Security Incidents mailing list archives

RE: TCP 1025 scanning worm?


From: "George M. Garner Jr." <gmgarner () erols com>
Date: Fri, 19 Jul 2002 10:20:11 -0400

HC,

Actually, the endpoint map is on tcp 135 on MS Windows boxes.  But I
have never tried it through a firewall before, so I don't know.  It
might use tcp 139/145 SMB traffic.

Tcp port 1025 is being hosted by the task scheduler on this w2k box.
Running "rpcdump.exe -v -i" I get the following endpoint information:

ProtSeq:ncacn_ip_tcp
Endpoint:1025
NetOpt:
Annotation:
IsListening:YES
StringBinding:ncacn_ip_tcp:192.168.217.200[1025]
UUID:378e52b0-c0a9-11cf-822d-00aa0051e40f
ComTimeOutValue:RPC_C_BINDING_DEFAULT_TIMEOUT
VersMajor 1  VersMinor 0

ProtSeq:ncacn_ip_tcp
Endpoint:1025
NetOpt:
Annotation:
IsListening:YES
StringBinding:ncacn_ip_tcp:66.44.7.46[1025]
UUID:378e52b0-c0a9-11cf-822d-00aa0051e40f
ComTimeOutValue:RPC_C_BINDING_DEFAULT_TIMEOUT
VersMajor 1  VersMinor 0

ProtSeq:ncacn_ip_tcp
Endpoint:1025
NetOpt:
Annotation:
IsListening:YES
StringBinding:ncacn_ip_tcp:192.168.217.200[1025]
UUID:1ff70682-0a51-30e8-076d-740be8cee98b
ComTimeOutValue:RPC_C_BINDING_DEFAULT_TIMEOUT
VersMajor 1  VersMinor 0

ProtSeq:ncacn_ip_tcp
Endpoint:1025
NetOpt:
Annotation:
IsListening:YES
StringBinding:ncacn_ip_tcp:66.44.7.46[1025]
UUID:1ff70682-0a51-30e8-076d-740be8cee98b
ComTimeOutValue:RPC_C_BINDING_DEFAULT_TIMEOUT
VersMajor 1  VersMinor 0

Perhaps someone is looking for a poorly configured Windows box on which
to schedule a task.  :-)

Regards,

George. 

-----Original Message-----
From: H C [mailto:keydet89 () yahoo com] 
Sent: Thursday, July 18, 2002 10:34 PM
To: George M. Garner Jr.
Subject: Re: TCP 1025 scanning worm?

George,

Will that work in all cases, or only if port 111 is open?

HC


--- "George M. Garner Jr." <gmgarner () erols com> wrote:
HC,

Running rpcdump.exe from the resource kit also might clear things up.  It
will show what interface is being advertised over that port.

Regards,

George.

----- Original Message -----
From: "H C" <keydet89 () yahoo com>
To: <incidents () securityfocus com>
Cc: <rdump () river com>
Sent: Thursday, July 18, 2002 2:36 PM
Subject: re: TCP 1025 scanning worm?


The sources are all Windows boxes listening on TCP port 1025.

Not surprising at all.  MS has documentation that states that the ports
from 1025-1030 are used by RPC.

Have you checked your own machine w/ fport?  I've got ports open in that
range on my system right now, but they're all used by MS processes.

The ramp up in volume from widely separated source IPs looks wormy.

How so?  The log extract you provided doesn't show any data...it looks as
if the initial SYN packet was denied.  This could easily be a port scanner.





----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com






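To turn the rpcdump listing quoted in this thread into something a responder can compare across hosts, here is an added example (not part of the thread, and not Resource Kit code) that parses `rpcdump.exe -v -i` output into an endpoint inventory and reports which interface UUIDs are advertised on a port and on which addresses. The record layout (blank-line separated `Key:Value` blocks plus a `VersMajor n  VersMinor m` line) is assumed from the output quoted above; the sample input is that same output, with no interpretation added of which UUID belongs to which service.

```python
"""Parse `rpcdump.exe -v -i` output into an RPC endpoint inventory.

Added example; the record layout is assumed from the output quoted in the
thread above, and SAMPLE is that output verbatim.
"""
import re
from collections import defaultdict

# Sample input: the four records quoted in the message above.
SAMPLE = """\
ProtSeq:ncacn_ip_tcp
Endpoint:1025
NetOpt:
Annotation:
IsListening:YES
StringBinding:ncacn_ip_tcp:192.168.217.200[1025]
UUID:378e52b0-c0a9-11cf-822d-00aa0051e40f
ComTimeOutValue:RPC_C_BINDING_DEFAULT_TIMEOUT
VersMajor 1  VersMinor 0

ProtSeq:ncacn_ip_tcp
Endpoint:1025
NetOpt:
Annotation:
IsListening:YES
StringBinding:ncacn_ip_tcp:66.44.7.46[1025]
UUID:378e52b0-c0a9-11cf-822d-00aa0051e40f
ComTimeOutValue:RPC_C_BINDING_DEFAULT_TIMEOUT
VersMajor 1  VersMinor 0

ProtSeq:ncacn_ip_tcp
Endpoint:1025
NetOpt:
Annotation:
IsListening:YES
StringBinding:ncacn_ip_tcp:192.168.217.200[1025]
UUID:1ff70682-0a51-30e8-076d-740be8cee98b
ComTimeOutValue:RPC_C_BINDING_DEFAULT_TIMEOUT
VersMajor 1  VersMinor 0

ProtSeq:ncacn_ip_tcp
Endpoint:1025
NetOpt:
Annotation:
IsListening:YES
StringBinding:ncacn_ip_tcp:66.44.7.46[1025]
UUID:1ff70682-0a51-30e8-076d-740be8cee98b
ComTimeOutValue:RPC_C_BINDING_DEFAULT_TIMEOUT
VersMajor 1  VersMinor 0
"""

VERS_RE = re.compile(r"VersMajor\s+(\d+)\s+VersMinor\s+(\d+)")
BINDING_RE = re.compile(r"ncacn_ip_tcp:([^\[]+)\[(\d+)\]")


def parse_rpcdump(text):
    """Split the output into blank-line separated records; return a list of dicts."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            line = line.strip()
            m = VERS_RE.match(line)
            if m:  # the version line has no colon, so handle it separately
                rec["Version"] = f"{m.group(1)}.{m.group(2)}"
                continue
            key, sep, value = line.partition(":")
            if sep:
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


def endpoints_by_port(records, protseq="ncacn_ip_tcp"):
    """Map each listening TCP port to the set of (uuid, version) pairs on it."""
    out = defaultdict(set)
    for r in records:
        if r.get("ProtSeq") == protseq and r.get("IsListening") == "YES":
            out[int(r["Endpoint"])].add((r["UUID"].lower(), r.get("Version", "?")))
    return dict(out)


def interfaces_on_port(records, port):
    """Sorted interface UUIDs advertised on `port`."""
    return sorted(uuid for uuid, _ in endpoints_by_port(records).get(port, set()))


def bindings_for(records, port):
    """Distinct addresses `port` is bound on; shows whether an endpoint is
    reachable on an external address as well as an internal one."""
    addrs = set()
    for r in records:
        m = BINDING_RE.match(r.get("StringBinding", ""))
        if m and int(m.group(2)) == port:
            addrs.add(m.group(1))
    return sorted(addrs)


if __name__ == "__main__":
    recs = parse_rpcdump(SAMPLE)
    for port, ifaces in sorted(endpoints_by_port(recs).items()):
        print(f"tcp/{port}: {len(ifaces)} interface(s) bound on {bindings_for(recs, port)}")
        for uuid, ver in sorted(ifaces):
            print(f"    {uuid} v{ver}")
```

Run against a saved `rpcdump -v -i` listing from each host, the per-port UUID set is what to diff between a known-good box and a suspect one; a port in the 1025-1030 range that carries only Microsoft interface UUIDs bound on the expected addresses is the benign case H C describes, while an unfamiliar UUID or a binding on an address that should not be exposed is what merits a closer look.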

