown
> 4899/tcp   open        unknown
> 5631/tcp   open        pcanywheredata
> 31333/tcp  open        unknown
> 44442/tcp  open        unknown
> 44443/tcp  open        unknown
> 65301/tcp  open        pcanywhere
>
> Nmap run completed -- 1 IP address (1 host up) scanned in 212 seconds
>
> Hostx is an NT Server 4.0 box, SP6a, running IIS, Cold Fusion, and some other webhosting-related stuff. I'm not extremely familiar with NT, so could use some thoughts here.
The sending host is probably compromised. They seem to have PCAnywhere installed, but I would bet that one of the other ports is for another piece of remote-control software 8^). Looks like it has scads of DCE-RPC services open and NetBIOS/SMB/CIFS, it's an easy target.

- --
Mark Tinberg <MTinberg () securepipe com>
Network Security Engineer, SecurePipe Inc.
Remember: Wherever you go, there you are!
Key fingerprint = AF6B 0294 EE33 D802 F7A1 38A4 CF52 5FE0 7470 E5F7
Your daily fortune . . .
You can rent this space for only $5 a week.
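One way to triage the nmap listing John quotes, as an added example that is not part of this thread: parse nmap's port table and bucket each open port against an assumed baseline for a public NT 4.0 IIS/ColdFusion host. The baseline, the risky-service list and the trimmed sample listing are my assumptions, not anything either poster stated.

```python
import re
# Constructed sample: the nmap 2.53 port table quoted in the thread
# (trimmed to the ports discussed), so the script runs offline.
NMAP_OUTPUT = """\
Port       State       Service
21/tcp     open        ftp
80/tcp     open        http
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
443/tcp    open        https
1433/tcp   open        ms-sql-s
1720/tcp   filtered    unknown
5631/tcp   open        pcanywheredata
31333/tcp  open        unknown
65301/tcp  open        pcanywhere
"""

# Assumed baseline for an Internet-facing NT 4.0 IIS/ColdFusion host, and
# services that should not be reachable from the Internet on such a host.
EXPECTED = {21, 80, 443}
RISKY = {135: "DCE-RPC endpoint mapper (loc-srv)", 139: "NetBIOS/SMB/CIFS",
         1433: "MS SQL Server", 5631: "pcAnywhere data", 65301: "pcAnywhere"}
LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")

def parse_nmap(text):
    """Return (port, proto, state, service) tuples from nmap's port table."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows

def triage(rows, expected=EXPECTED, risky=RISKY):
    """Bucket each open port; filtered/closed ports are skipped, not exposure."""
    out = {"expected": [], "risky": [], "unexplained": []}
    for port, _proto, state, service in rows:
        if state != "open":
            continue
        if port in risky:
            out["risky"].append((port, risky[port]))
        elif port in expected:
            out["expected"].append((port, service))
        else:
            out["unexplained"].append((port, service))
    return out

if __name__ == "__main__":
    for bucket, items in triage(parse_nmap(NMAP_OUTPUT)).items():
        print(bucket, items)
```

Every port that lands in "unexplained" needs an owner and a reason before the host can be considered clean; the "risky" bucket is what Mark's reply is pointing at.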