From: Jim Harrison (SPG) (jmharrmicrosoft.com)
Date: Tue Dec 11 2001 - 15:03:36 CST


    I wouldn't be too quick to "nuke and pave" just because of some NetBIOS
    name queries (UDP port 137). All NT4 machines prefer to use NB
    broadcasts and WINS requests, both of which use that protocol/port
    combination.
    This looks more like an IP misconfiguration on that server, particularly
    in the name resolution (DNS / WINS) area.

    Jim Harrison
    MCP(NT4, 2K), A+, Network+
    Services Platform Group
    (425) 705-7275

    -----Original Message-----
    From: Seamus Hartmann [mailto:shartmannfujifilmesys.com]
    Sent: Tuesday, December 11, 2001 11:48
    To: Incidents at Security Focus (incidentssecurityfocus.com)
    Subject: Internal Machine making many attempts to connect to Internet on 137

    Hello,

    This is my first post here, so bear with me.

    I'm looking for information about an exploit that starts searching for
    NetBIOS shares across random IP addresses. I have the following Code
    Red/Code Red II/Nimda Policy-Map on my external router since August
    17th, and this machine was installed post August 17th.

    http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml

    This is an internal Windows NT 4.0 machine, patched sp6a and HFNETCHK
    states the following

    ----------------------------
    SERVER01
    ----------------------------

            * WINDOWS NT4SERVER SP6a

            NOTE MS98-001 Q169556
            NOTE MS99-036 Q155197
            NOTE MS99-041 Q242294
            NOTE MS01-022 Q296441
            Patch NOT Found MS01-041 Q299444
            Patch NOT Found MS01-048 Q305399

            * Internet Information Server 4.0

            NOTE MS99-025 Q184375
            NOTE MS00-025 Q259799
            NOTE MS00-028 Q260267
            Patch NOT Found MS01-044 Q301625

            * Internet Explorer 5.5 Gold

            Patch NOT Found MS00-093 Q279328
            Patch NOT Found MS00-055 Q269368

    Norton Corporate Antivirus 7.1 running with 12/6/01 virus data. Full
    System virus scan comes up clean.

    Fport reports the following strangeness.... look at all that stuff
    System is listening on!

    FPort v1.33 - TCP/IP Process to Port Mapper
    Copyright 2000 by Foundstone, Inc.
    http://www.foundstone.com

    Pid Process Port Proto Path
    2 System -> 80 TCP
    168 MHSS -> 80 TCP D:\STATISTICSSERVER\MHSS.EXE
    95 RpcSs -> 135 TCP C:\WINNT\system32\RpcSs.exe
    2 System -> 135 TCP
    2 System -> 139 TCP
    95 RpcSs -> 1025 TCP C:\WINNT\system32\RpcSs.exe
    2 System -> 1025 TCP
    102 msdtc -> 1026 TCP C:\WINNT\System32\msdtc.exe
    2 System -> 1026 TCP
    2 System -> 1027 TCP
    102 msdtc -> 1027 TCP C:\WINNT\System32\msdtc.exe
    2 System -> 1033 TCP
    197 MSTask -> 1033 TCP C:\WINNT\system32\MSTask.exe
    197 MSTask -> 1034 TCP C:\WINNT\system32\MSTask.exe
    2 System -> 1034 TCP
    95 RpcSs -> 1038 TCP C:\WINNT\system32\RpcSs.exe
    2 System -> 1038 TCP
    2 System -> 1083 TCP
    2 System -> 1416 TCP
    2 System -> 1709 TCP
    2 System -> 1713 TCP
    2 System -> 1724 TCP
    2 System -> 1725 TCP
    2 System -> 1744 TCP
    2 System -> 1745 TCP
    2 System -> 1747 TCP
    2 System -> 1749 TCP
    2 System -> 1766 TCP
    2 System -> 1786 TCP
    2 System -> 1801 TCP
    2 System -> 1812 TCP
    2 System -> 1915 TCP
    2 System -> 1962 TCP
    2 System -> 2067 TCP
    298 java -> 2067 TCP C:\SITESC~1\java\bin\java.exe
    2 System -> 2212 TCP
    2 System -> 2233 TCP
    2 System -> 2301 TCP
    216 Surveyor -> 2301 TCP C:\compaq\survey\Surveyor.EXE
    2 System -> 2351 TCP
    2 System -> 2570 TCP
    2 System -> 2604 TCP
    2 System -> 2617 TCP
    2 System -> 2654 TCP
    2 System -> 3072 TCP
    2 System -> 3140 TCP
    2 System -> 3145 TCP
    2 System -> 3146 TCP
    2 System -> 3149 TCP
    2 System -> 3152 TCP
    2 System -> 3153 TCP
    2 System -> 3154 TCP
    2 System -> 3155 TCP
    2 System -> 3159 TCP
    2 System -> 3167 TCP
    2 System -> 3200 TCP
    2 System -> 3204 TCP
    2 System -> 3229 TCP
    2 System -> 3232 TCP
    2 System -> 3235 TCP
    2 System -> 3240 TCP
    2 System -> 3244 TCP
    2 System -> 3249 TCP
    2 System -> 3260 TCP
    2 System -> 3271 TCP
    2 System -> 3276 TCP
    2 System -> 3277 TCP
    2 System -> 3301 TCP
    2 System -> 3306 TCP
    2 System -> 3313 TCP
    2 System -> 3320 TCP
    2 System -> 3322 TCP
    2 System -> 3325 TCP
    2 System -> 3328 TCP
    2 System -> 3340 TCP
    2 System -> 3374 TCP
    2 System -> 3441 TCP
    2 System -> 3473 TCP
    2 System -> 3497 TCP
    2 System -> 3498 TCP
    2 System -> 3504 TCP
    2 System -> 3513 TCP
    2 System -> 3526 TCP
    2 System -> 3529 TCP
    2 System -> 3579 TCP
    2 System -> 3610 TCP
    2 System -> 3627 TCP
    2 System -> 3684 TCP
    2 System -> 3739 TCP
    2 System -> 3746 TCP
    2 System -> 4000 TCP
    2 System -> 4052 TCP
    2 System -> 4150 TCP
    2 System -> 4598 TCP
    2 System -> 4859 TCP
    2 System -> 4868 TCP
    2 System -> 4886 TCP
    168 MHSS -> 4886 TCP D:\STATISTICSSERVER\MHSS.EXE
    2 System -> 4993 TCP
    2 System -> 8888 TCP
    298 java -> 8888 TCP C:\SITESC~1\java\bin\java.exe
    291 CPQWMGMT -> 49400 TCP C:\WINNT\System32\CPQMGMT\CPQWMGMT.EXE
    2 System -> 49400 TCP
    95 RpcSs -> 135 UDP C:\WINNT\system32\RpcSs.exe
    2 System -> 135 UDP
    2 System -> 137 UDP
    2 System -> 138 UDP
    2 System -> 161 UDP
    212 snmp -> 161 UDP C:\WINNT\System32\snmp.exe
    2 System -> 1035 UDP
    212 snmp -> 1035 UDP C:\WINNT\System32\snmp.exe
    2 System -> 1036 UDP
    212 snmp -> 1036 UDP C:\WINNT\System32\snmp.exe
    2 System -> 1750 UDP
    417 iexplore -> 1750 UDP C:\PROGRA~1\Plus!\MICROS~1\iexplore.exe

    SFind (another fine Foundstone tool) finds NO streamed files on the
    system.

    Firewall (Cisco PIX 520 running 6.1.1) holes open to this box are as
    follows.

    PIX-6.1.1# sh conduit server.ip.address.here
    conduit permit icmp host server.ip.address.here any echo-reply (hitcnt=695)
    conduit permit icmp host server.ip.address.here any information-reply (hitcnt=0)
    conduit permit icmp host server.ip.address.here any time-exceeded (hitcnt=175)
    conduit permit tcp host server.ip.address.here eq www any (hitcnt=3649)
    conduit permit icmp host server.ip.address.here any (hitcnt=31)
    PIX-6.1.1#

    IP Auditing turned on at the PIX, and log/drop/reset for attacks.

    Edge router ACLs catching outgoing attempts for NetBIOS

    Syslog logging: enabled (0 messages dropped, 3 messages rate-limited, 0 flushes, 0 overruns)
        Console logging: level informational, 20350 messages logged
        Monitor logging: level debugging, 0 messages logged
        Buffer logging: level debugging, 20365 messages logged
        Logging Exception size (8192 bytes)
        Trap logging: level informational, 20263 message lines logged

    Log Buffer (8192 bytes):
    Dec 11 12:45:50: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 205.188.208.168(137), 2 packets
    Dec 11 12:45:53: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 208.12.66.194(137), 2 packets
    Dec 11 12:45:57: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 205.188.208.103(137), 2 packets
    Dec 11 12:46:06: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 205.188.208.169(137), 2 packets
    Dec 11 12:46:11: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 205.188.208.139(137), 2 packets
    Dec 11 12:46:20: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 204.146.85.150(137), 2 packets
    Dec 11 12:46:24: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 63.225.78.198(137), 2 packets
    Dec 11 12:46:29: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 163.191.134.150(137), 2 packets
    Dec 11 12:46:42: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 63.96.200.5(137), 2 packets
    Dec 11 12:46:47: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 152.163.201.192(137), 2 packets
    Dec 11 12:46:56: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 152.163.189.65(137), 2 packets
    Dec 11 12:47:00: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 63.49.226.31(137), 2 packets
    Dec 11 12:47:05: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 139.67.9.129(137), 2 packets
    Dec 11 12:47:14: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 206.180.109.14(137), 2 packets
    Dec 11 12:47:18: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 24.214.50.228(137), 2 packets
    Dec 11 12:47:23: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 205.188.209.166(137), 2 packets
    Dec 11 12:47:29: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 198.185.205.177(137), 2 packets
    Dec 11 12:47:32: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 24.49.20.122(137), 2 packets
    Dec 11 12:47:35: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 65.202.66.10(137), 2 packets
    Dec 11 12:47:41: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 165.89.84.242(137), 2 packets
    Dec 11 12:47:45: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 172.142.196.127(137), 2 packets
    Dec 11 12:47:49: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 64.12.105.31(137), 2 packets
    Dec 11 12:47:54: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 63.149.92.4(137), 2 packets
    Dec 11 12:47:57: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 24.4.252.110(137), 2 packets
    Dec 11 12:48:03: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 24.4.252.111(137), 2 packets
    Dec 11 12:48:08: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 205.188.199.167(137), 2 packets
    Dec 11 12:48:12: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 205.188.209.12(137), 2 packets
    Dec 11 12:48:17: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 63.208.128.70(137), 2 packets
    Dec 11 12:48:26: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 139.147.230.38(137), 2 packets
    Dec 11 12:48:30: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 131.124.100.124(137), 2 packets
    Dec 11 12:48:39: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 12.82.137.160(137), 2 packets
    Dec 11 12:48:44: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 66.57.73.140(137), 2 packets
    Dec 11 12:48:47: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 24.29.27.66(137), 2 packets
    Dec 11 12:48:53: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 129.130.5.39(137), 2 packets
    Dec 11 12:48:57: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 198.108.17.232(137), 2 packets
    Dec 11 12:49:10: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 216.132.160.66(137), 2 packets
    Dec 11 12:49:11: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 24.4.252.249(137), 2 packets
    Dec 11 12:49:15: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 207.50.68.2(137), 2 packets
    Dec 11 12:49:21: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 207.16.136.22(137), 2 packets
    Dec 11 12:49:24: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 208.242.197.6(137), 2 packets
    Dec 11 12:49:27: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 141.153.178.100(137), 2 packets
    Dec 11 12:49:33: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 209.130.138.227(137), 5 packets
    Dec 11 12:49:35: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 64.12.96.8(137), 2 packets
    Dec 11 12:49:38: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 64.12.96.10(137), 2 packets
    Dec 11 12:49:47: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 24.4.255.93(137), 2 packets
    Dec 11 12:49:51: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 24.4.255.92(137), 2 packets
    Dec 11 12:49:57: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 216.230.74.226(137), 2 packets
    Dec 11 12:50:00: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 168.26.223.33(137), 2 packets
    Dec 11 12:50:07: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 167.1.102.100(137), 2 packets
    Edge-CiscoRouter#

    Anyone seen this behavior before? Any suggestions? I am going to flush
    and fill, but I'd like to learn something from the issue, rather than
    just have it be an exercise in the format command!

    Thanks.

    Seamus Hartmann
    Senior Network Engineer
    Fuji Film eSystems

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service. For
    more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
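The edge-router buffer is the only hard evidence in this thread, and the two posters read it differently: one as a host hunting for NetBIOS shares, the other as name-resolution traffic from a misconfigured NT4 box. What follows is an added example written for this page (not code from either poster) that parses Cisco IOS %SEC-6-IPACCESSLOGP lines and reports, per source host, how many distinct destinations were hit on UDP/137, spread over how many /24 networks, at what rate, and with how many packets per target. The sample lines are constructed from the format quoted above (the source host keeps the poster's placeholder name; one TCP line from a different host is added to show that unrelated entries are filtered out), and the sweep thresholds in looks_like_sweep are assumptions chosen for illustration, not figures from the post.

```python
"""Summarise Cisco IOS ACL log lines (%SEC-6-IPACCESSLOGP) per source host,
to separate a few scattered NetBIOS name-service packets from a worm-style
port-137 sweep.  Added example; not code from the original post."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the edge-router buffer quoted in the post.
# The last line (TCP to port 139 from another host) is added to show that
# unrelated entries are filtered out of the summary.
SAMPLE_LOG = """\
Dec 11 12:45:50: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 205.188.208.168(137), 2 packets
Dec 11 12:45:53: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 208.12.66.194(137), 2 packets
Dec 11 12:45:57: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 205.188.208.103(137), 2 packets
Dec 11 12:46:06: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 205.188.208.169(137), 2 packets
Dec 11 12:49:33: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 209.130.138.227(137), 5 packets
Dec 11 12:50:07: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.7(1035) -> 198.51.100.9(139), 1 packet
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d): %SEC-6-IPACCESSLOGP: "
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>\S+?)\((?P<sport>\d+)\) -> (?P<dst>\S+?)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?$"
)


def parse_acl_log(text):
    """Return one dict per well-formed %SEC-6-IPACCESSLOGP line; anything
    else (router prompts, other facilities) is skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        for key in ("sport", "dport", "count"):
            ev[key] = int(ev[key])
        # IOS buffer timestamps carry no year; strptime fills in 1900, which
        # is fine for spans inside one day (a midnight rollover would need
        # the real date supplied by the caller).
        ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
        events.append(ev)
    return events


def _net24(dst):
    """/24 containing an address; a bare host name gets its own bucket."""
    try:
        return ipaddress.ip_network(f"{dst}/24", strict=False)
    except ValueError:
        return dst


def summarize(events, dport=137):
    """Per source host, describe its traffic to `dport`: distinct targets,
    how many /24s they fall in, the time span, and packets per target."""
    per_src = defaultdict(list)
    for ev in events:
        if ev["dport"] == dport:
            per_src[ev["src"]].append(ev)
    report = {}
    for src, evs in per_src.items():
        dsts = {e["dst"] for e in evs}
        nets = {_net24(d) for d in dsts}
        times = sorted(e["ts"] for e in evs)
        span = (times[-1] - times[0]).total_seconds()
        packets = sum(e["count"] for e in evs)
        report[src] = {
            "distinct_dsts": len(dsts),
            "distinct_nets24": len(nets),
            "packets": packets,
            "span_seconds": span,
            # a single target (zero span) counts as that many per minute
            "dsts_per_minute": len(dsts) * 60.0 / span if span else float(len(dsts)),
            "packets_per_dst": packets / len(dsts),
        }
    return report


def looks_like_sweep(stats, min_dsts_per_minute=30.0, max_net_ratio=0.5):
    """Heuristic (an assumption for illustration, not from the post): a
    worm-style sweep hits many addresses per minute and packs them into
    few /24s; a handful of targets in unrelated networks, seconds apart,
    does neither."""
    if stats["distinct_dsts"] < 2:
        return False
    net_ratio = stats["distinct_nets24"] / stats["distinct_dsts"]
    return stats["dsts_per_minute"] >= min_dsts_per_minute and net_ratio <= max_net_ratio


if __name__ == "__main__":
    for src, stats in summarize(parse_acl_log(SAMPLE_LOG)).items():
        verdict = "sweep-like" if looks_like_sweep(stats) else "not sweep-like"
        print(src, verdict, stats)
```

Paste a real `show logging` buffer into parse_acl_log and the summary gives the numbers the thread argues about: the quoted buffer works out to roughly one new target every four or five seconds, two packets each, spread over dozens of unrelated /24s, which is the shape of a host resolving names one at a time rather than walking an address range.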
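Jim's reply turns on what those UDP/137 packets are actually asking. A NetBIOS Name Service query (RFC 1002) carries one of two question types: NB (0x0020), "which address owns this name", which is what broadcast and WINS resolution send, or NBSTAT (0x0021), "give me your node status and name table". The example below is added for this page, not code from either poster; it builds both kinds of query and decodes them, so a capture of the server's outbound port-137 traffic can be read the same way. The transaction IDs and the name SERVER01 are made up.

```python
"""Build and decode NetBIOS Name Service (RFC 1002) query packets, the
UDP/137 traffic under discussion.  Added example, not from the original
post; transaction IDs and names are made up."""
import struct

NB, NBSTAT = 0x0020, 0x0021          # question types
QTYPE_LABEL = {
    NB: "NB: which address owns this name (broadcast / WINS resolution)",
    NBSTAT: "NBSTAT: node status, i.e. the target's NetBIOS name table",
}
FLAG_RESPONSE, FLAG_RD, FLAG_BCAST = 0x8000, 0x0100, 0x0010


def encode_name(name, suffix=0x00):
    """First-level encoding: 15 name bytes + 1 suffix byte, each byte split
    into two nibbles offset by 'A', wrapped as a single 32-byte label."""
    pad = b"\x00" if name == "*" else b" "      # the NBSTAT wildcard is NUL-padded
    raw = name.upper().encode("ascii")[:15].ljust(15, pad) + bytes([suffix])
    label = bytes(b for byte in raw for b in ((byte >> 4) + 0x41, (byte & 0x0F) + 0x41))
    return bytes([len(label)]) + label + b"\x00"   # 0x20, 32 chars, root label


def decode_name(buf, offset=0):
    """Inverse of encode_name; returns (name, suffix, offset_after_name)."""
    if buf[offset] != 32:
        raise ValueError("expected a 32-byte encoded NetBIOS label")
    label = buf[offset + 1:offset + 33]
    if any(not 0x41 <= c <= 0x50 for c in label):
        raise ValueError("bad first-level encoding")
    raw = bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41) for i in range(0, 32, 2))
    if buf[offset + 33] != 0:
        raise ValueError("scope IDs / label pointers not handled here")
    return raw[:15].decode("ascii").rstrip(" \x00"), raw[15], offset + 34


def build_query(trn_id, name, qtype, suffix=0x00, broadcast=False, recursion=True):
    """One-question NBNS query: 12-byte header, encoded name, QTYPE, QCLASS=IN."""
    flags = (FLAG_RD if recursion else 0) | (FLAG_BCAST if broadcast else 0)
    header = struct.pack(">HHHHHH", trn_id, flags, 1, 0, 0, 0)
    return header + encode_name(name, suffix) + struct.pack(">HH", qtype, 1)


def parse_query(pkt):
    """Decode a captured UDP/137 payload and say what it is asking for."""
    if len(pkt) < 12:
        raise ValueError("short packet")
    trn_id, flags, qdcount, _an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    if flags & FLAG_RESPONSE:
        raise ValueError("this is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, suffix, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack(">HH", pkt[off:off + 4])
    return {
        "trn_id": trn_id,
        "opcode": (flags >> 11) & 0x0F,          # 0 = query
        "broadcast": bool(flags & FLAG_BCAST),   # B flag: broadcast, not unicast to WINS
        "recursion_desired": bool(flags & FLAG_RD),
        "name": name,
        "suffix": suffix,                        # 0x20 = server service, 0x00 = workstation
        "qtype": qtype,
        "what": QTYPE_LABEL.get(qtype, "unknown question type"),
        "qclass": qclass,
    }


if __name__ == "__main__":
    for pkt in (build_query(0x1234, "*", NBSTAT, recursion=False),
                build_query(0x1235, "SERVER01", NB, suffix=0x20, broadcast=True)):
        print(pkt.hex(), parse_query(pkt))
```

Feed parse_query the UDP payload of one of the denied packets and the "what" field says which kind of lookup the server is performing; the name, suffix and B flag then tell you whether it is resolving something via broadcast, via a configured WINS server, or asking individual hosts for their name tables.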
    
