Educause Security Discussion mailing list archives

Re: Strange port 135 probing, possibly a bot


From: "Wayne J. Hauber" <wjhauber () IASTATE EDU>
Date: Thu, 18 Nov 2004 16:34:24 -0600

At 03:26 PM 11/18/2004, Steven Alexander wrote:
The SysInternals' Process Explorer will tell you everything that is
running on the system and what files, registry keys and DLLs each process
is using:

http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

SysInternals' TCPView will tell you which processes are connected to each
TCP/UDP endpoint on the system:

http://www.sysinternals.com/ntw2k/source/tcpview.shtml

If you have a system that is not revealing the trojan software, you may
have "hide-out" software as well as a trojan. Try capturing some of the
file activity to see if you can locate the trojan.

Yesterday, I discovered several systems at ISU that were obviously
compromised by the IRC crowd but were using a "hide out" tool that is
similar to hackdefender. One of the systems was a server that the owner
desperately wanted to clean. This system was so thoroughly blocked that
tcpview could not see the port even though I could see it remotely with
nmap. Netstat could not display the port either. All of the trojan files
were hidden as well. When I ultimately found the files, Windows Explorer
could not display them. None of the usual AV software and anti-spyware
software could see the tools either.

I ultimately captured a few seconds of file activity with File Monitor from
SysInternals:

http://www.sysinternals.com/ntw2k/source/filemon.shtml

In that log I found activity that illuminated the path to the trojans, eggdrop
scripts and more. It appeared that the hide-out software did not block
File Monitor.

When you find the directory that the hide-out software is using, you will
find that the only way to inspect it is a command prompt. Apparently, the
cd command can't be blocked by hide-out software. You can "cd" to the
directory and find the tools.

Once I found the tools and tried to xcopy them to my system, McAfee
VirusScan identified one of the programs as "hideout". It was revealed to
the on-access scanner during the copy.


I hope this helps.

Steven Alexander
Programmer Analyst
Merced College

-----Original Message-----
From: Jeff Kell [mailto:jeff-kell () UTC EDU]
Sent: Thursday, November 18, 2004 12:36 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Strange port 135 probing, possibly a bot

For the past few days we have had a dozen or two machines pop up with
some as-yet-unidentified virus/worm/bot that appears to try to connect
to random addresses in the same /8 subnet as the host on tcp/135.  I
have seen no other traffic from these hosts.  I can't get a packet
capture of any meaningful payload because the outgoing SYNs are being
blocked by our access lists at the border.

nmaps are not terribly consistent other than all apparently sharing
tcp/113 being open.  Symantec AV with latest definitions doesn't find
anything, nor does SpyBot, HijackThis, Stinger, or a number of other
tools we have tried.  Our field crews have come up empty thus far and
I'm waiting on an empty machine for forensics.  The startup registry
entries didn't have any glowing sore thumbs, so the beast is well
hidden, or installs as a wrapper to a legitimate service.

I haven't seen anything posted about unusual tcp/135 activity, although
there was an upswing in it according to DShield (before their database
went belly-up).  Has anyone seen anything like this recently?

Jeff Kell
System/Network Security
University of Tennessee at Chattanooga

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at
http://www.educause.edu/groups/.



Wayne Hauber (515) 294-9890
Network Information & Microcomputer Network Services
Office of Academic Information Technologies
109 Durham Center, ISU, Ames, Iowa 50011
wjhauber () iastate edu
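Wayne's key observation is that a hidden listener still shows up to a remote scanner even when the host's own netstat/TCPView omit it. The script below is an added illustration of that cross-view check and is not from the mailing list; it parses constructed samples in Windows `netstat -an` and nmap grepable (`-oG`) formats rather than performing a live scan, and the port numbers in the samples are made up for the demonstration.

```python
"""Cross-view check: TCP ports a remote scanner reports open that the
host's own netstat does not list as LISTENING.  Added example; inputs are
constructed samples, no live scan is performed."""
import re

# Constructed sample of `netstat -an` as run on the suspect host.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:3389        198.51.100.7:51234     ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Constructed nmap -oG line for the same host, scanned from another machine.
NMAP_GREPABLE_SAMPLE = (
    "Host: 192.0.2.10 ()\tPorts: 113/open/tcp//ident///, "
    "135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, "
    "445/open/tcp//microsoft-ds///, 6667/open/tcp//irc///\t"
    "Ignored State: closed (995)"
)


def local_listening_tcp(netstat_text):
    """TCP ports the host itself reports in LISTENING state."""
    ports = set()
    for line in netstat_text.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def remote_open_tcp(grepable_text):
    """TCP ports that nmap's grepable output marks as open."""
    return {int(p) for p in re.findall(r"(\d+)/open/tcp", grepable_text)}


def hidden_listeners(netstat_text, grepable_text):
    """Ports reachable from the network but absent from the local view:
    the discrepancy a rootkit hiding a listener from netstat produces."""
    return sorted(remote_open_tcp(grepable_text) - local_listening_tcp(netstat_text))


if __name__ == "__main__":
    for port in hidden_listeners(NETSTAT_SAMPLE, NMAP_GREPABLE_SAMPLE):
        print(f"port {port}/tcp is open remotely but not listed locally")
```

Ports that appear only in the remote view are the ones to take to a file-activity capture, as described above; a discrepancy can also come from a host firewall or NAT in front of the box, so confirm where the scan was run from.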
