Security Incidents mailing list archives

Re: Strange traffic...


From: Mark Tinberg <tinberg () securepipe com>
Date: Fri, 11 Jan 2002 22:08:17 -0600 (CST)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 11 Jan 2002, John Oliver wrote:

I noticed one of my clients' machines seeing a lot more traffic than
normal.  tcpdump on the firewall got me stuff like:

13:27:20.932382 eth0 < skurup.datlab.bth.se.3509 > hostx.4059: .
487424:488884(1460) ack 1 win 17520 (DF)

[..snip..]

nmap for hostx says:

Starting nmap V. 2.53 by fyodor () insecure org ( www.insecure.org/nmap/ )
 Interesting ports on hostx (www.xxx.yyy.zzz):
(The 65512 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
80/tcp     open        http
99/tcp     open        metagram
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
443/tcp    open        https
808/tcp    open        unknown
881/tcp    open        unknown
1029/tcp   open        unknown
1081/tcp   open        unknown
1082/tcp   open        unknown
1083/tcp   open        ansoft-lm-1
1433/tcp   open        ms-sql-s
1720/tcp   filtered    unknown
2080/tcp   open        unknown
2429/tcp   open        unknown
4080/tcp   open        unknown
4899/tcp   open        unknown
5631/tcp   open        pcanywheredata
31333/tcp  open        unknown
44442/tcp  open        unknown
44443/tcp  open        unknown
65301/tcp  open        pcanywhere

Nmap run completed -- 1 IP address (1 host up) scanned in 212 seconds

Hostx is an NT Server 4.0 box, SP6a, running IIS, Cold Fusion, and some
other webhosting-related stuff. I'm not extremely familiar with NT, so
could use some thoughts here.



The sending host is probably compromised.  They seem to have PCAnywhere
installed, but I would bet that one of the other ports is for another
piece of remote-control software 8^).  Looks like it has scads of DCE-RPC
services open and NetBIOS/SMB/CIFS, it's an easy target.

- -- 
Mark Tinberg <MTinberg () securepipe com>
Network Security Engineer, SecurePipe Inc.
Remember:  Wherever you go, there you are!
Key fingerprint = AF6B 0294 EE33 D802 F7A1  38A4 CF52 5FE0 7470 E5F7

        Your daily fortune . . .

You can rent this space for only $5 a week.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://quantumlab.net/pine_privacy_guard/

iEYEARECAAYFAjw/trIACgkQz1Jf4HRw5ff7DACgvTjXleYPrllrhZrf1Tr/6EdJ
mVYAmgPFM646GoRszA+j48Cqwbrf2a2l
=7jNd
-----END PGP SIGNATURE-----

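As an added example (not part of the thread or anyone's posted code), the following script does the triage Mark did by eye: it parses the tcpdump line and the nmap 2.53 listing quoted in the post, then groups the open ports into what the poster expects on a web-hosting box, remote-control tools, Windows RPC/SMB, the database, and everything left unexplained. The port-to-service roles (Radmin on 4899, pcAnywhere on 5631/5632/65301, SMB on 445, SQL Server on 1433) are assumed from vendor defaults and nmap's own labels, not established by the thread; an open port only suggests the service until a banner grab confirms it.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the tcpdump line and the nmap port listing quoted
# in the post above, reproduced so the script runs offline.
SAMPLE_TCPDUMP = ("13:27:20.932382 eth0 < skurup.datlab.bth.se.3509 > hostx.4059: . "
                  "487424:488884(1460) ack 1 win 17520 (DF)")

SAMPLE_NMAP = """\
Port       State       Service
21/tcp     open        ftp
80/tcp     open        http
99/tcp     open        metagram
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
443/tcp    open        https
808/tcp    open        unknown
881/tcp    open        unknown
1029/tcp   open        unknown
1081/tcp   open        unknown
1082/tcp   open        unknown
1083/tcp   open        ansoft-lm-1
1433/tcp   open        ms-sql-s
1720/tcp   filtered    unknown
2080/tcp   open        unknown
2429/tcp   open        unknown
4080/tcp   open        unknown
4899/tcp   open        unknown
5631/tcp   open        pcanywheredata
31333/tcp  open        unknown
44442/tcp  open        unknown
44443/tcp  open        unknown
65301/tcp  open        pcanywhere
"""

# Assumed roles (vendor default ports, not facts stated in the thread).
EXPECTED_WEB_HOSTING = {21: "FTP", 80: "HTTP", 443: "HTTPS"}   # what the poster says the box is for
REMOTE_CONTROL = {4899: "Radmin default", 5631: "pcAnywhere data",
                  5632: "pcAnywhere status", 65301: "pcAnywhere (older versions)"}
WINDOWS_RPC_SMB = {135: "DCE-RPC endpoint mapper", 139: "NetBIOS session / SMB", 445: "SMB over TCP"}
DATABASE = {1433: "Microsoft SQL Server"}


@dataclass
class TcpSegment:
    direction: str      # "in" for "eth0 <", "out" for "eth0 >"
    src_host: str
    src_port: int
    dst_host: str
    dst_port: int
    seq_start: int      # tcpdump prints relative sequence numbers once it has seen
    seq_end: int        # the SYN, so seq_end approximates bytes src has sent so far
    payload_len: int
    ack: int            # ack 1 means the other side has sent no data yet


_TCPDUMP_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<iface>\S+)\s+(?P<dir>[<>])\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"
    r"(?P<flags>\S+)\s+(?P<seq0>\d+):(?P<seq1>\d+)\((?P<len>\d+)\)\s+ack\s+(?P<ack>\d+)")


def _split_endpoint(endpoint):
    host, port = endpoint.rsplit(".", 1)     # tcpdump 3.x joins host and port with a dot
    return host, int(port)


def parse_tcpdump(line):
    """Parse one classic tcpdump TCP data line: 'host.port > host.port: flags seq:seq(len) ack N ...'."""
    m = _TCPDUMP_RE.match(line)
    if not m:
        raise ValueError("not a tcpdump TCP data line: %r" % line)
    src_host, src_port = _split_endpoint(m.group("src"))
    dst_host, dst_port = _split_endpoint(m.group("dst"))
    return TcpSegment("in" if m.group("dir") == "<" else "out", src_host, src_port, dst_host, dst_port,
                      int(m.group("seq0")), int(m.group("seq1")), int(m.group("len")), int(m.group("ack")))


def parse_nmap(text):
    """Return {port: (state, nmap_service_label)} from an nmap 2.x normal-output port table."""
    ports = {}
    for m in re.finditer(r"^(\d+)/(?:tcp|udp)\s+(\w+)\s+(\S+)\s*$", text, re.M):
        ports[int(m.group(1))] = (m.group(2), m.group(3))
    return ports


def triage(ports):
    """Group the open ports by what their presence implies for an NT 4.0 web server."""
    groups = {"expected_web_hosting": [], "remote_control": [], "windows_rpc_smb": [],
              "database": [], "unexplained": []}
    for port, (state, _label) in sorted(ports.items()):
        if state != "open":                 # filtered ports tell us about the firewall, not the host
            continue
        for name, table in (("expected_web_hosting", EXPECTED_WEB_HOSTING), ("remote_control", REMOTE_CONTROL),
                            ("windows_rpc_smb", WINDOWS_RPC_SMB), ("database", DATABASE)):
            if port in table:
                groups[name].append(port)
                break
        else:
            groups["unexplained"].append(port)   # needs a banner grab / epmap query to name
    return groups


def report(ports):
    """Human-readable summary of triage(); the unexplained list is the follow-up work."""
    lines = []
    for name, members in triage(ports).items():
        lines.append("%-21s %s" % (name + ":", ", ".join(str(p) for p in members) or "-"))
    return "\n".join(lines)


if __name__ == "__main__":
    seg = parse_tcpdump(SAMPLE_TCPDUMP)
    print("%s %s:%d -> %s:%d, %d payload bytes, ~%d bytes sent so far, peer ack=%d"
          % (seg.direction, seg.src_host, seg.src_port, seg.dst_host, seg.dst_port,
             seg.payload_len, seg.seq_end, seg.ack))
    print(report(parse_nmap(SAMPLE_NMAP)))
```

The "unexplained" bucket is the actionable output: on NT 4.0 the DCE-RPC dynamic endpoints also sit above 1024, so several of those ports may simply be RPC, but nothing in the scan distinguishes them from a second remote-control tool, so each one should be connected to and fingerprinted before the host is trusted.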

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com