Re: Strange port 135 probing, possibly a bot

[Doug Pearson <dodpears () INDIANA EDU>]

Jeff,

I can confirm that TCP 135 took a significant upswing 13-15 Nov on Abilene and has since dropped back to near "normal" 
levels. See the attached graph. Daily views of the stats are available at:
http://ren-isac.net/monitoring.cgi

I've passed you question re what-gives on to a group of ISAC and US-CERT analysts.

Doug Pearson
Research and Education Networking ISAC
24x7 Watch Desk: +1(317)278-6630, ren-isac () iu edu
http://www.ren-isac.net


At 03:36 PM 11/18/2004 -0500, Jeff Kell wrote:
> For the past few days we have had a dozen or two machines pop up with
> some as-yet-unidentified virus/worm/bot that appears to try to connect
> to random addresses in the same /8 subnet as the host on tcp/135.  I
> have seen no other traffic from these hosts.  I can't get a packet
> capture of any meaningful payload because the outgoing SYNs are being
> blocked by our access lists at the border.
>
> nmaps are not terribly consistent other than all apparently sharing
> tcp/113 being open.  Symantec AV with latest definitions doesn't find
> anything, nor does SpyBot, HijackThis, Stinger, or a number of other
> tools we have tried.  Our field crews have come up empty thus far and
> I'm waiting on an empty machine for forensics.  The startup registry
> entries didn't have any glowing sore thumbs, so the beast is well
> hidden, or installs as a wrapper to a legitimate service.
>
> I haven't seen anything posted about unusual tcp/135 activity, although
> there was an upswing in it according to DShield (before their database
> went belly-up).  Has anyone seen anything like this recently?
>
> Jeff Kell
> System/Network Security
> University of Tennessee at Chattanooga

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.