Re: Unidentified Trojan?

[EPerrin () METROLAND COM (Elliot Perrin)]

I checked RFC 1700 and it says that port 542 is unassigned, however
my FreeBSD box /etc/services file says that port 542 is used for
ncp, which i have not seen before and am unfamiliar with.

Anyone know what ncp is, all I could find related to ncp as an acronymn was
network control protocol which was on a page related to PPP.

> -----Original Message-----
> From: Richard Ginski [mailto:rginski () CO PINELLAS FL US]
> Sent: May 18, 2000 11:55 AM
> To: INCIDENTS () SECURITYFOCUS COM
> Subject: Unidentified Trojan?
>
>
> We have been monitoring some strange activity regarding a
> possible trojan on some of our systems. Unfortunately, this
> explanation has to be long, in order to paint the whole picture:
>
> 1) We first noticed that there was a problem when we noticed
> that two of our INTERNAL DNS servers appeared to be affected
> by DNS cache poisoning. It was stumbled on accidentally when
> someone entered a typo in a URL (ommitting a ":" when
> specifying a port number to one of our intranet sites) and
> was re-directed to a porn site: 216.65.124.73
> (internalmachine.domain&portnumber). We figured it was cache
> poisoning because I could not fathom that the DNS servers
> would "learn" a host address for which there are no root servers for.
>
> 2) I checked our firewall logs as to who may have also
> (involuntarily) been connecting to this IP address
> (216.65.124.73) and found over 25 machines trying to connect
> to this site using different port numbers (not HTTP). First,
> the machines used ping (we don't allow outbound ping), then
> used various ports. Finally, the machines just tried to
> connect to this site using CIFS.
>
> It appears that once the machines are turned on, the "trojan"
> activity would begin. We tried to narrow down what could be
> causing this (activity went on for two days) then the
> activity ceased. Anti-virus software has always been
> installed on these machines (Inoculan) and we manually
> scanned one of the machines just to make sure the real time
> scanner did not miss anything. Nothing was found. The dates
> for which this occurred were 4/26 and 4/27. During those two
> days were able to restart/login to these machines and watch
> the activity a sniffer as we tried to determine the culprit.
>
> 3) We felt we had taken a number of precautions to prevent
> any further damage, including, notification when any more
> attempts were made to connect to the IP address 216.65.124.73.
>
> 4) Well, it started happening again on Tuesday of this week
> (5/16) and continued till yesterday (5/17). It appears that
> now the "destination port of choice" is TCP port 524 to the
> same IP address, for which I can not identify for any type of
> service. Approximately, 25 machines (different machines than
> the machines before, on different network segments)  were
> affected. Unlike before, we could not reboot/login to these
> machines and cause them to make additional connection
> attempts which seemed to stimulate the activity before.
>
> 5) Today (5/18), no connect attempts were made to
> 216.65.124.73. However, doing a search on destination port
> 524 revealed that machines are now trying to connect to some
> of our HTTP servers in our DMZ.
>
> All of the machines affected are Windows based (95/98 and NT).
>
> To the best of our knowledge, all attempts to connect to this
> outside address have failed due to our firewall.
>
> Has anyone had any experience with this behavior? Can anyone
> identify TCP port 524?
>
> Any input would be greatly appreciated!