Re: Port: 27374 asp

["Forrester, Mike" <mforrester () HSACORP NET>]

We see a lot of Sub7 scans from both our customers and the Internet.  I'd
read carefully before you try installing it.  I've heard of difficulties in
removing it so make sure you are aware of what it does before you install
it.

I'm hoping to mess around with it on an isolated test system to mess with it
soon.

BTW - If you're having problems with anyone from 24.216.0.0 or 24.240.0.0,
send sections of your logs to abuse () hsacorp net and we'll look into it.

Mike Forrester - Systems Security Engineer
HSA Corp - Denver, CO USA

-----Original Message-----
From: Max0r
To: INCIDENTS () SECURITYFOCUS COM
Sent: 8/18/00 5:45 AM
Subject: Re: Port: 27374   asp

Port 27374 is used by the latest (2.1) release of the Sub7 trojan.
This trojan infects windows 9x/NT hosts.
The main distribution site for Sub7 is, sub7.slak.org. I suggest
downloading the client, and trying to connect to yourself.
If you _can_ connect to yourself without a password, you can remove
the trojan with the click of a mouse. Otherwise, try your antivirus
software.

-Max



On Thu, 17 Aug 2000, Tom Fischer wrote:

> veral
> adresses. I'm not afraid about that but don't know what services use
this
> port. I thought about a trojan but can't find anything. Can anybody
> tell something or explain me what services use 27374.
>
> Thx
>
> Tom Fischer
>
> From owner-incidents () SECURITYFOCUS COM  Fri Aug 18 02:03:05 2000
> Return-Path: <owner-incidents () SECURITYFOCUS COM>
> Received: from lists.securityfocus.com (lists.securityfocus.com
[207.126.127.68])
>       by server5.creative-webs.com (8.9.3/8.9.3) with ESMTP id
CAA06877
>       for <max0r () SERVER5 CREATIVE-WEBS COM>; Fri, 18 Aug 2000 02:03:05
-0600
> Received: from lists.securityfocus.com (lists.securityfocus.com
[207.126.127.68])
>       by lists.securityfocus.com (Postfix) with ESMTP
>       id 7A3D72128B; Thu, 17 Aug 2000 23:36:41 -0700 (PDT)
> Received: from LISTS.SECURITYFOCUS.COM by LISTS.SECURITYFOCUS.COM
>           (LISTSERV-TCP/IP release 1.8d) with spool id 11715029 for
>           INCIDENTS () LISTS SECURITYFOCUS COM; Thu, 17 Aug 2000 23:36:22
-0700
> Approved-By: aleph1 () SECURITYFOCUS COM
> Delivered-To: incidents () lists securityfocus com
> Received: from securityfocus.com (mail.securityfocus.com
[207.126.127.78]) by
>           lists.securityfocus.com (Postfix) with SMTP id 8AB0C1F22D
for
>           <incidents () lists securityfocus com>; Wed, 16 Aug 2000
06:39:16 -0700
>           (PDT)
> Received: (qmail 11849 invoked by alias); 16 Aug 2000 13:40:07 -0000
> Delivered-To: INCIDENTS () SECURITYFOCUS COM
> Received: (qmail 11846 invoked from network); 16 Aug 2000 13:40:07
-0000
> Received: from c014-h023.c014.sfo.cp.net (HELO c014.sfo.cp.net)
(209.228.12.87)
>           by mail.securityfocus.com with SMTP; 16 Aug 2000 13:40:07
-0000
> Received: (cpmta 2372 invoked from network); 16 Aug 2000 06:39:14
-0700
> Received: from 3ff82a41.dsl.flashcom.net (HELO SentelleD)
(63.248.42.65) by
>           smtp.flashcom.net with SMTP; 16 Aug 2000 06:39:14 -0700
> X-Sent: 16 Aug 2000 13:39:14 GMT
> MIME-Version: 1.0
> Content-Type: text/plain; charset="iso-8859-1"
> Content-Transfer-Encoding: 7bit
> X-Priority: 3 (Normal)
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
> Importance: Normal
> Message-ID:  <CBELLIBIKDHENCIBFJFMKEJKCDAA.CompuVeg () Columbus RR Com>
> Date:         Wed, 16 Aug 2000 09:36:27 -0400
> Reply-To: Computer Vegetable <CompuVeg () COLUMBUS RR COM>
> Sender: Incidents Mailing List <INCIDENTS () SECURITYFOCUS COM>
> From: Computer Vegetable <CompuVeg () COLUMBUS RR COM>
> Subject:      Sniffer on my network
> To: INCIDENTS () SECURITYFOCUS COM
> Status: RO
> X-Status:
> X-Keywords:
> X-UID: 27
>
> At my office I've recently installed a network monitoring package
called
> LanGuard.  One of the things this tool does is find network sniffers
on your
> network.  I didn't expect to see any, but as it turns out one of our
> workstations is showing up as a sniffer.
>
> I am unable to find any processes running on the machine with
unidentifiable
> sources.  I'm also unable to find any known Trojans or other viruses
on that
> machine.  The only odd thing that I have found is that anytime a
network
> cable is plugged into the workstation in question, the address
