Security Basics mailing list archives

RE: Anonymous LogOff and UDP Out Connections


From: Joey Peloquin <jpelo1 () jcpenney com>
Date: Tue, 09 Sep 2003 10:43:52 -0500

Mark - 

Perhaps you noticed that 61.111.x.x is Korean address space?  Have you
used a web server in that space recently?

Logon Type: 3 entries are network logon events.  The logon events and
connections to UDP 53 are related, as explained in this list archive:
http://www.netsys.com/firewalls/firewalls-2000-03/msg00126.html

Cheers,

Joey Peloquin  


-----Original Message-----
From: Mark Sargent [mailto:powderkeg () snow email ne jp] 
Sent: Tuesday, September 09, 2003 12:14 AM
To: Security-Basics@Securityfocus. Com
Subject: Anonymous LogOff and UDP Out Connections


Hi All,

When activating the LAN, I notice numerous UDP packet attempts to a
number of different IPs,

61.111.253.229
61.111.93.64
61.111.31.214

on the Host machine. All attempts are from the localhost on port 137 to
owner;system on 137. What are these attempts? Also, I'm seeing numerous
LogOff alerts in Security Event Viewer.

User Logoff:
        User Name:      ANONYMOUS LOGON
        Domain:         NT AUTHORITY
        Logon ID:               (0x0,0xBC852)
        Logon Type:     3

User Logoff:
        User Name:      ANONYMOUS LOGON
        Domain:         NT AUTHORITY
        Logon ID:               (0x0,0xB9BB8)
        Logon Type:     3

User Logoff:
        User Name:      ANONYMOUS LOGON
        Domain:         NT AUTHORITY
        Logon ID:               (0x0,0xB1C26)
        Logon Type:     3

16 in the past 2-3hrs.

I'm also getting a lot of attempts from the Client, 192.168.0.2, to
connect to port localhost on port 53, UDP (there is no owner). What is
all of this..? I'm stealthed according to the security checks here on
this site and grc.com. Any help appreciated. Cheers.

OS = Win2kPro (both Host (192.168.0.1) and Client (192.168.0.2))
Firewall = Kerio
Connection = ISDN



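As an added example (not part of the original messages), a short Python parser for event text in the layout quoted above; it tallies entries by Logon Type and lists the ANONYMOUS LOGON sessions with Logon Type 3, the network logon type named in the reply. The function names and the non-anonymous sample entry are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: two entries in the form quoted in the thread, plus one
# made-up interactive entry (user "alice") so the filter has something to reject.
SAMPLE = """\
User Logoff:
        User Name:      ANONYMOUS LOGON
        Domain:         NT AUTHORITY
        Logon ID:               (0x0,0xBC852)
        Logon Type:     3

User Logoff:
        User Name:      alice
        Domain:         WORKGROUP
        Logon ID:               (0x0,0xA0011)
        Logon Type:     2

User Logoff:
        User Name:      ANONYMOUS LOGON
        Domain:         NT AUTHORITY
        Logon ID:               (0x0,0xB9BB8)
        Logon Type:     3
"""

FIELD = re.compile(r"^\s+([A-Za-z ]+?):\s+(.*\S)\s*$")

def parse_events(text):
    """Split event text into dicts, one per unindented 'Header:' line."""
    events, current = [], None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = {"Event": line.rstrip()[:-1]}
            events.append(current)
        elif current is not None and (m := FIELD.match(line)):
            current[m.group(1)] = m.group(2)
    return events

def anonymous_network_sessions(events):
    """Logon IDs of ANONYMOUS LOGON entries whose Logon Type is 3 (network)."""
    return [e.get("Logon ID") for e in events
            if e.get("User Name", "").upper() == "ANONYMOUS LOGON"
            and e.get("Domain", "").upper() == "NT AUTHORITY"
            and e.get("Logon Type") == "3"]

def summarize(text):
    events = parse_events(text)
    by_type = Counter(e.get("Logon Type", "?") for e in events)
    return {"total": len(events), "by_logon_type": dict(by_type),
            "anonymous_network": anonymous_network_sessions(events)}
```

Calling `summarize()` on text copied from the Security log gives the per-type counts and the anonymous network Logon IDs, which can then be lined up against firewall log timestamps for the UDP 137 and UDP 53 traffic.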