Educause Security Discussion mailing list archives
Re: Strange port 135 probing, possibly a bot
From: "Wayne J. Hauber" <wjhauber () IASTATE EDU>
Date: Thu, 18 Nov 2004 16:34:24 -0600
At 03:26 PM 11/18/2004, Steven Alexander wrote:
> The SysInternals' Process Explorer will tell you everything that is running on the system and what files, registry keys and DLLs each process is using:
> http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
>
> SysInternals' TCP View will tell you which processes are connected to each TCP/UDP endpoint on the system:
> http://www.sysinternals.com/ntw2k/source/tcpview.shtml
If you have a system that is not revealing the trojan software, you may have "hide-out" software as well as a trojan. Try capturing some of the file activity to see if you can locate the trojan.

Yesterday, I discovered several systems at ISU that were obviously compromised by the IRC crowd but were using a "hide-out" tool that is similar to Hacker Defender. One of the systems was a server that the owner desperately wanted to clean. This system was so thoroughly blocked that TCPView could not see the port even though I could see it remotely with nmap. Netstat could not display the port either. All of the trojan files were hidden as well. When I ultimately found the files, Windows Explorer could not display them. None of the usual AV software and anti-spyware software could see the tools either.

I ultimately captured a few seconds of file activity with File Monitor from Sysinternals (http://www.sysinternals.com/ntw2k/source/filemon.shtml). In that log I found activity that illuminated the path to the trojans, eggdrop scripts and more. It appeared that the hide-out software did not block File Monitor.

When you find the directory that the hide-out software is using, you will find that the only way to inspect it is a command prompt. Apparently, the cd command can't be blocked by hide-out software. You can "cd" to the directory and find the tools. Once I found the tools and tried to xcopy them to my system, McAfee VirusScan identified one of the programs as "hideout". It was revealed to the on-access scanner during the copy.
> I hope this helps.
>
> Steven Alexander
> Programmer Analyst
> Merced College
>
> -----Original Message-----
> From: Jeff Kell [mailto:jeff-kell () UTC EDU]
> Sent: Thursday, November 18, 2004 12:36 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] Strange port 135 probing, possibly a bot
>
> For the past few days we have had a dozen or two machines pop up with some as-yet-unidentified virus/worm/bot that appears to try to connect to random addresses in the same /8 subnet as the host on tcp/135. I have seen no other traffic from these hosts. I can't get a packet capture of any meaningful payload because the outgoing SYNs are being blocked by our access lists at the border. nmaps are not terribly consistent other than all apparently sharing tcp/113 being open.
>
> Symantec AV with latest definitions doesn't find anything, nor does SpyBot, HijackThis, Stinger, or a number of other tools we have tried. Our field crews have come up empty thus far and I'm waiting on an empty machine for forensics. The startup registry entries didn't have any glowing sore thumbs, so the beast is well hidden, or installs as a wrapper to a legitimate service.
>
> I haven't seen anything posted about unusual tcp/135 activity, although there was an upswing in it according to DShield (before their database went belly-up). Has anyone seen anything like this recently?
>
> Jeff Kell
> System/Network Security
> University of Tennessee at Chattanooga
>
> **********
> Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
Wayne Hauber
(515) 294-9890
Network Information & Microcomputer Network Services
Office of Academic Information Technologies
109 Durham Center, ISU, Ames, Iowa 50011
wjhauber () iastate edu
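The behaviour Jeff describes (a host sending SYNs to random addresses in its own /8 on tcp/135, visible only as denies at the border ACL) can be hunted for directly in ACL deny logs. The following is an added example, not code from anyone in this thread; the log line format is a constructed, simplified deny-log layout rather than any vendor's real syslog format, and the alert threshold is an assumed value.

```python
"""Flag internal hosts whose blocked outbound SYNs to tcp/135 fan out
across many distinct addresses in their own /8 (the pattern from the thread).

Constructed example: the log format below is an assumed, simplified
border-ACL deny line, not any vendor's real syslog format."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines: "<time> DENY tcp <src>:<sport> -> <dst>:<dport> SYN"
SAMPLE_LOG = """\
12:00:01 DENY tcp 10.4.7.21:1034 -> 10.19.200.3:135 SYN
12:00:01 DENY tcp 10.4.7.21:1035 -> 10.77.12.9:135 SYN
12:00:02 DENY tcp 10.4.7.21:1036 -> 10.201.4.88:135 SYN
12:00:02 DENY tcp 10.4.7.21:1037 -> 10.8.99.140:135 SYN
12:00:03 DENY tcp 10.4.7.21:1038 -> 10.254.1.2:135 SYN
12:00:03 DENY tcp 10.4.9.5:2001 -> 10.4.9.10:135 SYN
12:00:04 DENY tcp 10.4.9.5:2002 -> 192.168.1.7:135 SYN
12:00:04 DENY tcp 10.4.9.5:2003 -> 10.4.9.10:445 SYN
12:00:05 DENY tcp 10.4.11.30:3100 -> 10.4.11.31:135 SYN
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) DENY tcp (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) SYN$"
)

def parse_denies(log_text):
    """Yield (src, dst, dport) for each blocked TCP SYN line; unmatched lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"])

def same_slash8(src, dst):
    """True when dst lies inside the /8 that contains src."""
    net = ipaddress.ip_network(f"{src}/8", strict=False)
    return ipaddress.ip_address(dst) in net

def find_port135_sweepers(log_text, min_targets=3):
    """Return {src: distinct_target_count} for hosts whose blocked SYNs to
    tcp/135 reach at least min_targets distinct addresses in their own /8.
    A host talking to one RPC endpoint (10.4.9.5 above) stays below threshold."""
    targets = defaultdict(set)
    for src, dst, dport in parse_denies(log_text):
        if dport == 135 and same_slash8(src, dst):
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}

if __name__ == "__main__":
    print(find_port135_sweepers(SAMPLE_LOG))  # {'10.4.7.21': 5}
```

Hosts that surface here are the ones to pull for the kind of File Monitor capture described above, since the on-host view may be lying.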
Current thread:
- Re: Strange port 135 probing, possibly a bot Christian Grewell (Nov 17)
- <Possible follow-ups>
- Strange port 135 probing, possibly a bot Jeff Kell (Nov 18)
- Re: Strange port 135 probing, possibly a bot Peter Moody (Nov 18)
- Re: Strange port 135 probing, possibly a bot Doug Pearson (Nov 18)
- Re: Strange port 135 probing, possibly a bot Steven Alexander (Nov 18)
- Re: Strange port 135 probing, possibly a bot Bob Kehr (Nov 18)
- Re: Strange port 135 probing, possibly a bot Wayne J. Hauber (Nov 18)