Educause Security Discussion mailing list archives

Re: Worm activity/port 445


From: Peter Charbonneau <Peter.Charbonneau () WILLIAMS EDU>
Date: Mon, 7 Feb 2005 07:57:49 -0500

I am also seeing quite a number of infected machines.  In our case port
113 is not open.  In ALL cases, according to NMAP, uPnP is open and the
machines are not patched higher than XP/SP1.  It's been a while since I
worried about uPnP - I guess my question, here, is ... Is uPnP still a
vector for infection?  Or, is it just that SP2 hasn't been installed
that is the real culprit?  Or, am I really asking the same thing?

I have blocked all the standard crap at the firewall:

block in quick on xl0 from any to any port = 69
block in quick on xl0 from any to any port = 81
block in quick on xl0 from any to any port = 113
block in quick on xl0 from any to any port = 135
block in quick on xl0 from any to any port = 137
block in quick on xl0 from any to any port = 139
block in quick on xl0 from any to any port = 445
block in quick on xl0 from any to any port = 1025
block in quick on xl0 from any to any port = 1080
block in quick on xl0 from any to any port = 1433
block in quick on xl0 from any to any port = 1434
block in quick on xl0 from any to any port = 2745
block in quick on xl0 from any to any port = 3067
block in quick on xl0 from any to any port = 3127
block in quick on xl0 from any to any port = 3410
block in quick on xl0 from any to any port = 4444
block in quick on xl0 from any to any port = 5000
block in quick on xl0 from any to any port = 5554
block in quick on xl0 from any to any port = 6129
block in quick on xl0 from any to any port = 6667
block in quick on xl0 from any to any port = 6668
block in quick on xl0 from any to any port = 6669
block in quick on xl0 from any to any port = 6670
block in quick on xl0 from any to any port = 7000
block in quick on xl0 from any to any port = 8192
block in quick on xl0 from any to any port = 9900
block in quick on xl0 from any to any port = 9996


Here is an NMAP scan of the machine:

Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2005-02-07
07:41 EST
Initiating SYN Stealth Scan against williams-220-56.williams.edu
(137.165.220.56) [1660 ports] at 07:41
Discovered open port 427/tcp on 137.165.220.56
Discovered open port 3689/tcp on 137.165.220.56
Discovered open port 5000/tcp on 137.165.220.56
Discovered open port 1026/tcp on 137.165.220.56
The SYN Stealth Scan took 3.79s to scan 1660 total ports.
For OSScan assuming that port 427 is open and port 1 is closed and
neither are firewalled
Insufficient responses for TCP sequencing (1), OS detection may be less
accurate
Host williams-220-56.williams.edu (137.165.220.56) appears to be up ...
good.
Interesting ports on williams-220-56.williams.edu (137.165.220.56):
(The 1652 ports scanned but not shown below are in state: closed)
PORT     STATE    SERVICE
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
427/tcp  open     svrloc
445/tcp  filtered microsoft-ds
1025/tcp filtered NFS-or-IIS
1026/tcp open     LSA-or-nterm
3689/tcp open     rendezvous
5000/tcp open     UPnP
Device type: general purpose
Running: Microsoft Windows 95/98/ME|NT/2K/XP
OS details: Microsoft Windows NT 3.51 SP5, NT 4.0 or 95/98/98SE,
Microsoft Windows Millennium Edition (Me), Windows 2000 Professional or
Advanced Server, or Windows XP, Microsoft Windows XP SP1

Nmap run completed -- 1 IP address (1 host up) scanned in 5.730 seconds


P

On Feb 4, 2005, at 5:24 PM, Mark Wilson wrote:

In many cases, we have also found port 113/tcp open on these *Bot
systems, so you may wish to scan for open port 113/tcp on your network.
Those Windows systems that have this port open are probably
compromised with the BOT.
http://isc.sans.org//show_comment.php?id=506

I routinely scan for port 113/tcp and use an expect script to telnet to
port 113.

If you get something like the below, the host is possibly being
controlled by a BOTnet:

spawn /bin/bash
spawn telnet 131.x.x 113
Trying 131.204.x.x...
Connected to 131.204.x.x.
Escape character is '^]'.

1374, 6667 : USERID : UNIX : nrwev



Mark Wilson
GCIA, CISSP #53153
Network Security Specialist
Auburn University
(334) 844-9347

blaha () TCNJ EDU 2/4/2005 1:54:52 PM >>>
We're seeing a lot of 445 scanning and an increasing rate of infection -
users complaining about a wide array of pop-ups, redirects and other
spyware type symptoms, slowing their systems to a crawl.

Anyone else seeing something similar?

Craig
--

    *Craig Blaha*
    /Associate Director
    Information Policy, Security and Web Development/
    The College of New Jersey
    PO Box 7718
    Ewing, NJ 08628
    www.tcnj.edu

--------------------------------------------------------------
Reminder: E-mail sent through the Internet is not secure.
Do not use e-mail to send confidential information
such as credit card numbers, changes of address, PIN
numbers, passwords, or other important information.
Your e-mail message is not private in
that it is subject to review by the College, its officers,
agents and employees.
--------------------------------------------------------------

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/groups/.



PeteC

Peter Charbonneau
Sr. Network and Systems Administrator
Williams College
(413) 597-3408 (desk)
(413) 822-2922 (cell)

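The port 113 check Mark describes above (connect to ident, see what the host volunteers, treat an IRC-looking reply as a bot indicator) can be scripted without expect. The following is an added example written for this archive page, not code from any of the posters. It parses RFC 1413 ident replies, flags the three things the quoted telnet session shows (a reply sent before any query, a connection to an IRC port, and a "UNIX" OS claim from a box nmap says is Windows), and includes a probe that reproduces the telnet step. The IRC port set and the `expected_os` default are assumptions drawn from the thread; the sample reply in `__main__` is constructed to match the one quoted above.

```python
import re
import socket
from dataclasses import dataclass
from typing import List, Optional

# Remote ports that suggest an IRC control channel. Assumption: taken from the
# 6667 in the quoted reply and the 6667-6670/7000 entries in the firewall rule
# list earlier in the thread; adjust to local policy.
IRC_PORTS = {6667, 6668, 6669, 6670, 7000}

# RFC 1413 reply: "<port-on-server>, <port-on-client> : USERID : <os> : <user>"
# or "<port-on-server>, <port-on-client> : ERROR : <code>".
IDENT_RE = re.compile(
    r"^\s*(?P<sport>\d+)\s*,\s*(?P<cport>\d+)\s*:\s*"
    r"(?P<kind>USERID|ERROR)\s*:\s*(?P<rest>.*?)\s*$"
)


@dataclass
class IdentReply:
    server_port: int   # local port on the host that answered ident
    client_port: int   # port at the far end of that connection
    kind: str          # "USERID" or "ERROR"
    opsys: str         # OS the identd claims (USERID replies only)
    user: str          # claimed user name, or the error code for ERROR


def parse_ident_reply(line: str) -> Optional[IdentReply]:
    """Parse one ident reply line; return None if it is not RFC 1413 shaped."""
    m = IDENT_RE.match(line)
    if not m:
        return None
    sport, cport = int(m.group("sport")), int(m.group("cport"))
    rest = m.group("rest")
    if m.group("kind") == "USERID":
        opsys, _, user = rest.partition(":")
        return IdentReply(sport, cport, "USERID", opsys.strip(), user.strip())
    return IdentReply(sport, cport, "ERROR", "", rest.strip())


def triage_reply(line: str, unsolicited: bool = True,
                 expected_os: str = "WINDOWS") -> List[str]:
    """Return the reasons a reply looks like a bot-installed identd.

    An empty list means nothing was flagged. `expected_os` is what you believe
    the host runs (nmap fingerprint, inventory); pass "" to skip that check.
    """
    reply = parse_ident_reply(line)
    if reply is None:
        return []
    reasons = []
    if unsolicited:
        reasons.append("reply sent before any query (a real identd waits for one)")
    if reply.client_port in IRC_PORTS:
        reasons.append(f"reports a connection to remote port {reply.client_port} (IRC)")
    if reply.kind == "USERID" and expected_os \
            and reply.opsys.upper() != expected_os.upper():
        reasons.append(f"claims OS '{reply.opsys}' on a host believed to run {expected_os}")
    return reasons


def probe_ident(host: str, port: int = 113, timeout: float = 3.0) -> List[str]:
    """Connect to ident, send nothing, and collect whatever the service
    volunteers, mirroring the telnet session in the thread. Needs network access."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            while True:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass  # a well-behaved identd stays silent; that is the benign case
    return [ln for ln in data.decode("ascii", "replace").splitlines() if ln.strip()]


def triage_host(host: str, expected_os: str = "WINDOWS") -> List[str]:
    """Probe one host and return human-readable findings (empty = clean)."""
    findings = []
    for line in probe_ident(host):
        for reason in triage_reply(line, unsolicited=True, expected_os=expected_os):
            findings.append(f"{host}: {line!r}: {reason}")
    return findings


if __name__ == "__main__":
    # Constructed sample matching the reply quoted in the thread.
    for reason in triage_reply("1374, 6667 : USERID : UNIX : nrwev"):
        print(reason)
```

Run `triage_host()` over the addresses your port 113 scan returned; a host that answers nothing within the timeout produces no findings, which is the expected result for an ordinary Windows box.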
