Security Incidents mailing list archives

RE: TCP port 139 probes

From: Pavel Kankovsky <peak () argo troja mff cuni cz>
Date: Wed, 10 Jul 2002 11:18:23 +0200 (MET DST)

On Wed, 10 Jul 2002, Dan Irwin wrote:

At least one of these machines appeared to be insecure and i could
enumerate shares etc with smbclient -L.


Bingo. I looked at some of the source addresses and saw windows
9x machines with publicly accesible shares (I could access them using 
an empty username and password). In two or three cases, I checked whether
the share was writable and it was. Having done a superficial examination
of system directories on those machines (they had a publicly accesible
share, ergo I was invited, wasn't I? <g>) I found some wierd files on one
of those machines:

  winhlp32.exe                        A   317440  Fri Jul  5 15:43:08 2002
  notepad.exe                         A   317440  Fri Jul  5 15:43:08 2002
  control.exe                         A   317440  Fri Jul  5 15:43:08 2002
  scanregw.exe                        A   317440  Fri Jul  5 15:43:08 2002
  ifnhlp.sys                          A   317440  Tue Jul  9 22:20:00 2002
  scanregw.exe                        A   317440  Fri Jul  5 15:43:40 2002
  loadpe.com                          A   317440  Fri Jul  5 15:43:40 2002
  msiexec.exe                         A   317440  Fri Jul  5 15:43:08 2002
  wf2k.exe                            A   317440  Fri Jul  5 15:43:40 2002

I downloaded 3 of them and they all seem to be compressed executables
having a common prefix, and there are some fragments of strings ("rom",
"y smt", ") with", "ESM", "Mime-", "-Typ", "quit" etc) in that common
prefix suggesting there is some SMTP implementation there--presumably
some kind of malware able to spread via email.

But I did not find anything similar on other machines I examined.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

TCP port 139 probes Pavel Kankovsky (Jul 09)
- Re: TCP port 139 probes H C (Jul 09)
- <Possible follow-ups>
- RE: TCP port 139 probes Dan Irwin (Jul 09)
  - RE: TCP port 139 probes Pavel Kankovsky (Jul 10)
    - RE: TCP port 139 probes Brenna Primrose (Jul 10)
    - RE: TCP port 139 probes H C (Jul 10)
    - RE: TCP port 139 probes Ryan Russell (Jul 12)