worm information

Hello,

Over the last few days I've seen a number of hosts attempt to initiate TCP
connections to the following ports in sequence.

80
139
445
6129
3127
1025
135
2745
...repeat.

At this moment I haven't seen a correlation between this activity and the
port exploitation list on CERT. Any insight would be appreciated, thank
you.

Regards,
Christopher J. Wolff, VP CIO
Broadband Laboratories, Inc.
http://www.bblabs.com

There's a number of viruses/worms in the wild that are programmed to exploit various M$ vulnerabilities:

80 - IIS WebDAV (MS03-007) and any number of other IIS vulnerabilities
135 - DCOM RPC (MS03-026)
445 - RPC locator (MS03-001) and Workstation service (MS03-049)
139 - Unpassworded NetBIOS shares

I'm not sure about the other ports, I *think* 1025 has something to do with MS RPC as well, but don't quote me on that.

What you are probably seeing, at least in the cases involving the ports I listed above, is one of the many W32.Gaobot (Symantec)[1] variants.

-J

[1] http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.um.htm

On 04/4/10 at 1:53 PM -0400, Jeff Workman wrote the following :

> Symantec Security Center

File Not Found... 'l' missing from end of 'htm'.

On Sat, Apr 10, 2004 at 11:19:19AM -0700, Darrell Greenwood said at one point in time:

> On 04/4/10 at 1:53 PM -0400, Jeff Workman wrote the following :
>
> > Symantec Security Center
>
> File Not Found... 'l' missing from end of 'htm'.

Symantec Security Center

this is correct. my organization has been infected with this
and it is a particularly nasty little bugger. we may have been
'patient 0' in terms of sending copies of the virus to symantec
so they could write signatures for it. infected hosts flood
the network with a tremendous amount of data and port opening.

i at least managed to quarantine off all my vpn devices which
seemed to be the entry point.

-r

Agobot scanning...

Take a look at these links:

http://isc.sans.org/diary.php?date=2004-04-05
http://isc.sans.org/diary.php?date=2004-04-01
http://isc.sans.org/diary.php?date=2004-04-09

Also, take a read through the "New Worm???" thread at:
http://www.dshield.org/pipermail/intrusions/2004-April/thread.php

-Jack

Thank you for the input. The 'unique' feature of this infestation is that
affected hosts don't transmit a lot of data...however they do open up
thousands of flows in a very short time. Perhaps that's not unique but it
certainly is annoying.

Regards,
Christopher J. Wolff, VP CIO
Broadband Laboratories, Inc.
http://www.bblabs.com
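An added detection example, not written by any of the posters, that checks flow records for the port order reported at the top of the thread (80, 139, 445, 6129, 3127, 1025, 135, 2745) and for the "thousands of flows in a very short time" symptom described above. The "ts src dst dport" log format, the hosts and the thresholds are constructed for illustration.

```python
from collections import defaultdict

# Port order reported at the top of the thread (Gaobot/Agobot-style sweep).
SWEEP_PORTS = [80, 139, 445, 6129, 3127, 1025, 135, 2745]

# Constructed sample flow log, not from the thread: "seconds src dst dport".
SAMPLE_FLOWS = """\
0 10.0.0.5 10.0.1.1 80
1 10.0.0.5 10.0.1.1 139
2 10.0.0.5 10.0.1.1 445
3 10.0.0.5 10.0.1.1 6129
4 10.0.0.5 10.0.1.1 3127
5 10.0.0.5 10.0.1.1 1025
6 10.0.0.5 10.0.1.1 135
7 10.0.0.5 10.0.1.1 2745
8 10.0.0.5 10.0.1.2 80
0 10.0.0.9 10.0.1.1 80
5 10.0.0.9 10.0.1.1 443
"""

def parse_flows(text):
    """Parse 'ts src dst dport' lines into (ts, src, dst, dport) tuples."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    return [(float(t), s, d, int(p)) for t, s, d, p in rows]

def sweep_sources(flows, min_matched=6):
    """Sources whose port order toward some destination follows SWEEP_PORTS.
    Matching is by subsequence, so one missed packet does not hide the sweep."""
    per_pair = defaultdict(list)
    for _ts, src, dst, dport in sorted(flows):  # chronological per pair
        per_pair[(src, dst)].append(dport)
    hits = set()
    for (src, _dst), ports in per_pair.items():
        i = 0
        for p in ports:
            if i < len(SWEEP_PORTS) and p == SWEEP_PORTS[i]:
                i += 1
        if i >= min_matched:
            hits.add(src)
    return hits

def burst_sources(flows, window=10.0, threshold=1000):
    """Sources opening more than `threshold` flows in one `window`-second
    bucket (the 'thousands of flows in a very short time' symptom)."""
    counts = defaultdict(int)
    for ts, src, _dst, _dport in flows:
        counts[(src, int(ts // window))] += 1
    return {src for (src, _b), n in counts.items() if n > threshold}
```

Run both checks over exported flow or firewall logs; a source that shows up in either set is worth isolating and looking at with the signatures from the Symantec and ISC links in this thread.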

hmm, honestly i can't vouch for the data rate personally.
a co-worker said the counters on the VPN connections were
grossly disproportionate for a short time sample.

bottom line, it is indeed annoying. i know my server
and desktop groups have been having a hell of a time
disinfecting hosts. i know part of this was that
symantec, at the time, said it may be a polymorphic
strain.

-r

On Sat, Apr 10, 2004 at 11:37:15AM -0700, Christopher J. Wolff said at one point in time:

Ravi,

One of the responses to this thread mentioned a 3COM switch. One of the
infected sites has a 3COM superstack 1100. I'm not a 3COM fan but these
switches have been up for years, literally. All it takes to make this
switch reboot is a flow from one infected host. I'm going to try to move
the web interface port away from 80. Thank you.

Regards,
Christopher J. Wolff, VP CIO
Broadband Laboratories, Inc.
http://www.bblabs.com