Security Incidents mailing list archives

Re: Hmm....901


From: Jason Falciola <falciola () us ibm com>
Date: Mon, 9 Jun 2003 15:45:34 -0400

[Moderators - I'm cross-posting b/c this message was originally sent to
both lists]

David Kennedy CISSP wrote:
I can Google as well as anybody and know about Samba-SWAT and Realsecure's
use of this port.  That doesn't explain the increase in probes.  Most are
0-byte connects.  IP's from here look like home users, some dial-up, some
broadbands.

The mystery is what's behind the surge and what it's after.

Dshield shows an increase in traffic destined for this port since 5/22.
(One other spike around 4/19).  We too have seen an increase in scanning
for port 901 across our IDS customers in the same time period.

http://isc.incidents.org/port_details.html?port=901

It appears that this activity represents traffic looking for SWAT rather
than an attack on RealSecure.  I say this b/c of several factors.  First,
there have been several recent well-publicized and potentially serious
remote vulnerabilities in Samba.  Second, attackers often perform broad
scanning to identify vulnerable hosts before releasing a new worm to "seed"
the initial attacks so that they will spread more quickly.  Third, there
was also some coordinated recon from 209/8 that appeared to be looking for
Samba after the recent vulns came out in April.

http://marc.theaimsgroup.com/?t=105081475300003&r=1&w=2

One helpful post states the following:

"Closer examination of the sources reveals that they are all what look like
default installations of Linux (Redhat in particular).  We believe this may
be a new worm (or scanning tool) to look for/exploit the recent samba
vulnerabilities.  We think the point of the SYN/FIN packets is to
determine whether the remote host has port 139 open, and whether the host
is running windows (with netbios-ssn open), or is a linux machine running
samba.  Most stateful inspection firewalls will drop these SYN/FIN packets,
but they are a clever way to determine the OS of an unfirewalled host.  The
fact that the source port of these packets is 139 is highly suspicious as
well."

These two instances of recon may be related.  The vulnerabilities in Samba
may somehow affect SWAT (unlikely - purely conjecture).  Or people may be
looking to exploit weak/null passwords on SWAT so they can go in and open
up the Samba configuration.  Or perhaps they are trying to look for Samba
installations in a non-obvious manner (as Ken McKinlay suggested).

It may not be a new worm, but could be a precursor to one.  This may also
just be evidence of coordinated scanning with a similar tool.

Can you tell us the source of this activity?  Do you have full packet
dumps?

Thanks!

Jason Falciola
Information Security Analyst
IBM Managed Security Services
falciola () us ibm com
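Added example (editor's code, not part of the original post and not IBM MSS tooling): a small Python detector for the two patterns the thread describes, run over constructed tcpdump-style lines. It flags SYN/FIN packets (an illegal flag combination in normal TCP) and counts how many come from source port 139, and it finds "0-byte connects" to 901/tcp, i.e. flows that were opened with a SYN but never carried any payload. The sample traffic, the RFC 5737 documentation addresses in it, and the tcpdump line format it parses are all assumptions made for the example.

```python
"""
Added example (not from the original post): detect SYN/FIN recon from
source port 139 and zero-byte connects to 901/tcp (SWAT) in tcpdump-style
output.  Sample lines are constructed; in practice they would come from
`tcpdump -nn tcp` or an IDS feed.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

SWAT_PORT = 901          # Samba SWAT
NETBIOS_SSN_PORT = 139   # netbios-ssn, source port used by the probes

# Matches lines such as:
#   IP 203.0.113.10.139 > 192.0.2.5.139: Flags [SF], seq 0, win 1024, length 0
LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*?length (?P<length>\d+)"
)

# Constructed sample traffic (assumption: RFC 5737 documentation addresses).
SAMPLE_LOG = """\
IP 203.0.113.10.139 > 192.0.2.5.139: Flags [SF], seq 0, win 1024, length 0
IP 203.0.113.10.139 > 192.0.2.6.139: Flags [SF], seq 0, win 1024, length 0
IP 203.0.113.11.139 > 192.0.2.5.139: Flags [SF], seq 0, win 1024, length 0
IP 198.51.100.7.40012 > 192.0.2.5.139: Flags [S], seq 11, win 5840, length 0
IP 198.51.100.8.51234 > 192.0.2.5.901: Flags [S], seq 12, win 5840, length 0
IP 198.51.100.8.51234 > 192.0.2.5.901: Flags [F.], seq 13, ack 1, win 5840, length 0
IP 198.51.100.9.51000 > 192.0.2.7.901: Flags [S], seq 14, win 5840, length 0
IP 198.51.100.9.51000 > 192.0.2.7.901: Flags [P.], seq 15:135, ack 1, win 5840, length 120
IP 203.0.113.12.42000 > 192.0.2.5.22: Flags [S], seq 16, win 5840, length 0
"""


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # tcpdump flag letters: S=SYN, F=FIN, .=ACK, P=PSH, R=RST
    length: int  # TCP payload bytes


def parse_tcpdump(text):
    """Parse tcpdump-style lines into Pkt records, skipping anything else."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkts.append(Pkt(m["src"], int(m["sport"]), m["dst"],
                            int(m["dport"]), m["flags"], int(m["length"])))
    return pkts


def syn_fin_probes(pkts):
    """SYN and FIN set together never occurs in legitimate TCP, so every
    such packet is a probe (or a broken stack)."""
    return [p for p in pkts if "S" in p.flags and "F" in p.flags]


def swat_zero_byte_connects(pkts):
    """Map each source to the number of 901/tcp flows it opened (SYN seen)
    without ever sending payload; a real SWAT user would send an HTTP request."""
    flows = defaultdict(lambda: {"syn": False, "bytes": 0})
    for p in pkts:
        if p.dport != SWAT_PORT:
            continue
        f = flows[(p.src, p.sport, p.dst)]
        if "S" in p.flags:
            f["syn"] = True
        f["bytes"] += p.length
    counts = Counter()
    for (src, _sport, _dst), f in flows.items():
        if f["syn"] and f["bytes"] == 0:
            counts[src] += 1
    return dict(counts)


def summarize(pkts):
    """Summary a responder would want: who sent SYN/FIN, how many of those
    used source port 139, and who is doing 0-byte connects to SWAT."""
    probes = syn_fin_probes(pkts)
    return {
        "syn_fin_sources": sorted({p.src for p in probes}),
        "syn_fin_from_sport_139": sum(1 for p in probes
                                      if p.sport == NETBIOS_SSN_PORT),
        "swat_zero_byte_connects": swat_zero_byte_connects(pkts),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_tcpdump(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Two limitations worth knowing before pointing this at real captures: the zero-byte-connect check keys flows on (source, source port, destination) without tracking sequence numbers, so a reused source port within one capture would merge two flows, and without seeing the reply it cannot distinguish a 0-byte connect that was refused from one that completed the handshake and was then closed. Full packet dumps, as the post asks for, remove both ambiguities.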

