Security Incidents mailing list archives
Re: Strange activity to a laptop?
From: Stephen Quigg <Stephen.Quigg () PACONSULTING COM>
Date: Thu, 12 Oct 2000 14:37:32 +0100
That the consultant was misguided enough to connect his laptop to an untrusted (by him) network speaks volumes in itself. Any company worth its salt, and thus worth employing consultants from, would have a policy in place to bar their employees from connecting their equipment to outside networks, and thus risking the integrity/security of his employer's company. I cannot imagine they would be delighted by his actions.

regards,
Stephen

Stephen Quigg
PA Consulting Group
+44 (0)141 241 6445
+44 (0)788 754 0020

DISCLAIMER: This e-mail contains proprietary information some or all of which may be legally privileged. It is for the intended recipient only. If an addressing or transmission error has misdirected this e-mail, please notify the author by replying to this e-mail. If you are not the intended recipient you must not use, disclose, distribute, copy, print, or rely on this e-mail.

-----Original Message-----
From: Jay Random [mailto:scarbaci () YAHOO COM]
Sent: 10 October 2000 21:44
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Strange activity to a laptop?
> Hello everyone. (This is about as detailed as I can get without
> revealing too much)
>
> We have recently had a laptop from a consultant come into our
> network, no antivirus software, WinNT 4.0 WS, sp4!

Security isn't in the network, it's in the policy.

> Immediately, my firewall picks up traffic from the outbound NAT IP on
> their network towards this machine. Traffic looks like the snippet
> below. At first I thought it might be SNMP traffic somehow - but it's
> not. A detailed scan of the machine reveals it was listening on port
> 1029 (couldn't find anything open on that port). I closed and
> disabled service after service, until I was only left

Did you remove the computer from the network?

> with NT's necessary functionality - and still port 1029 was open and
> listening. I'm totally at a loss. <snippet below>
>
> Does ANYONE have any GOOD tools for WinNT/Win2k to find out what port
> is bound to what executable/whatever?! Secondly, are there programs
> that will allow you to effectively 'kill' services (GUI maybe?) that
> NT wouldn't ordinarily allow you to see (if hidden?). Can someone
> provide me with some GOOD tools to start snooping around this laptop
> with?! I haven't

If you are allowed to snoop around this computer, why aren't you allowed to erase the image and start from scratch?

> been able to solve this problem - and it's generating TONS of traffic
> on our

This is a hostile box; you're doing more damage to others and yourself trying to "secure" it than simply removing the cancer (which kills its link to your network).

> network (inbound) that has to be stopped by our firewall.

Have you looked at outbound yet?

> I contacted the admin on the other side, he's clueless so I can't

He should be wondering why you're portscanning him.

> even get a packet dump of machines sending to this particular one
> (since they're behind a single IP address/NAT).

The packet dump you need is on your own network. This is a trojan horse (not a virus, but in the original sense). An untrusted outsider (if he's a consultant, that should increase his untrustability) got you to place his (if this isn't his, you would have reinstalled it, right?) computer onto your network. It is his computer that is doing a portscan (UDP) of another host (perhaps more internally). If we look at the "source": the UDP packets are coming from numerous port numbers, in near sequence, to your firewall. Now, from what you know of a port scan, what would be the advantage of scanning FROM multiple ports TO a few ports? I believe the UDP packets you see are in reply to a portscan coming from this nice friendly laptop. Why are UDP packets returning on what are most likely closed ports? That's the interesting part. Probably a misconfigured firewall on their side, or maybe they have one with some neato feature. I suggest sniffing the return traffic and finding out if it has some error message.

In the future I suggest having a security policy in place (and enforced) when dealing with introducing outside (aka untrusted) equipment into your network. (Remember, 80% of all successful attacks are from the inside.)

The following is your dump, with the source ports from 142-160 (19 ports). Note that only one packet was sent on each port (non-communication packets, aka portscan); also their destination ports are all 1202-1204 (3 ports). BTW, if it turns out that this box was introduced by the consultant for non-legal reasons, don't just terminate him, take him to court (civil/criminal); the less scum like him are around the better.
09/22/2000 16:00:11.144 - UDP packet dropped - Source:63.83.16.70, 142, Destination:63.140.xxx.xxx, 1202
09/22/2000 16:00:11.144 - UDP packet dropped - Source:63.83.16.70, 143, Destination:63.140.xxx.xxx, 1202
09/22/2000 16:00:11.144 - UDP packet dropped - Source:63.83.16.70, 144, Destination:63.140.xxx.xxx, 1202
09/22/2000 16:00:11.144 - UDP packet dropped - Source:63.83.16.70, 145, Destination:63.140.xxx.xxx, 1202
09/22/2000 16:00:11.144 - UDP packet dropped - Source:63.83.16.70, 146, Destination:63.140.xxx.xxx, 1202
09/22/2000 16:00:11.160 - UDP packet dropped - Source:63.83.16.70, 147, Destination:63.140.xxx.xxx, 1202
...
09/22/2000 16:00:12.144 - UDP packet dropped - Source:63.83.16.70, 148, Destination:63.140.xxx.xxx, 1203
09/22/2000 16:00:12.144 - UDP packet dropped - Source:63.83.16.70, 149, Destination:63.140.xxx.xxx, 1203
09/22/2000 16:00:12.144 - UDP packet dropped - Source:63.83.16.70, 150, Destination:63.140.xxx.xxx, 1203
09/22/2000 16:00:12.160 - UDP packet dropped - Source:63.83.16.70, 151, Destination:63.140.xxx.xxx, 1203
09/22/2000 16:00:12.160 - UDP packet dropped - Source:63.83.16.70, 152, Destination:63.140.xxx.xxx, 1203
09/22/2000 16:00:12.160 - UDP packet dropped - Source:63.83.16.70, 153, Destination:63.140.xxx.xxx, 1203
09/22/2000 16:00:17.896 - UDP packet dropped - Source:63.83.16.70, 154, Destination:63.140.xxx.xxx, 1203
...
09/22/2000 16:00:41.256 - UDP packet dropped - Source:63.83.16.70, 155, Destination:63.140.xxx.xxx, 1204
09/22/2000 16:00:41.256 - UDP packet dropped - Source:63.83.16.70, 156, Destination:63.140.xxx.xxx, 1204
09/22/2000 16:00:41.256 - UDP packet dropped - Source:63.83.16.70, 157, Destination:63.140.xxx.xxx, 1204
09/22/2000 16:00:41.256 - UDP packet dropped - Source:63.83.16.70, 158, Destination:63.140.xxx.xxx, 1204
09/22/2000 16:00:41.256 - UDP packet dropped - Source:63.83.16.70, 159, Destination:63.140.xxx.xxx, 1204
09/22/2000 16:00:41.256 - UDP packet dropped - Source:63.83.16.70, 160, Destination:63.140.xxx.xxx, 1204
09/22/2000 16:00:42.240 - Possible Port Scan
...
Ralph M. Los Internet Systems & Security Admin.
(312) 827-3945 (direct)
EnvestNet Advisory Corp.
(312) 296-9003 (wireless)
rlos () envestnet com
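The pattern Jay Random reads out of the dump above (one packet per source port, source ports near-sequential, only a handful of destination ports) can be checked mechanically rather than by eye. The Python script below is an added example written for this archive page; it is not code from the thread or from any of its participants. It embeds the firewall dump from the page as sample input, plus a second flow constructed here from the documentation address 198.51.100.7 to show the opposite shape (one source port fanning out over many destination ports), so it goes a little beyond the single case in the thread. The `reply-to-scan` / `inbound-scan` labels, the `min_packets` and `max_dports` thresholds and the `likely_scanner` helper are all assumptions chosen to fit this log format, not features of any firewall product.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input. The 63.83.16.70 -> 63.140.xxx.xxx lines are the firewall dump
# quoted in the thread; the 198.51.100.7 lines are constructed for this example
# to show the ordinary scan shape (one source port, many destination ports).
SAMPLE_LOG = """\
09/22/2000 16:00:11.144 - UDP packet dropped - Source:63.83.16.70, 142, Destination:63.140.xxx.xxx, 1202
09/22/2000 16:00:11.144 - UDP packet dropped - Source:63.83.16.70, 143, Destination:63.140.xxx.xxx, 1202
09/22/2000 16:00:11.144 - UDP packet dropped - Source:63.83.16.70, 144, Destination:63.140.xxx.xxx, 1202
09/22/2000 16:00:11.144 - UDP packet dropped - Source:63.83.16.70, 145, Destination:63.140.xxx.xxx, 1202
09/22/2000 16:00:11.144 - UDP packet dropped - Source:63.83.16.70, 146, Destination:63.140.xxx.xxx, 1202
09/22/2000 16:00:11.160 - UDP packet dropped - Source:63.83.16.70, 147, Destination:63.140.xxx.xxx, 1202
09/22/2000 16:00:12.144 - UDP packet dropped - Source:63.83.16.70, 148, Destination:63.140.xxx.xxx, 1203
09/22/2000 16:00:12.144 - UDP packet dropped - Source:63.83.16.70, 149, Destination:63.140.xxx.xxx, 1203
09/22/2000 16:00:12.144 - UDP packet dropped - Source:63.83.16.70, 150, Destination:63.140.xxx.xxx, 1203
09/22/2000 16:00:12.160 - UDP packet dropped - Source:63.83.16.70, 151, Destination:63.140.xxx.xxx, 1203
09/22/2000 16:00:12.160 - UDP packet dropped - Source:63.83.16.70, 152, Destination:63.140.xxx.xxx, 1203
09/22/2000 16:00:12.160 - UDP packet dropped - Source:63.83.16.70, 153, Destination:63.140.xxx.xxx, 1203
09/22/2000 16:00:17.896 - UDP packet dropped - Source:63.83.16.70, 154, Destination:63.140.xxx.xxx, 1203
09/22/2000 16:00:41.256 - UDP packet dropped - Source:63.83.16.70, 155, Destination:63.140.xxx.xxx, 1204
09/22/2000 16:00:41.256 - UDP packet dropped - Source:63.83.16.70, 156, Destination:63.140.xxx.xxx, 1204
09/22/2000 16:00:41.256 - UDP packet dropped - Source:63.83.16.70, 157, Destination:63.140.xxx.xxx, 1204
09/22/2000 16:00:41.256 - UDP packet dropped - Source:63.83.16.70, 158, Destination:63.140.xxx.xxx, 1204
09/22/2000 16:00:41.256 - UDP packet dropped - Source:63.83.16.70, 159, Destination:63.140.xxx.xxx, 1204
09/22/2000 16:00:41.256 - UDP packet dropped - Source:63.83.16.70, 160, Destination:63.140.xxx.xxx, 1204
09/22/2000 16:00:42.240 - Possible Port Scan
09/22/2000 16:05:00.000 - UDP packet dropped - Source:198.51.100.7, 40000, Destination:63.140.xxx.xxx, 135
09/22/2000 16:05:00.010 - UDP packet dropped - Source:198.51.100.7, 40000, Destination:63.140.xxx.xxx, 136
09/22/2000 16:05:00.020 - UDP packet dropped - Source:198.51.100.7, 40000, Destination:63.140.xxx.xxx, 137
09/22/2000 16:05:00.030 - UDP packet dropped - Source:198.51.100.7, 40000, Destination:63.140.xxx.xxx, 138
09/22/2000 16:05:00.040 - UDP packet dropped - Source:198.51.100.7, 40000, Destination:63.140.xxx.xxx, 139
09/22/2000 16:05:00.050 - UDP packet dropped - Source:198.51.100.7, 40000, Destination:63.140.xxx.xxx, 140
09/22/2000 16:05:00.060 - UDP packet dropped - Source:198.51.100.7, 40000, Destination:63.140.xxx.xxx, 141
09/22/2000 16:05:00.070 - UDP packet dropped - Source:198.51.100.7, 40000, Destination:63.140.xxx.xxx, 142
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) - (?P<proto>[A-Z]+) packet dropped"
    r" - Source:(?P<sip>[\d.]+), (?P<sport>\d+), Destination:(?P<dip>[\w.]+), (?P<dport>\d+)$"
)


def parse_log(text):
    """Parse 'packet dropped' lines into dicts. Summary lines such as
    'Possible Port Scan' and '...' elisions do not match and are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S.%f"),
            "proto": m["proto"],
            "sip": m["sip"], "sport": int(m["sport"]),
            "dip": m["dip"], "dport": int(m["dport"]),
        })
    return events


def classify_flows(events, min_packets=6, max_dports=3):
    """Group drops by (source IP, destination IP, protocol) and label each group.

    'reply-to-scan': every source port used exactly once, source ports
      near-sequential, all aimed at a few destination ports. That is the shape
      Jay Random points at: under his reading the host behind the *destination*
      address swept ports 142-160 from three ports of its own, and these drops
      are the answers coming back.
    'inbound-scan': one or a few source ports fanning out over many destination
      ports, the ordinary shape where the source address is the scanner.
    The thresholds are assumptions chosen to fit the dump on the page.
    """
    groups = defaultdict(list)
    for e in events:
        groups[(e["sip"], e["dip"], e["proto"])].append(e)

    verdicts = {}
    for key, evs in groups.items():
        if len(evs) < min_packets:
            continue
        sports = sorted(e["sport"] for e in evs)
        dports = sorted({e["dport"] for e in evs})
        one_packet_per_sport = len(set(sports)) == len(sports)
        # "near-sequential": span of source ports at most twice their count
        near_sequential = (sports[-1] - sports[0] + 1) <= 2 * len(sports)
        if one_packet_per_sport and near_sequential and len(dports) <= max_dports:
            verdict = "reply-to-scan"
        elif len(set(sports)) <= max_dports and len(dports) >= min_packets:
            verdict = "inbound-scan"
        else:
            verdict = "unclassified"
        verdicts[key] = {
            "verdict": verdict,
            "packets": len(evs),
            "sport_range": (sports[0], sports[-1]),
            "dports": dports,
            "first": evs[0]["ts"], "last": evs[-1]["ts"],
        }
    return verdicts


def likely_scanner(key, info):
    """Which address to go looking behind for the scanner: for a reply-to-scan
    it is the destination side (the laptop, in the thread), otherwise the source."""
    sip, dip, _ = key
    return dip if info["verdict"] == "reply-to-scan" else sip


if __name__ == "__main__":
    for key, info in classify_flows(parse_log(SAMPLE_LOG)).items():
        print(key, info["verdict"], "look behind:", likely_scanner(key, info),
              "sports", info["sport_range"], "dports", info["dports"])
```

The useful output is the `likely_scanner` answer: for the page's dump it points back at the destination side, which is where Jay Random says the packet capture has to be taken. A lone source port sweeping many destination ports, as in the constructed 198.51.100.7 flow, is the shape where the remote address really is the scanner.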
Current thread:
- Strange activity to a laptop? LOS Ralph (Oct 05)
- Re: Strange activity to a laptop? Stefan Wagner (Oct 06)
- <Possible follow-ups>
- Re: Strange activity to a laptop? Johnson, Greg (Oct 06)
- Re: Strange activity to a laptop? Lastname, Firstname (Oct 06)
- Re: Strange activity to a laptop? Frank Knobbe (Oct 08)
- Re: Strange activity to a laptop? Jay Random (Oct 11)
- Re: Strange activity to a laptop? Stephen Quigg (Oct 12)