 
From: George M. Garner Jr. (gmgarner_at_erols.com)
Date: Fri Jul 19 2002 - 09:20:11 CDT


    HC,

    Actually, the endpoint map is on tcp 135 on MS Windows boxes. But I
    have never tried it through a firewall before, so I don't know. It
    might use tcp 139/145 SMB traffic.

    Tcp port 1025 is being hosted by the task scheduler on this w2k box.
    Running "rpcdump.exe -v -i" I get the following endpoint information:

    ProtSeq:ncacn_ip_tcp
    Endpoint:1025
    NetOpt:
    Annotation:
    IsListening:YES
    StringBinding:ncacn_ip_tcp:192.168.217.200[1025]
    UUID:378e52b0-c0a9-11cf-822d-00aa0051e40f
    ComTimeOutValue:RPC_C_BINDING_DEFAULT_TIMEOUT
    VersMajor 1 VersMinor 0

    ProtSeq:ncacn_ip_tcp
    Endpoint:1025
    NetOpt:
    Annotation:
    IsListening:YES
    StringBinding:ncacn_ip_tcp:66.44.7.46[1025]
    UUID:378e52b0-c0a9-11cf-822d-00aa0051e40f
    ComTimeOutValue:RPC_C_BINDING_DEFAULT_TIMEOUT
    VersMajor 1 VersMinor 0

    ProtSeq:ncacn_ip_tcp
    Endpoint:1025
    NetOpt:
    Annotation:
    IsListening:YES
    StringBinding:ncacn_ip_tcp:192.168.217.200[1025]
    UUID:1ff70682-0a51-30e8-076d-740be8cee98b
    ComTimeOutValue:RPC_C_BINDING_DEFAULT_TIMEOUT
    VersMajor 1 VersMinor 0

    ProtSeq:ncacn_ip_tcp
    Endpoint:1025
    NetOpt:
    Annotation:
    IsListening:YES
    StringBinding:ncacn_ip_tcp:66.44.7.46[1025]
    UUID:1ff70682-0a51-30e8-076d-740be8cee98b
    ComTimeOutValue:RPC_C_BINDING_DEFAULT_TIMEOUT
    VersMajor 1 VersMinor 0

    Perhaps someone is looking for a poorly configured Windows box on which
    to schedule a task. :-)

    Regards,

    George.

    -----Original Message-----
    From: H C [mailto:keydet89yahoo.com]
    Sent: Thursday, July 18, 2002 10:34 PM
    To: George M. Garner Jr.
    Subject: Re: TCP 1025 scanning worm?

    George,

    Will that work in all cases, or only if port 111 is
    open?

    HC

    --- "George M. Garner Jr." <gmgarnererols.com> wrote:
    > HC,
    >
    > Running rpcdump.exe from the resource kit also might
    > clear things up. It
    > will show what interface is being advertised over
    > that port.
    >
    > Regards,
    >
    > George.
    >
    > ----- Original Message -----
    > From: "H C" <keydet89yahoo.com>
    > To: <incidentssecurityfocus.com>
    > Cc: <rdumpriver.com>
    > Sent: Thursday, July 18, 2002 2:36 PM
    > Subject: re: TCP 1025 scanning worm?
    >
    >
    > > > The sources are all Windows boxes listening on TCP
    > > > port 1025.
    > >
    > > Not surprising at all. MS has documentation that
    > > states that the ports from 1025-1030 are used by RPC.
    > >
    > > Have you checked your own machine w/ fport? I've got
    > > ports open in that range on my system right now, but
    > > they're all used by MS processes.
    > >
    > > > The ramp up in volume from widely separated source
    > > > IPs looks wormy.
    > >
    > > How so? The log extract you provided doesn't show any
    > > data...it looks as if the initial SYN packet was
    > > denied. This could easily be a port scanner.
    > >

    __________________________________________________ Do You Yahoo!? Yahoo! Autos - Get free new car price quotes http://autos.yahoo.com

    ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
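The thread's point is that a listener on tcp/1025 tells you nothing by itself: on Windows 2000 the port is handed out dynamically, and only the endpoint mapper (or `rpcdump.exe -v -i` on the host) tells you which RPC interface is actually registered there. The script below is an added example, not code from the thread or from the resource kit; it parses the `rpcdump.exe -v -i` output George posted (embedded verbatim as the sample), groups the registrations by TCP port, names the interface UUIDs it recognises, and flags any binding on a globally routable address, which is what makes the box in George's listing interesting. The `KNOWN_INTERFACES` table is an assumption added here (the two UUIDs are the Task Scheduler's `atsvc` and `sasec` interfaces as published by Microsoft; the thread only says the port is hosted by the task scheduler), and the 1025-5000 dynamic range is the Windows 2000 default, not something the thread states.

```python
"""Summarise `rpcdump.exe -v -i` output by TCP port.

Added example; not part of the original mailing-list thread.
"""
import ipaddress
import re
from collections import defaultdict

# ASSUMPTION: interface names for the UUIDs in George's listing. Both are
# Task Scheduler interfaces; the thread itself only says "task scheduler".
KNOWN_INTERFACES = {
    "1ff70682-0a51-30e8-076d-740be8cee98b": "atsvc (Task Scheduler, AT jobs)",
    "378e52b0-c0a9-11cf-822d-00aa0051e40f": "sasec (Task Scheduler, security)",
}

# ASSUMPTION: Windows 2000 default dynamic RPC port range.
DYNAMIC_LOW, DYNAMIC_HIGH = 1025, 5000

# rpcdump prints "VersMajor 1 VersMinor 0" without a colon.
VERS_RE = re.compile(r"^VersMajor\s+(\d+)\s+VersMinor\s+(\d+)$")
# StringBinding for the TCP protocol sequence: ncacn_ip_tcp:host[port]
TCP_BINDING_RE = re.compile(r"^ncacn_ip_tcp:([^\[]+)\[(\d+)\]$")

# Sample input copied from George's post (rpcdump.exe -v -i on his W2K box).
SAMPLE = """\
ProtSeq:ncacn_ip_tcp
Endpoint:1025
NetOpt:
Annotation:
IsListening:YES
StringBinding:ncacn_ip_tcp:192.168.217.200[1025]
UUID:378e52b0-c0a9-11cf-822d-00aa0051e40f
ComTimeOutValue:RPC_C_BINDING_DEFAULT_TIMEOUT
VersMajor 1 VersMinor 0

ProtSeq:ncacn_ip_tcp
Endpoint:1025
NetOpt:
Annotation:
IsListening:YES
StringBinding:ncacn_ip_tcp:66.44.7.46[1025]
UUID:378e52b0-c0a9-11cf-822d-00aa0051e40f
ComTimeOutValue:RPC_C_BINDING_DEFAULT_TIMEOUT
VersMajor 1 VersMinor 0

ProtSeq:ncacn_ip_tcp
Endpoint:1025
NetOpt:
Annotation:
IsListening:YES
StringBinding:ncacn_ip_tcp:192.168.217.200[1025]
UUID:1ff70682-0a51-30e8-076d-740be8cee98b
ComTimeOutValue:RPC_C_BINDING_DEFAULT_TIMEOUT
VersMajor 1 VersMinor 0

ProtSeq:ncacn_ip_tcp
Endpoint:1025
NetOpt:
Annotation:
IsListening:YES
StringBinding:ncacn_ip_tcp:66.44.7.46[1025]
UUID:1ff70682-0a51-30e8-076d-740be8cee98b
ComTimeOutValue:RPC_C_BINDING_DEFAULT_TIMEOUT
VersMajor 1 VersMinor 0
"""


def parse_rpcdump(text):
    """Split rpcdump -v output into one dict per blank-line-separated record."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        m = VERS_RE.match(line)
        if m:                             # version line has no "Key:" form
            current["Version"] = f"{m.group(1)}.{m.group(2)}"
            continue
        key, sep, value = line.partition(":")   # first colon only; binding keeps its own
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def is_dynamic_port(port):
    """True if the port falls in the range RPC hands out at service start."""
    return DYNAMIC_LOW <= port <= DYNAMIC_HIGH


def summarize_tcp_endpoints(records):
    """Map TCP port -> sorted UUIDs and bound addresses, listening-only."""
    acc = defaultdict(lambda: {"uuids": set(), "addresses": set()})
    for rec in records:
        if rec.get("ProtSeq") != "ncacn_ip_tcp" or rec.get("IsListening") != "YES":
            continue
        m = TCP_BINDING_RE.match(rec.get("StringBinding", ""))
        if not m:
            continue
        host, port = m.group(1), int(m.group(2))
        acc[port]["uuids"].add(rec.get("UUID", "").lower())
        acc[port]["addresses"].add(host)
    return {p: {"uuids": sorted(v["uuids"]), "addresses": sorted(v["addresses"])}
            for p, v in acc.items()}


def exposed_addresses(entry):
    """Bound addresses that are globally routable (not RFC1918/loopback/link-local)."""
    return [a for a in entry["addresses"] if ipaddress.ip_address(a).is_global]


def describe_port(port, entry):
    """Human-readable lines for one port's registrations."""
    kind = "dynamic" if is_dynamic_port(port) else "fixed"
    lines = [f"tcp/{port} ({kind} range) bound on {', '.join(entry['addresses'])}"]
    for uuid in entry["uuids"]:
        lines.append(f"  {uuid}  {KNOWN_INTERFACES.get(uuid, 'unknown interface')}")
    exposed = exposed_addresses(entry)
    if exposed:
        lines.append(f"  WARNING: reachable on public address(es) {', '.join(exposed)}")
    return lines


if __name__ == "__main__":
    for port, entry in sorted(summarize_tcp_endpoints(parse_rpcdump(SAMPLE)).items()):
        print("\n".join(describe_port(port, entry)))
```

Run against a saved `rpcdump.exe -v -i` capture from the host you are investigating, not against the endpoint mapper from a remote scanner: the listener on 1025 is whatever service happened to start first, so the same port on another box may be a different interface entirely, and the UUID is the only stable identifier.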