Security Incidents mailing list archives
Re: Hmm....901
From: Jason Falciola <falciola () us ibm com>
Date: Mon, 9 Jun 2003 15:45:34 -0400
[Moderators - I'm cross-posting b/c this message was originally sent to both lists] David Kennedy CISSP wrote:
> I can Google as well as anybody and know about Samba-SWAT and Realsecure's
> use of this port. That doesn't explain the increase in probes. Most are
> 0-byte connects. IP's from here look like home users, some dial-up, some
> broadbands.
>
> The mystery is what's behind the surge and what it's after.
DShield shows an increase in traffic destined for this port since 5/22 (one other spike around 4/19). We too have seen an increase in scanning for port 901 across our IDS customers in the same time period.

http://isc.incidents.org/port_details.html?port=901

It appears that this activity represents traffic looking for SWAT rather than an attack on RealSecure. I say this b/c of several factors. First, there have been several recent well-publicized and potentially serious remote vulnerabilities in Samba. Second, attackers often perform broad scanning to identify vulnerable hosts before releasing a new worm to "seed" the initial attacks so that they will spread more quickly. Third, there was also some coordinated recon from 209/8 that appeared to be looking for Samba after the recent vulns came out in April.

http://marc.theaimsgroup.com/?t=105081475300003&r=1&w=2

One helpful post states the following:

> Closer examination of the sources reveal that they are all what look like
> default installations of Linux (Redhat in particular). We believe this may
> be a new worm (or scanning tool) to look for/exploit the recent samba
> vulnerabilities. We think the point of the SYN/FIN packets are to determine
> whether the remote host has port 139 open, and whether the host is running
> windows (with netbios-ssn open), or is a linux machine running samba. Most
> stateful inspection firewalls will drop these SYN/FIN packets, but they are
> a clever way to determine the OS of an unfirewalled host. The fact that the
> source port of these packets is 139 is highly suspicious as well.

These two instances of recon may be related. The vulnerabilities in Samba may somehow affect SWAT (unlikely - purely conjecture). Or people may be looking to exploit weak/null passwords on SWAT so they can go in and open up the Samba configuration. Or perhaps they are trying to look for Samba installations in a non-obvious manner (as Ken McKinlay suggested). It may not be a new worm, but could be a precursor to one.
This may also just be evidence of coordinated scanning with a similar tool. Can you tell us the source of this activity? Do you have full packet dumps?

Thanks!

Jason Falciola
Information Security Analyst
IBM Managed Security Services
falciola () us ibm com
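For readers who want to check their own firewall logs for the two behaviours described in this thread (a source sweeping many hosts on port 901, and SYN/FIN packets sent from source port 139), here is an added example; it is not code from any of the posters. It assumes iptables-style kernel log lines carrying SRC=, DST=, PROTO=, SPT= and DPT= fields with the TCP flag names as bare tokens; the sample lines and the sweep threshold of three distinct targets are constructed for the example.

```python
"""Spot port-901 (SWAT) sweeps and SYN/FIN OS-probe packets in firewall logs.

Added example for this thread, not code from any of the posters. Assumes
iptables-style kernel log lines with SRC=, DST=, PROTO=, SPT=, DPT= fields
and TCP flag names as bare tokens; the sample lines below are constructed.
"""
import re
from collections import defaultdict

SWAT_PORT = 901           # port whose probe surge is discussed in the thread
NETBIOS_SSN_PORT = 139    # source port of the suspicious SYN/FIN packets
SWEEP_THRESHOLD = 3       # assumed: flag a source after this many distinct 901 targets

FIELD_RE = {name: re.compile(rf"\b{name}=(\S+)")
            for name in ("SRC", "DST", "PROTO", "SPT", "DPT")}
FLAG_RE = re.compile(r"\b(SYN|FIN|ACK|RST|PSH|URG)\b")


def parse_line(line):
    """Return the TCP fields of one log line, or None if it is not a TCP entry."""
    fields = {}
    for name, rx in FIELD_RE.items():
        m = rx.search(line)
        if m is None:
            return None
        fields[name] = m.group(1)
    if fields["PROTO"] != "TCP":
        return None
    return {
        "src": fields["SRC"],
        "dst": fields["DST"],
        "spt": int(fields["SPT"]),
        "dpt": int(fields["DPT"]),
        "flags": frozenset(FLAG_RE.findall(line)),
    }


def analyze(lines, threshold=SWEEP_THRESHOLD):
    """Summarise port-901 sweeps and SYN/FIN probes seen in the given log lines."""
    targets_on_901 = defaultdict(set)   # src -> distinct hosts it touched on 901
    synfin = []                         # packets with SYN and FIN set together
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # A bare SYN to 901 is a connection attempt (the "0-byte connects" above).
        if rec["dpt"] == SWAT_PORT and "SYN" in rec["flags"] and "ACK" not in rec["flags"]:
            targets_on_901[rec["src"]].add(rec["dst"])
        # SYN and FIN never appear together in a legitimate handshake; stateful
        # firewalls normally drop such packets, so seeing them is itself notable.
        if {"SYN", "FIN"} <= rec["flags"]:
            synfin.append(rec)
    sweepers = {src: len(d) for src, d in targets_on_901.items() if len(d) >= threshold}
    from_139 = [r for r in synfin if r["spt"] == NETBIOS_SSN_PORT]
    return {"swat_sweepers": sweepers, "synfin": synfin, "synfin_from_139": from_139}


SAMPLE_LOG = [  # constructed lines, not real captures
    "Jun  9 14:01:02 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=3342 DPT=901 SYN",
    "Jun  9 14:01:03 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP SPT=3343 DPT=901 SYN",
    "Jun  9 14:01:04 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.12 PROTO=TCP SPT=3344 DPT=901 SYN",
    "Jun  9 14:02:10 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=139 DPT=139 SYN FIN",
    "Jun  9 14:02:11 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.11 PROTO=TCP SPT=139 DPT=139 SYN FIN",
    "Jun  9 14:03:00 fw kernel: IN=eth0 SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=80 SYN",
    "Jun  9 14:03:01 fw kernel: IN=eth0 SRC=192.0.2.51 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=901 SYN",
    "Jun  9 14:03:05 fw kernel: IN=eth0 SRC=192.0.2.52 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=53",
]

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for src, n in report["swat_sweepers"].items():
        print(f"port-901 sweep: {src} touched {n} hosts")
    for r in report["synfin_from_139"]:
        print(f"SYN/FIN probe from {r['src']}:{r['spt']} -> {r['dst']}:{r['dpt']}")
```

The single port-901 connect from 192.0.2.51 stays below the sweep threshold and is not reported, which is the point of counting distinct targets per source rather than alerting on every connect; the SYN/FIN packets are reported regardless of count, since that flag combination has no legitimate use.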
Current thread:
- Hmm....901 David Kennedy CISSP (Jun 02)
- Re: Hmm....901 morning_wood (Jun 03)
- Re: Hmm....901 Florin Andrei (Jun 06)
- <Possible follow-ups>
- FW: Hmm....901 Brian Taylor (Jun 03)
- Re: Hmm....901 cvonancken (Jun 03)
- Re: Hmm....901 Curt Wilson (Jun 03)
- Re: Hmm....901 Jason Falciola (Jun 10)