Security Incidents mailing list archives
Re: TCP port 5000 syn increasing
From: "Bob" <bob () catch23 kicks-ass net>
Date: Sun, 23 May 2004 21:32:37 -0400
It looks like it to me. The rootkits I found may have been initiated by some variety of bobax. I found some other interesting things; if I find anything that seems significant, I'll send it along.

----- Original Message -----
From: "Kelly, Lee" <kellyl () fortrex com>
To: "Bob" <bob () catch23 kicks-ass net>; <incidents () securityfocus com>
Sent: Thursday, May 20, 2004 7:27 PM
Subject: RE: TCP port 5000 syn increasing
Someone may have already put forth this so I apologize for the redundancy.
This sounds like the bobax virus described by Symantec at http://securityresponse.symantec.com/avcenter/venc/data/w32.bobax.b.html
-----Original Message-----
From: Bob [mailto:bob () catch23 kicks-ass net]
Sent: Thu 5/20/2004 2:01 PM
To: incidents () securityfocus com
Cc:
Subject: Re: TCP port 5000 syn increasing

I have noticed the TCP port 5000s also, and I'm getting a fair amount from the same IPs on 445 TCP. Thinking there may be a connection, I returned the call on a few of the IPs that are knocking on my door on 5000 and 445, checking for a few common ports. I saw a lot of TCP ports 21 and 113; port 21 consistently said "220 FTP Server ready". Anonymous login works, and the working directory was always "C:/TEMP", with full read access to C:/. In that directory is d0r1t1s.exe, so naturally I RETR it. It's an SFX, looks like an IRC rootkit, built on HackerDefender. I googled for some of the filenames in the SFX and found http://www.windowsbbs.com/showthread.php?p=158096#post158096

I'm wondering if it doesn't initially get dropped by http://www.lurhq.com/bobax.html or some similar thing. I assume something new on the IRC-Warez thing. Let's find out more. I list files and sort by date, to find the running kit; found many variants had dropped various dirs with arbitrary names in /system32, kits found. I grab a few. What I found is a multi-functional rootkit, uses many tools to do its work, uses X-focus's X-scan, dumps usernames and PWs to HTML files named from the corresponding IP. It uses a renamed psexec.exe from Winternals, and common to them also seems to be what looks like an IRC bouncer, of which the various mutations that I have seem to have one thing in common: they all try to connect to different IP addresses at q8hell.org. I'm out of time right now; I'll dig deeper into this later if anyone is interested.

----- Original Message -----
From: "Steven Trewick" <STrewick () joplings co uk>
To: "'Frank Knobbe'" <frank () knobbe us>; "Paul Schmehl" <pauls () utdallas edu>
Cc: <incidents () securityfocus com>
Sent: Wednesday, May 19, 2004 7:08 AM
Subject: RE: TCP port 5000 syn increasing

> That begs the question if it isn't becoming useless nowadays to count port scans.

IMHO it has *never* been sufficient to simply count and analyse probes by port. It is simply not possible to identify network traffic in this way. A probe on tcp 139 could be a worm, a misconfigured XP box, a sKiddie running nmap; frankly it could be anything.

> Perhaps we should focus instead on catching the worms and provide payload, or payload hashes.

Yes, an excellent idea. If I see unusual tcp probes at my borders, I usually at least hook up a quick netcat listener to see if anything appears; obviously UDP traffic can be logged straight off the wire. This is really a minimum of info to collect (and it's still an awful lot). Counting probes will give you nothing but largely meaningless numbers.

> Otherwise, how would you pick up the new strain of SQL slammer amongst all the existing SQL port scans?

You wouldn't. Because you simply wouldn't know what you were looking at. The ability to say "12.53 % of unsolicited traffic at my network border is directed at tcp port 25" tells you absolutely nothing until you know why that traffic is arriving, and what the traffic contains. Port 25 for instance could be spam, could be a sendmail exploit, could be a misconfigured mail server somewhere, could be legit mail, could be a worm using a sendmail exploit to spread (and send spam, blended threat, see ?)

$LOCAL_CURRENCY 0.02 '-)

---------------------------------------------------------------------------
Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN, wireless security
Protect your network against hackers, viruses, spam and other risks with Astaro Security Linux, the comprehensive security solution that combines six applications in one software solution for ease of use and lower total cost of ownership. Download your free trial at http://www.securityfocus.com/sponsor/Astaro_incidents_040517
---------------------------------------------------------------------------
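Added example, not code from any poster in this thread: the two triage steps the thread describes, done in Python. First, Bob's observation that the same sources hit both 5000 and 445 is recovered by grouping SYN log lines per source and intersecting the ports, which a per-port count (the "12.53 % of traffic to port 25" number Steven calls meaningless) cannot show. Second, Steven's "quick netcat listener" is a one-connection sink that returns the first bytes a prober sends, so a bare SYN scan can be told apart from something that actually talks. The iptables-style log lines and addresses are constructed for illustration, and the self-test connects to its own sink on 127.0.0.1 so it runs offline.

```python
"""Added example (not from the original thread): correlate unsolicited SYNs
by source across ports, then capture the first payload bytes with a sink
listener. Log format and addresses are constructed for illustration."""
import re
import socket
import threading
from collections import Counter, defaultdict

# Constructed iptables-style log lines; not real traffic from the thread.
SAMPLE_LOG = """\
May 20 13:58:01 fw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=3451 DPT=5000 SYN
May 20 13:58:02 fw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=3452 DPT=445 SYN
May 20 13:58:05 fw kernel: DROP IN=eth0 SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP SPT=1025 DPT=5000 SYN
May 20 13:58:09 fw kernel: DROP IN=eth0 SRC=203.0.113.4 DST=198.51.100.5 PROTO=TCP SPT=2201 DPT=25 SYN
May 20 13:58:11 fw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=3453 DPT=5000 SYN
May 20 13:58:12 fw kernel: DROP IN=eth0 SRC=192.0.2.33 DST=198.51.100.5 PROTO=TCP SPT=4100 DPT=445 SYN
May 20 13:58:15 fw kernel: DROP IN=eth0 SRC=192.0.2.33 DST=198.51.100.5 PROTO=TCP SPT=4101 DPT=5000 SYN
"""

LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+) SYN")


def count_by_port(log):
    """The per-port view: how many SYNs landed on each destination port."""
    counts = Counter()
    for m in LINE_RE.finditer(log):
        counts[int(m.group("dpt"))] += 1
    return counts


def ports_by_source(log):
    """Which destination ports each source touched (a set, not a count)."""
    seen = defaultdict(set)
    for m in LINE_RE.finditer(log):
        seen[m.group("src")].add(int(m.group("dpt")))
    return seen


def correlated_sources(log, ports=(5000, 445)):
    """Sources that probed every port in `ports`, sorted for stable output."""
    want = set(ports)
    return sorted(src for src, p in ports_by_source(log).items() if want <= p)


def open_sink(host="127.0.0.1", port=0):
    """Bind a listening socket; port 0 lets the OS pick a free port (used by
    the offline self-test). On a real border you would bind the probed port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(1)
    return s


def receive_one(sink, timeout=5.0, max_bytes=512):
    """Accept one connection and return (peer_ip, first payload bytes).
    An empty payload means the client completed the handshake and sent
    nothing: a plain SYN/connect scan rather than a worm that speaks first."""
    sink.settimeout(timeout)
    conn, (peer, _) = sink.accept()
    conn.settimeout(timeout)
    try:
        data = conn.recv(max_bytes)
    except socket.timeout:
        data = b""
    finally:
        conn.close()
    return peer, data


def demo_capture(payload=b"\x00\x00\x00\x85\xffSMBr"):
    """Offline self-test: connect to our own sink and send a constructed
    payload (the default mimics an SMB negotiate header, chosen here for
    illustration only). Returns (peer_ip, payload_hex)."""
    sink = open_sink()
    port = sink.getsockname()[1]

    def client():
        with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
            c.sendall(payload)

    t = threading.Thread(target=client)
    t.start()
    peer, data = receive_one(sink)
    t.join()
    sink.close()
    return peer, data.hex()


if __name__ == "__main__":
    print("per-port counts:", dict(count_by_port(SAMPLE_LOG)))
    print("sources hitting both 5000 and 445:", correlated_sources(SAMPLE_LOG))
    print("captured:", demo_capture())
```

On the constructed log the per-port count says only "four SYNs to 5000, two to 445, one to 25", while the correlation shows that 192.0.2.10 and 192.0.2.33 hit both 5000 and 445 and 203.0.113.4 is unrelated noise on 25. The sink returns the raw bytes, which is what you would hash or compare against a known sample; it deliberately does not reply, so it cannot be used to fetch anything from the prober.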
Current thread:
- Re: TCP port 5000 syn increasing, (continued)
- Re: TCP port 5000 syn increasing Harlan Carvey (May 19)
- RE: TCP port 5000 syn increasing Nick FitzGerald (May 19)
- RE: TCP port 5000 syn increasing Nick FitzGerald (May 19)
- RE: TCP port 5000 syn increasing Paul Schmehl (May 19)
- RE: TCP port 5000 syn increasing Steven Trewick (May 18)
- RE: [Securityfocus-incidents] RE: TCP port 5000 syn increasing Remko Lodder (May 18)
- RE: TCP port 5000 syn increasing Steven Trewick (May 19)
- Re: TCP port 5000 syn increasing Bob (May 20)
- RE: TCP port 5000 syn increasing Meidinger Chris (May 21)
- Re: TCP port 5000 syn increasing Valdis . Kletnieks (May 21)
- Re: TCP port 5000 syn increasing Bob (May 25)