Educause Security Discussion mailing list archives
Re: Worm activity/port 445
From: Peter Charbonneau <Peter.Charbonneau () WILLIAMS EDU>
Date: Mon, 7 Feb 2005 07:57:49 -0500
I am also seeing quite a number of infected machines. In our case port 113 is not open. In ALL cases, according to NMAP, uPnP is open and the machines are not patched higher than XP/SP1. It's been a while since I worried about uPnP - I guess my question, here, is ... Is uPnP still a vector for infection? Or, is it just that SP2 hasn't been installed that is the real culprit? Or, am I really asking the same thing?

I have blocked all the standard crap at the firewall:

block in quick on xl0 from any to any port = 69
block in quick on xl0 from any to any port = 81
block in quick on xl0 from any to any port = 113
block in quick on xl0 from any to any port = 135
block in quick on xl0 from any to any port = 137
block in quick on xl0 from any to any port = 139
block in quick on xl0 from any to any port = 445
block in quick on xl0 from any to any port = 1025
block in quick on xl0 from any to any port = 1080
block in quick on xl0 from any to any port = 1433
block in quick on xl0 from any to any port = 1434
block in quick on xl0 from any to any port = 2745
block in quick on xl0 from any to any port = 3067
block in quick on xl0 from any to any port = 3127
block in quick on xl0 from any to any port = 3410
block in quick on xl0 from any to any port = 4444
block in quick on xl0 from any to any port = 5000
block in quick on xl0 from any to any port = 5554
block in quick on xl0 from any to any port = 6129
block in quick on xl0 from any to any port = 6667
block in quick on xl0 from any to any port = 6668
block in quick on xl0 from any to any port = 6669
block in quick on xl0 from any to any port = 6670
block in quick on xl0 from any to any port = 7000
block in quick on xl0 from any to any port = 8192
block in quick on xl0 from any to any port = 9900
block in quick on xl0 from any to any port = 9996

Here is an NMAP scan of the machine:

Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2005-02-07 07:41 EST
Initiating SYN Stealth Scan against williams-220-56.williams.edu (137.165.220.56) [1660 ports] at 07:41
Discovered open port 427/tcp on 137.165.220.56
Discovered open port 3689/tcp on 137.165.220.56
Discovered open port 5000/tcp on 137.165.220.56
Discovered open port 1026/tcp on 137.165.220.56
The SYN Stealth Scan took 3.79s to scan 1660 total ports.
For OSScan assuming that port 427 is open and port 1 is closed and neither are firewalled
Insufficient responses for TCP sequencing (1), OS detection may be less accurate
Host williams-220-56.williams.edu (137.165.220.56) appears to be up ... good.
Interesting ports on williams-220-56.williams.edu (137.165.220.56):
(The 1652 ports scanned but not shown below are in state: closed)
PORT     STATE    SERVICE
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
427/tcp  open     svrloc
445/tcp  filtered microsoft-ds
1025/tcp filtered NFS-or-IIS
1026/tcp open     LSA-or-nterm
3689/tcp open     rendezvous
5000/tcp open     UPnP
Device type: general purpose
Running: Microsoft Windows 95/98/ME|NT/2K/XP
OS details: Microsoft Windows NT 3.51 SP5, NT 4.0 or 95/98/98SE, Microsoft Windows Millennium Edition (Me), Windows 2000 Professional or Advanced Server, or Windows XP, Microsoft Windows XP SP1

Nmap run completed -- 1 IP address (1 host up) scanned in 5.730 seconds

P

On Feb 4, 2005, at 5:24 PM, Mark Wilson wrote:
In many cases, we have also found port 113/tcp open on these *Bot systems, so you may wish to scan for open port 113/tcp on your network. Those Windows systems that have this port open are probably compromised with the BOT.

http://isc.sans.org//show_comment.php?id=506

I routinely scan for port 113/tcp and use an expect script to telnet to port 113. If you get something like the below, the host is possibly being controlled by a BOTnet:

spawn /bin/bash
spawn telnet 131.x.x 113
Trying 131.204.x.x...
Connected to 131.204.x.x.
Escape character is '^]'.
1374, 6667 : USERID : UNIX : nrwev

Mark Wilson GCIA, CISSP #53153
Network Security Specialist
Auburn University
(334) 844-9347

>>> blaha () TCNJ EDU 2/4/2005 1:54:52 PM >>>
We're seeing a lot of 445 scanning and an increasing rate of infection - users complaining about a wide array of pop-ups, redirects and other spyware type symptoms, slowing their systems to a crawl. Anyone else seeing something similar?

Craig
--
*Craig Blaha*
/Associate Director Information Policy, Security and Web Development/
The College of New Jersey
PO Box 7718
Ewing, NJ 08628
www.tcnj.edu
--------------------------------------------------------------
Reminder: E-mail sent through the Internet is not secure. Do not use e-mail to send confidential information such as credit card numbers, changes of address, PIN numbers, passwords, or other important information. Your e-mail message is not private in that it is subject to review by the College, its officers, agents and employees.
--------------------------------------------------------------
**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
PeteC

Peter Charbonneau
Sr. Network and Systems Administrator
Williams College
(413) 597-3408 (desk)
(413) 822-2922 (cell)
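The port 113 check Mark Wilson describes above, as an added example that is not part of the original thread: it parses RFC 1413 ident replies collected from hosts on your own network and flags those reporting a connection to an IRC port. Assumptions: the first number in a reply is a port on the queried host and the second is the remote port it is connected to; the IRC port set (6667-6670, 7000) is taken from Peter's firewall block list; the sample replies are constructed.

```python
# Added example, not code from the thread. Parse RFC 1413 ident replies
# gathered from port 113 and flag hosts reporting a connection to an IRC
# port. Assumed reply layout: "<port on host>, <remote port> : ...".
# IRC port set taken from the thread's firewall block list (assumption).
IRC_PORTS = {6667, 6668, 6669, 6670, 7000}


def parse_ident_reply(line):
    """Parse '<local>, <remote> : USERID : <opsys> : <userid>' or
    '<local>, <remote> : ERROR : <error-type>'. Returns None if malformed."""
    fields = [f.strip() for f in line.strip().split(":")]
    if len(fields) < 3:
        return None
    ports = [p.strip() for p in fields[0].split(",")]
    if len(ports) != 2 or not all(p.isdigit() for p in ports):
        return None
    local_port, remote_port = int(ports[0]), int(ports[1])
    kind = fields[1]
    if kind == "USERID" and len(fields) >= 4:
        # A userid may itself contain ':', so rejoin everything after opsys.
        return {"local_port": local_port, "remote_port": remote_port,
                "kind": kind, "opsys": fields[2], "userid": ":".join(fields[3:])}
    if kind == "ERROR":
        return {"local_port": local_port, "remote_port": remote_port,
                "kind": kind, "error": fields[2]}
    return None


def flag_irc_idents(replies):
    """replies: iterable of (host, raw_reply). Returns (host, remote_port,
    userid) for every well-formed USERID reply that points at an IRC port."""
    flagged = []
    for host, raw in replies:
        info = parse_ident_reply(raw)
        if info and info["kind"] == "USERID" and info["remote_port"] in IRC_PORTS:
            flagged.append((host, info["remote_port"], info["userid"]))
    return flagged


# Constructed sample replies; the first mirrors the capture quoted in the thread.
SAMPLE_REPLIES = [
    ("10.0.0.5", "1374, 6667 : USERID : UNIX : nrwev"),  # outbound IRC: flag
    ("10.0.0.6", "1025, 80 : USERID : UNIX : alice"),    # ordinary web session
    ("10.0.0.7", "0, 0 : ERROR : NO-USER"),               # RFC 1413 error reply
    ("10.0.0.8", "garbage"),                              # malformed, skipped
]

if __name__ == "__main__":
    for host, port, user in flag_irc_idents(SAMPLE_REPLIES):
        print(f"{host}: ident reports a connection to IRC port {port} as {user}")
```

An open port 113 on its own is not proof of anything; only the reply content pointing at an IRC port is what the check keys on, so feed it the raw replies rather than just the scan results.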
Current thread:
- Worm activity/port 445 Craig Blaha (Feb 04)
- <Possible follow-ups>
- Re: Worm activity/port 445 Matt Kirchhoff (Feb 04)
- Re: Worm activity/port 445 Kevin Pait (Feb 04)
- Re: Worm activity/port 445 Eric van Wiltenburg (Feb 04)
- Re: Worm activity/port 445 Gary Flynn (Feb 04)
- Re: Worm activity/port 445 Mark Wilson (Feb 04)
- Re: Worm activity/port 445 Peter Charbonneau (Feb 07)
- Re: Worm activity/port 445 Joseph Vieira (Feb 07)
- Re: Worm activity/port 445 Valdis Kletnieks (Feb 07)
- Re: Worm activity/port 445 Yantis, Jonathan Lindsey (Feb 07)
- Re: Worm activity/port 445 James Riden (Feb 07)