13.10.15.10
> shows up IMMEDIATELY in the ARP.
>
> Has anyone seen anything like this?  ARIN says the address is owned by
Xerox
> PARC, who's admin says that IP is theirs, but not currently in use.
>
> Thanks
>
> From owner-vuln-dev () SECURITYFOCUS COM  Fri Aug 18 02:19:38 2000
> Return-Path: <owner-vuln-dev () SECURITYFOCUS COM>
> Received: from lists.securityfocus.com (lists.securityfocus.com
[207.126.127.68])
>       by server5.creative-webs.com (8.9.3/8.9.3) with ESMTP id
CAA07696
>       for <max0r () SERVER5 CREATIVE-WEBS COM>; Fri, 18 Aug 2000 02:19:37
-0600
> Received: from lists.securityfocus.com (lists.securityfocus.com
[207.126.127.68])
>       by lists.securityfocus.com (Postfix) with ESMTP
>       id 8AAD123514; Fri, 18 Aug 2000 00:33:18 -0700 (PDT)
> Received: from LISTS.SECURITYFOCUS.COM by LISTS.SECURITYFOCUS.COM
>           (LISTSERV-TCP/IP release 1.8d) with spool id 11718849 for
>           VULN-DEV () LISTS SECURITYFOCUS COM; Fri, 18 Aug 2000 00:32:47
-0700
> Approved-By: BlueBoar () THIEVCO COM
> Delivered-To: vuln-dev () lists securityfocus com
> Received: from securityfocus.com (mail.securityfocus.com
[207.126.127.78]) by
>           lists.securityfocus.com (Postfix) with SMTP id 3E6E01EEBE
for
>           <vuln-dev () lists securityfocus com>; Thu, 17 Aug 2000
20:32:54 -0700
>           (PDT)
> Received: (qmail 18887 invoked by alias); 18 Aug 2000 03:33:47 -0000
> Delivered-To: VULN-DEV () SECURITYFOCUS COM
> Received: (qmail 18884 invoked from network); 18 Aug 2000 03:33:46
-0000
> Received: from fep4-orange.clear.net.nz (203.97.32.4) by
mail.securityfocus.com
>           with SMTP; 18 Aug 2000 03:33:46 -0000
> Received: from nick (b001-m003-p043.chch.clear.net.nz
[203.167.204.107]) by
>           fep4-orange.clear.net.nz (1.5/1.7) with SMTP id PAA00723;
Fri, 18 Aug
>           2000 15:32:42 +1200 (NZST)
> MIME-Version: 1.0
> Content-type: text/plain; charset=US-ASCII
> Content-transfer-encoding: 7BIT
> Priority: normal
> X-mailer: Pegasus Mail for Win32 (v2.53/R1)
> Message-ID:  <200008180332.PAA00723 () fep4-orange clear net nz>
> Date:         Fri, 18 Aug 2000 15:32:47 +1200
> Reply-To: nick () virus-l demon co uk
> Sender: VULN-DEV List <VULN-DEV () SECURITYFOCUS COM>
> Comments:     Authenticated sender is
>               <nick () virus-l demon co uk@pop3.demon.co.uk>
> From: Nick FitzGerald <nick () virus-l demon co uk>
> Organization: Personal account
> Subject:      Re: Whats this "repair.hta"
> To: VULN-DEV () SECURITYFOCUS COM
> Status: O
> X-Status:
> X-Keywords:
> X-UID: 28
>
> Mick Pollard once said:
>
> > This is my first post here. Hope someone can shed some light on
> > this for me. I just found this on my windblows box and is not sure
> > what it is \?? Anyone help me identify it ?? It is in my startup
> > folder. Its called "repair.hta"
>
> Unfortunately, the file itself does not necessarily help us know what
> is (or maybe "was") wrong with your setup.  That it is an HTA and
> maybe was in your Startup directory is a good hint.  Many HTAs are
> delivered there via the Scriptlet.TypeLib bug -- an ActiveX control
> that installs itself "safe for scripting" but which happily makes
> files with names and locations as specified by a script.  Microsoft
> only patched this a year ago, and judging from the number of people
> still getting infected with JS/Kak, I'd say not having the patch
> applied is about par for the course...
>
> The MS Security Bulletin on this is at:
>
>    http://www.microsoft.com/technet/security/bulletin/ms99-032.asp
>
>
> > I have included the source code. See attachment.
>
> Well, that allowed people to tell you what compromise you had been
> hit with due to receiving an Email or browsing a web page that
> exploits that hole, but it does not necessarily help in determining
> the actual security flaw in your machine...  We have seen several
> other droppers and drive-trashers delivered in what I suspect is
> the same way.
>
> [BTW, I'm not on this list, so if you want to respond *to me*, Email
> or CC me.]
>
>
> --
> Nick FitzGerald
> Computer Virus Consulting Ltd.
> Ph/FAX: +64 3 3529854
>
> From owner-incidents () SECURITYFOCUS COM  Fri Aug 18 02:28:42 2000
> Return-Path: <owner-incidents () SECURITYFOCUS COM>
> Received: from lists.securityfocus.com (lists.securityfocus.com [