Security Incidents mailing list archives

Re: Strange activity to a laptop?


From: Stephen Quigg <Stephen.Quigg () PACONSULTING COM>
Date: Thu, 12 Oct 2000 14:37:32 +0100

That the consultant was misguided enough to connect his laptop to an
untrusted (by him) network speaks volumes in itself.

Any company worth its salt, and thus worth employing consultants from,
would have a policy in place to bar its employees from connecting their
equipment to outside networks, and thus risking the integrity/security of
the employee's company. I cannot imagine they would be delighted by his
actions.

regards,
Stephen

Stephen Quigg
PA Consulting Group
+44 (0)141 241 6445
+44 (0)788 754 0020

DISCLAIMER: This e-mail contains proprietary information some or all of
which may be legally privileged.  It is for the intended recipient only.
If an addressing or transmission error has misdirected this e-mail,
please notify the author by replying to this e-mail.  If you are not the
intended recipient you must not use, disclose, distribute, copy, print,
or rely on this e-mail.


-----Original Message-----
From: Jay Random [mailto:scarbaci () YAHOO COM]
Sent: 10 October 2000 21:44
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Strange activity to a laptop?


Hello everyone.

(This is about as detailed as I can get without revealing too much)

We have recently had a laptop from a consultant come into our network, no antivirus software, WinNT 4.0 WS, sp4!  Immediately, my firewall

security isn't in the network, it's in the policy.

picks up traffic from the outbound NAT IP on their network towards this machine.  Traffic looks like the snippet below.  At first I thought it might be SNMP traffic somehow - but it's not.  A detailed scan of the machine reveals it was listening on port 1029 (couldn't find anything open on that port).  I closed and disabled service after service, until I was only left

did you remove the computer from the network?

with NT's necessary functionality - and still port 1029 was open and listening.  I'm totally at a loss.  <snippet below>

Does ANYONE have any GOOD tools for WinNT/Win2k to find out what port is bound to what executable/whatever?!  Secondly, are there programs that will allow you to effectively 'kill' services (GUI maybe?) that NT wouldn't ordinarily allow you to see (if hidden?).  Can someone provide me with some GOOD tools to start snooping around this laptop with?!  I haven't

if you are allowed to snoop around this computer, why aren't you allowed to erase the image and start from scratch?

been able to solve this problem - and it's generating TONS of traffic on our

this is a hostile box, you're doing more damage to others and yourself trying to "secure" it than simply removing the cancer (kills its link to your network)

network (inbound) that has to be stopped by our firewall.

have you looked at outbound yet?


I contacted the admin on the other side, he's clueless so I can't

he should be wondering why you're portscanning him.

even get a packet dump of machines sending to this particular one (since they're behind a single IP address/NAT).

the packet dump you need is on your own network.

This is a trojan horse (not virus, but in the original sense).  An untrusted outsider (if he's a consultant that should increase his untrustability) got you to place his (if this isn't his you would have reinstalled it, right?) computer onto your network.  It is his computer that is doing a portscan (UDP) of another host (perhaps more internally).

If we look at the "source": the UDP packets are coming from numerous port numbers in near sequence to your firewall.  Now from what you know of a port scan, what would be the advantage of scanning FROM multiple ports TO a few ports?  I believe the UDP packets you see are in reply to a portscan coming from this nice friendly laptop.  Why are UDP packets returning on what are most likely closed ports?  That's the interesting part.  Probably a misconfigured firewall on their side, or maybe they have one with some neato feature.  I suggest sniffing the return traffic and finding out if it has some error message.

In the future I suggest having a security policy in place (and enforced) when dealing with introducing outside (aka untrusted) equipment into your network. (Remember 80% of all successful attacks are from the inside.)

The following is your dump with the source ports from 142-160 (19 ports); note that only one packet was sent on each port (non-communication packets, aka portscan), and also that their destination ports are all 1202-1204 (3 ports).

BTW if it turns out that this box was introduced by the consultant for non-legal reasons, don't just terminate him, take him to court (civil/criminal); the fewer scum like him are around the better.

09/22/2000 16:00:11.144 -     UDP packet dropped -       Source:63.83.16.70, 142,  Destination:63.140.xxx.xxx, 1202
09/22/2000 16:00:11.144 -     UDP packet dropped -       Source:63.83.16.70, 143,  Destination:63.140.xxx.xxx, 1202
09/22/2000 16:00:11.144 -     UDP packet dropped -       Source:63.83.16.70, 144,  Destination:63.140.xxx.xxx, 1202
09/22/2000 16:00:11.144 -     UDP packet dropped -       Source:63.83.16.70, 145,  Destination:63.140.xxx.xxx, 1202
09/22/2000 16:00:11.144 -     UDP packet dropped -       Source:63.83.16.70, 146,  Destination:63.140.xxx.xxx, 1202
09/22/2000 16:00:11.160 -     UDP packet dropped -       Source:63.83.16.70, 147,  Destination:63.140.xxx.xxx, 1202
...
09/22/2000 16:00:12.144 -     UDP packet dropped -       Source:63.83.16.70, 148,  Destination:63.140.xxx.xxx, 1203
09/22/2000 16:00:12.144 -     UDP packet dropped -       Source:63.83.16.70, 149,  Destination:63.140.xxx.xxx, 1203
09/22/2000 16:00:12.144 -     UDP packet dropped -       Source:63.83.16.70, 150,  Destination:63.140.xxx.xxx, 1203
09/22/2000 16:00:12.160 -     UDP packet dropped -       Source:63.83.16.70, 151,  Destination:63.140.xxx.xxx, 1203
09/22/2000 16:00:12.160 -     UDP packet dropped -       Source:63.83.16.70, 152,  Destination:63.140.xxx.xxx, 1203
09/22/2000 16:00:12.160 -     UDP packet dropped -       Source:63.83.16.70, 153,  Destination:63.140.xxx.xxx, 1203
09/22/2000 16:00:17.896 -     UDP packet dropped -       Source:63.83.16.70, 154,  Destination:63.140.xxx.xxx, 1203
...
09/22/2000 16:00:41.256 -     UDP packet dropped -       Source:63.83.16.70, 155,  Destination:63.140.xxx.xxx, 1204
09/22/2000 16:00:41.256 -     UDP packet dropped -       Source:63.83.16.70, 156,  Destination:63.140.xxx.xxx, 1204
09/22/2000 16:00:41.256 -     UDP packet dropped -       Source:63.83.16.70, 157,  Destination:63.140.xxx.xxx, 1204
09/22/2000 16:00:41.256 -     UDP packet dropped -       Source:63.83.16.70, 158,  Destination:63.140.xxx.xxx, 1204
09/22/2000 16:00:41.256 -     UDP packet dropped -       Source:63.83.16.70, 159,  Destination:63.140.xxx.xxx, 1204
09/22/2000 16:00:41.256 -     UDP packet dropped -       Source:63.83.16.70, 160,  Destination:63.140.xxx.xxx, 1204
09/22/2000 16:00:42.240 -     Possible Port Scan
...


Ralph M. Los
Internet Systems & Security Admin.
EnvestNet Advisory Corp.
(312) 827-3945 (direct)
(312) 296-9003 (wireless)
rlos () envestnet com
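An added example, not part of any message in this thread: a small Python parser for the firewall log format quoted above that applies the heuristic Jay argues (many near-sequential source ports, one packet each, toward only a few destination ports) to decide which end of the flow is the host worth inspecting. The sample lines are constructed to mirror the dump's ports and redacted addresses; the verdict labels and the `min_ports` threshold are assumptions, not an established rule.

```python
import re
from collections import defaultdict

# Layout of the firewall log quoted in the thread, one record per line:
# "<date> <time> - UDP packet dropped - Source:<ip>, <port>, Destination:<ip>, <port>"
LOG_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+-\s+UDP packet dropped\s+-\s+"
    r"Source:(?P<src>[\w.]+),\s*(?P<sport>\d+),\s*"
    r"Destination:(?P<dst>[\w.]+),\s*(?P<dport>\d+)"
)

def _sample_line(sport):
    """Constructed log line mirroring the thread's dump (redacted IPs kept as-is)."""
    dport = 1202 if sport <= 147 else 1203 if sport <= 154 else 1204
    sec = {1202: 11, 1203: 12, 1204: 41}[dport]
    return ("09/22/2000 16:00:%02d.144 -     UDP packet dropped -       "
            "Source:63.83.16.70, %d,  Destination:63.140.xxx.xxx, %d" % (sec, sport, dport))

# 19 source ports (142-160) toward 3 destination ports (1202-1204), as in the dump,
# plus the non-matching summary line the firewall appended.
SAMPLE_LOG = [_sample_line(p) for p in range(142, 161)] + \
             ["09/22/2000 16:00:42.240 -     Possible Port Scan"]

def parse(lines):
    """Yield (src, sport, dst, dport) for dropped-UDP records; skip other lines."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"])

def classify(lines, min_ports=10):
    """Per (src, dst) pair, apply the thread's heuristic (an assumption, not a proof).
    Many destination ports from few source ports: a scan sent BY src.
    Many distinct, near-sequential source ports, one packet each, toward a few
    destination ports: the mirror image, i.e. replies to probes sent BY dst,
    so dst is the host to inspect. Anything else is left undetermined."""
    by_sport = defaultdict(lambda: defaultdict(int))
    by_dport = defaultdict(set)
    for src, sport, dst, dport in parse(lines):
        by_sport[(src, dst)][sport] += 1
        by_dport[(src, dst)].add(dport)
    findings = {}
    for pair, sports in by_sport.items():
        n_src, n_dst = len(sports), len(by_dport[pair])
        one_each = max(sports.values()) == 1
        sequential = (max(sports) - min(sports) + 1) <= n_src + 2  # allow a couple of gaps
        if n_dst >= min_ports and n_src < n_dst:
            verdict = "scan_from_src"
        elif n_src >= min_ports and one_each and sequential and n_dst < n_src:
            verdict = "replies_to_probes_from_dst"
        else:
            verdict = "undetermined"
        findings[pair] = {"src_ports": n_src, "dst_ports": n_dst, "one_packet_per_src_port": one_each,
                          "sequential_src_ports": sequential, "verdict": verdict}
    return findings
```

Run against a real export, a `replies_to_probes_from_dst` verdict is only a pointer to capture the inbound traffic on your own segment (as Jay suggests) and check the flagged internal host, not a conclusion by itself.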



