Security Incidents mailing list archives

RE: Stopping information leakage

From: "Jerry Shenk" <jshenk () decommunications com>
Date: Tue, 13 May 2003 16:58:33 -0400
It's even worse than tracking who came by....that will cause the victim to
pass NetBIOS authentication information to the host site (210.222.4.129).
The victim site could be sniffing all NetBIOS traffic and then replay it and
collect it with L0phtcrack and crack the password hashes.

I would agree that this points to the value of egress filtering.....in a BIG
way!

I've been recommending html to text mail conversions but sometimes people
like their html e-mail just a bit too much.....I just turned it off for one
client this AM;(

-----Original Message-----
From: Stark, Vernon L. [mailto:Vern.Stark () jhuapl edu]
Sent: Tuesday, May 13, 2003 12:33 PM
To: 'incidents () securityfocus com'
Subject: Stopping information leakage


        I recently spotted several of our hosts attempting to contact a host
in Korea primarily on TCP ports 139 and 445.  We believe we've run this to
ground.  Our analysis suggests this is due to a news site that has probably
had their web page hacked.  The web page contains the following source code:

<img src=file://210.222.4.129/web.jpg>

Packets captured from one of our hosts indicate that almost immediately
after receiving this content, the host attempts to contact host
210.222.4.129 on port 445 and then on port 139.  Various hosts involved have
also used ports TCP 21 and UDP 137.  According to www.apnic.net,
210.222.4.129 is assigned to the Korea Network Information Center.  When I
e-mailed the owner of the web site, he promptly called me.  He indicated
that he had removed the content shown above and it later reappeared.

        This content at least gives the attacker the ability to see who
visits the web site.  Depending upon the web site with the hacked content,
this may provide the attacker with the ability to harvest a very useful
member list.  Moreover, if ports 139 and 445 are not blocked outbound,
additional information leakage can result since the Korean host (when last
tested) will gladly accept connections on port 139.  A host can report host
name, operating system, domain name, etc.  This emphasizes the importance of
having a policy that denies all traffic except that required.  Such a policy
will generally deny outbound traffic on ports 139 and 445 since this traffic
is generally only appropriate on the intranet.

        The following Snort rules have been used to track this particular
traffic:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Content 210.222.4.129
spotted.  Korean port 139 host."; content:"210.222.4.129"; )

alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"Content 210.222.4.129
spotted.  Korean port 139 host."; content:"210.222.4.129"; )

alert tcp $HOME_NET any -> $EXTERNAL_NET 139 (msg:"Outgoing port 139
activity"; )

alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"Outgoing port 445
activity"; )

Vern Stark, GCIA, GSEC
JHU/APL

Any opinions expressed are mine and may not reflect those of my employer.



----------------------------------------------------------------------------
*** Wireless LAN Policies for Security & Management - NEW White Paper ***
Just like wired networks, wireless LANs require network security policies
that are enforced to protect WLANs from known vulnerabilities and threats.
Learn to design, implement and enforce WLAN security policies to lockdown
enterprise WLANs.

To get your FREE white paper visit us at:
http://www.securityfocus.com/AirDefense-incidents
----------------------------------------------------------------------------



----------------------------------------------------------------------------
*** Wireless LAN Policies for Security & Management - NEW White Paper ***
Just like wired networks, wireless LANs require network security policies 
that are enforced to protect WLANs from known vulnerabilities and threats. 
Learn to design, implement and enforce WLAN security policies to lockdown enterprise WLANs.

To get your FREE white paper visit us at:    
http://www.securityfocus.com/AirDefense-incidents
----------------------------------------------------------------------------
Current thread:

Stopping information leakage Stark, Vernon L. (May 13)
- RE: Stopping information leakage Jerry Shenk (May 13)
- <Possible follow-ups>
- RE: Stopping information leakage Jerry Shenk (May 13)
- RE: Stopping information leakage James C. Slora, Jr. (May 14)