Security Incidents mailing list archives
RE: TCP 1025 scanning worm?
From: "George M. Garner Jr." <gmgarner () erols com>
Date: Fri, 19 Jul 2002 10:20:11 -0400
HC,

Actually, the endpoint map is on tcp 135 on MS Windows boxes. But I have never tried it through a firewall before, so I don't know. It might use tcp 139/145 SMB traffic. Tcp port 1025 is being hosted by the task scheduler on this w2k box. Running "rpcdump.exe -v -i" I get the following endpoint information:

ProtSeq:ncacn_ip_tcp Endpoint:1025 NetOpt: Annotation: IsListening:YES StringBinding:ncacn_ip_tcp:192.168.217.200[1025] UUID:378e52b0-c0a9-11cf-822d-00aa0051e40f ComTimeOutValue:RPC_C_BINDING_DEFAULT_TIMEOUT VersMajor 1 VersMinor 0
ProtSeq:ncacn_ip_tcp Endpoint:1025 NetOpt: Annotation: IsListening:YES StringBinding:ncacn_ip_tcp:66.44.7.46[1025] UUID:378e52b0-c0a9-11cf-822d-00aa0051e40f ComTimeOutValue:RPC_C_BINDING_DEFAULT_TIMEOUT VersMajor 1 VersMinor 0
ProtSeq:ncacn_ip_tcp Endpoint:1025 NetOpt: Annotation: IsListening:YES StringBinding:ncacn_ip_tcp:192.168.217.200[1025] UUID:1ff70682-0a51-30e8-076d-740be8cee98b ComTimeOutValue:RPC_C_BINDING_DEFAULT_TIMEOUT VersMajor 1 VersMinor 0
ProtSeq:ncacn_ip_tcp Endpoint:1025 NetOpt: Annotation: IsListening:YES StringBinding:ncacn_ip_tcp:66.44.7.46[1025] UUID:1ff70682-0a51-30e8-076d-740be8cee98b ComTimeOutValue:RPC_C_BINDING_DEFAULT_TIMEOUT VersMajor 1 VersMinor 0

Perhaps someone is looking for a poorly configured Windows box on which to schedule a task. :-)

Regards,

George.

-----Original Message-----
From: H C [mailto:keydet89 () yahoo com]
Sent: Thursday, July 18, 2002 10:34 PM
To: George M. Garner Jr.
Subject: Re: TCP 1025 scanning worm?

George,

Will that work in all cases, or only if port 111 is open?

HC

--- "George M. Garner Jr." <gmgarner () erols com> wrote:
HC,

Running rpcdump.exe from the resource kit also might clear things up. It will show what interface is being advertized over that port.

Regards,

George.

----- Original Message -----
From: "H C" <keydet89 () yahoo com>
To: <incidents () securityfocus com>
Cc: <rdump () river com>
Sent: Thursday, July 18, 2002 2:36 PM
Subject: re: TCP 1025 scanning worm?

> The sources are all Windows boxes listening on TCP port 1025.

Not surprising at all. MS has documentation that states that the ports from 1025-1030 are used by RPC. Have you checked your own machine w/ fport? I've got ports open in that range on my system right now, but they're all used by MS processes.

> The ramp up in volume from widely separated source IPs looks wormy.

How so? The log extract you provided doesn't show any data...it looks as if the initial SYN packet was denied. This could easily be a port scanner.

__________________________________________________
Do You Yahoo!?
Yahoo! Autos - Get free new car price quotes
http://autos.yahoo.com
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
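As an added example (not part of the thread, and not the rpcdump tool's own code), a small Python script that parses rpcdump -v -i records in the tokenised form quoted above and reports which interface UUIDs are actually listening on a given port, so a defender can answer "what is behind tcp 1025 on this box" from the dump alone. The sample records are constructed after George's posting; the UUID-to-name table is my annotation, consistent with his observation that the task scheduler hosts the port.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the "rpcdump.exe -v -i" output quoted in the
# thread: the two 1025 UUIDs are the ones George posted, addresses are RFC 5737
# documentation addresses, and the port 135 and IsListening:NO records are added
# so the filter has something to exclude.
SAMPLE = """\
ProtSeq:ncacn_ip_tcp Endpoint:135 NetOpt: Annotation: IsListening:YES StringBinding:ncacn_ip_tcp:192.0.2.10[135] UUID:e1af8308-5d1f-11c9-91a4-08002b14a0fa ComTimeOutValue:RPC_C_BINDING_DEFAULT_TIMEOUT VersMajor 3 VersMinor 0
ProtSeq:ncacn_ip_tcp Endpoint:1025 NetOpt: Annotation: IsListening:YES StringBinding:ncacn_ip_tcp:192.0.2.10[1025] UUID:378e52b0-c0a9-11cf-822d-00aa0051e40f ComTimeOutValue:RPC_C_BINDING_DEFAULT_TIMEOUT VersMajor 1 VersMinor 0
ProtSeq:ncacn_ip_tcp Endpoint:1025 NetOpt: Annotation: IsListening:YES StringBinding:ncacn_ip_tcp:198.51.100.7[1025] UUID:378e52b0-c0a9-11cf-822d-00aa0051e40f ComTimeOutValue:RPC_C_BINDING_DEFAULT_TIMEOUT VersMajor 1 VersMinor 0
ProtSeq:ncacn_ip_tcp Endpoint:1025 NetOpt: Annotation: IsListening:YES StringBinding:ncacn_ip_tcp:192.0.2.10[1025] UUID:1ff70682-0a51-30e8-076d-740be8cee98b ComTimeOutValue:RPC_C_BINDING_DEFAULT_TIMEOUT VersMajor 1 VersMinor 0
ProtSeq:ncacn_ip_tcp Endpoint:1025 NetOpt: Annotation: IsListening:NO StringBinding:ncacn_ip_tcp:198.51.100.7[1025] UUID:1ff70682-0a51-30e8-076d-740be8cee98b ComTimeOutValue:RPC_C_BINDING_DEFAULT_TIMEOUT VersMajor 1 VersMinor 0
"""

# Names for the two Task Scheduler UUIDs seen in the thread plus the endpoint
# mapper itself; anything not listed is reported as unknown rather than guessed.
KNOWN_INTERFACES = {
    "378e52b0-c0a9-11cf-822d-00aa0051e40f": "Task Scheduler (sasec)",
    "1ff70682-0a51-30e8-076d-740be8cee98b": "Task Scheduler (atsvc)",
    "e1af8308-5d1f-11c9-91a4-08002b14a0fa": "RPC endpoint mapper (epmp)",
}
FIELD_RE = re.compile(r"(\w+):(\S*)")  # Key:value tokens; value may be empty

def parse_rpcdump(text):
    """One dict per record; a record starts at each 'ProtSeq:' token."""
    records = []
    for chunk in re.split(r"(?=ProtSeq:)", text):
        if not chunk.startswith("ProtSeq:"):
            continue  # text before the first record (usually empty)
        rec = dict(FIELD_RE.findall(chunk))
        rec["UUID"] = rec.get("UUID", "").lower()
        records.append(rec)
    return records

def interfaces_on_endpoint(records, endpoint, protseq="ncacn_ip_tcp"):
    """UUID -> sorted string bindings for interfaces actually listening there."""
    found = defaultdict(set)
    for rec in records:
        if (rec.get("ProtSeq"), rec.get("Endpoint"), rec.get("IsListening")) \
                == (protseq, endpoint, "YES"):
            found[rec["UUID"]].add(rec.get("StringBinding", ""))
    return {uuid: sorted(b) for uuid, b in found.items()}

def describe(uuid):
    return KNOWN_INTERFACES.get(uuid.lower(), "unknown interface")

if __name__ == "__main__":
    for uuid, bindings in interfaces_on_endpoint(parse_rpcdump(SAMPLE), "1025").items():
        print(uuid, describe(uuid), *bindings)
```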
Current thread:
- TCP 1025 scanning worm? Richard Johnson (Jul 17)
- <Possible follow-ups>
- RE: TCP 1025 scanning worm? Rob Keown (Jul 17)
- re: TCP 1025 scanning worm? H C (Jul 18)
- re: TCP 1025 scanning worm? Richard Johnson (Jul 18)
- RE: TCP 1025 scanning worm? George M. Garner Jr. (Jul 19)