Security Incidents mailing list archives

Re: Strange activity to a laptop?


From: Jay Random <scarbaci () YAHOO COM>
Date: Tue, 10 Oct 2000 20:43:43 -0000

> Hello everyone.
>
> (This is about as detailed as I can get without revealing too much)
>
> We have recently had a laptop from a consultant come into our network, no
> antivirus software, WinNT 4.0 WS, sp4!  Immediately, my firewall

Security isn't in the network, it's in the policy.

> picks up traffic from the outbound NAT IP on their network towards this
> machine.  Traffic looks like the snippet below.  At first I thought it might
> be SNMP traffic somehow - but it's not.  A detailed scan of the machine
> reveals it was listening on port 1029 (couldn't find anything open on that
> port).  I closed and disabled service after service, until I was only left

Did you remove the computer from the network?

> with NT's necessary functionality - and still port 1029 was open and
> listening.  I'm totally at a loss.  <snippet below>
>
> Does ANYONE have any GOOD tools for WinNT/Win2k to find out what port is
> bound to what executable/whatever?!  Secondly, are there programs that will
> allow you to effectively 'kill' services (GUI maybe?) that NT wouldn't
> ordinarily allow you to see (if hidden?).  Can someone provide me with some
> GOOD tools to start snooping around this laptop with?!  I haven't

If you are allowed to snoop around this computer, why aren't you allowed to
erase the image and start from scratch?

> been able to solve this problem - and it's generating TONS of traffic on our

This is a hostile box; you're doing more damage to others and yourself trying
to "secure" it than simply removing the cancer (kills its link to your
network).

> network (inbound) that has to be stopped by our firewall.

Have you looked at outbound yet?

> I contacted the admin on the other side, he's clueless so I can't

He should be wondering why you're portscanning him.

> even get a packet dump of machines sending to this particular one (since
> they're behind a single IP address/NAT).

The packet dump you need is on your own network.

This is a trojan horse (not a virus, but in the original sense).  An untrusted
outsider (if he's a consultant that should increase his untrustability) got
you to place his (if this isn't his you would have reinstalled it, right?)
computer onto your network.  It is his computer that is doing a portscan (UDP)
of another host (perhaps more internally).

If we look at the "source": the UDP packets are coming from numerous port
numbers in near sequence to your firewall.  Now from what you know of a port
scan, what would be the advantage of scanning FROM multiple ports TO a few
ports?  I believe the UDP packets you see are in reply to a portscan coming
from this nice friendly laptop.  Why are UDP packets returning on what are
most likely closed ports?  That's the interesting part.  Probably a
misconfigured firewall on their side, or maybe they have one with some neato
feature.  I suggest sniffing the return traffic and finding out if it has some
error message.

In the future I suggest having a security policy in place (and enforced) when
dealing with introducing outside (aka untrusted) equipment into your network.
(Remember 80% of all successful attacks are from the inside.)

The following is your dump with the source ports from 142-160 (19 ports); note
that only one packet was sent on each port (non-communication packets, aka
portscan); also their destination ports are all 1202-1204 (3 ports).

BTW if it turns out that this box was introduced by the consultant for
non-legal reasons, don't just terminate him, take him to court
(civil/criminal); the fewer scum like him are around the better.

09/22/2000 16:00:11.144 -     UDP packet dropped -       Source:63.83.16.70, 142,  Destination:63.140.xxx.xxx, 1202
09/22/2000 16:00:11.144 -     UDP packet dropped -       Source:63.83.16.70, 143,  Destination:63.140.xxx.xxx, 1202
09/22/2000 16:00:11.144 -     UDP packet dropped -       Source:63.83.16.70, 144,  Destination:63.140.xxx.xxx, 1202
09/22/2000 16:00:11.144 -     UDP packet dropped -       Source:63.83.16.70, 145,  Destination:63.140.xxx.xxx, 1202
09/22/2000 16:00:11.144 -     UDP packet dropped -       Source:63.83.16.70, 146,  Destination:63.140.xxx.xxx, 1202
09/22/2000 16:00:11.160 -     UDP packet dropped -       Source:63.83.16.70, 147,  Destination:63.140.xxx.xxx, 1202
...
09/22/2000 16:00:12.144 -     UDP packet dropped -       Source:63.83.16.70, 148,  Destination:63.140.xxx.xxx, 1203
09/22/2000 16:00:12.144 -     UDP packet dropped -       Source:63.83.16.70, 149,  Destination:63.140.xxx.xxx, 1203
09/22/2000 16:00:12.144 -     UDP packet dropped -       Source:63.83.16.70, 150,  Destination:63.140.xxx.xxx, 1203
09/22/2000 16:00:12.160 -     UDP packet dropped -       Source:63.83.16.70, 151,  Destination:63.140.xxx.xxx, 1203
09/22/2000 16:00:12.160 -     UDP packet dropped -       Source:63.83.16.70, 152,  Destination:63.140.xxx.xxx, 1203
09/22/2000 16:00:12.160 -     UDP packet dropped -       Source:63.83.16.70, 153,  Destination:63.140.xxx.xxx, 1203
09/22/2000 16:00:17.896 -     UDP packet dropped -       Source:63.83.16.70, 154,  Destination:63.140.xxx.xxx, 1203
...
09/22/2000 16:00:41.256 -     UDP packet dropped -       Source:63.83.16.70, 155,  Destination:63.140.xxx.xxx, 1204
09/22/2000 16:00:41.256 -     UDP packet dropped -       Source:63.83.16.70, 156,  Destination:63.140.xxx.xxx, 1204
09/22/2000 16:00:41.256 -     UDP packet dropped -       Source:63.83.16.70, 157,  Destination:63.140.xxx.xxx, 1204
09/22/2000 16:00:41.256 -     UDP packet dropped -       Source:63.83.16.70, 158,  Destination:63.140.xxx.xxx, 1204
09/22/2000 16:00:41.256 -     UDP packet dropped -       Source:63.83.16.70, 159,  Destination:63.140.xxx.xxx, 1204
09/22/2000 16:00:41.256 -     UDP packet dropped -       Source:63.83.16.70, 160,  Destination:63.140.xxx.xxx, 1204
09/22/2000 16:00:42.240 -     Possible Port Scan
...


> Ralph M. Los
> Internet Systems & Security Admin.
> EnvestNet Advisory Corp.
> (312) 827-3945 (direct)
> (312) 296-9003 (wireless)
> rlos () envestnet com
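As an added example (not code from either poster), here is a small parser for the firewall log format quoted in this thread that groups dropped UDP packets by source and destination address and checks for the pattern described above: many distinct source ports, only a few destination ports, and a single packet per source port. The sample lines are constructed in that format, modelled on the dump, and the thresholds in the heuristic are my assumption.

```python
import re
from collections import defaultdict

# Matches the firewall log format quoted in the thread (one line per dropped packet).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d+)\s+-\s+UDP packet dropped\s+-\s+"
    r"Source:(?P<src>[\w.]+),\s*(?P<sport>\d+),\s*Destination:(?P<dst>[\w.]+),\s*(?P<dport>\d+)\s*$"
)

# Constructed sample in that format (not the original log): 19 source ports
# 142-160, one packet each, towards only three destination ports 1202-1204.
SAMPLE_SCAN = [
    f"09/22/2000 16:00:{11 + (p - 142) // 7}.144 -     UDP packet dropped -       "
    f"Source:63.83.16.70, {p},  Destination:63.140.xxx.xxx, {1202 + (p - 142) // 7}"
    for p in range(142, 161)
]
# Constructed contrast: one source port talking repeatedly to one destination port.
SAMPLE_NORMAL = [
    f"09/22/2000 16:01:0{i}.000 -     UDP packet dropped -       "
    f"Source:63.83.16.70, 5000,  Destination:63.140.xxx.xxx, 1029"
    for i in range(5)
]

def parse_line(line):
    """Return (ts, src, sport, dst, dport), or None if the line is not a UDP drop."""
    m = LINE_RE.match(line.strip())
    return m and (m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))

def summarize(lines):
    """Group dropped UDP packets by (src, dst) and describe their port usage."""
    groups = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        groups[(rec[1], rec[3])].append((rec[2], rec[4]))
    summary = {}
    for key, pairs in groups.items():
        sports = [s for s, _ in pairs]
        summary[key] = {"packets": len(pairs), "src_ports": sorted(set(sports)),
                        "dst_ports": sorted({d for _, d in pairs}),
                        "one_packet_per_src_port": len(sports) == len(set(sports))}
    return summary

def looks_like_scan_replies(stats, min_src_ports=10, max_dst_ports=5):
    """Heuristic from the thread: many source ports, few destination ports,
    one packet per source port (the thresholds are an assumption)."""
    return (len(stats["src_ports"]) >= min_src_ports
            and len(stats["dst_ports"]) <= max_dst_ports
            and stats["one_packet_per_src_port"])
```

Feed the firewall's dropped-UDP lines to `summarize` and check each (src, dst) group with `looks_like_scan_replies`; a hit is worth capturing on your own side of the NAT, as suggested above.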
