Firewall Wizards mailing list archives

Re: Strange open ports on windows machines


From: "Michael H. Warfield" <mhw () wittsend com>
Date: Fri, 22 Oct 1999 22:53:33 -0400

On Thu, Oct 21, 1999 at 08:33:43PM +0100, Christoph Schneeberger wrote:
Hi,

I'm sorry if this is completely stupid but I can't explain what's going on.

        This is a joke right?  You can't seriously be suggesting that they
are betting the corporate nuckies on what you found.  What was that IP
address...  (chuckle)

While scanning a customer's public corporate website (on request) with nmap
(2.3BETA6 and 2.02) I found the following open ports:
Port    State       Protocol  Service
21      open        tcp       ftp                     

        Ok...  They got an ftp server...  Wonder if it's configured properly
(on NT, it's almost impossible to "get it right" if anonymous login is
allowed).  Bet it's not considering what else is lurking...

25      open        tcp       smtp                    

        Hmmm...  Probably exchange or similar ilk...

80      open        tcp       http                    

        And a web server...  Probably IIS.  Time to run a web scanner, holes
galore!

135     open        tcp       loc-srv                 

        Normal NT.  Access should never be allowed to the greater net.
If I can connect to 135, I can own the family jewels in a blink.

139     open        tcp       netbios-ssn             

        Normal Windows.  Also should never permit access from the greater net.
There goes your data.  Want to bet they've got the C$ and D$ administrative
shares open to being raped?

443     open        tcp       https                   

        Secure server (Oooo....  I'm impressed...  Snicker.)

465     open        tcp       smtps                   

        Oooo...  Secure smtp...  Now there is an oxymoron.

1027    open        tcp       unknown                 

        No clue...

1030    open        tcp       iad1                    

        BBN IAD?  I don't believe it...  Something not right there.

        The above two COULD be some sort of RPC services...  I'll have to
check with some other experts on them.

12345   filtered    tcp       NetBus   

        Hahahahahahaha...  I wonder who owns the pretty boy!  Hacked box.
All bets are off now.

and udp:
Port    State       Protocol  Service
135     open        udp       loc-srv                 

        Normal NT.  Bad juju if I can get to it.

137     open        udp       netbios-ns              

        Normal Windows.  Also should never permit access from the greater net.
Now I can dump your name tables and find your services...  :-)

138     open        udp       netbios-dgm             

        Normal Windows.  WINS and stuff...  Should never be permitted to the
greater net.

31337   open        udp       BackOrifice  

        Chump, chump, chump, chump...

Nothing special yet, netbus and bo happen to be on many pc's ;-)
The server is nt4 sp4 german with IIS 4 installed.

        Bo happens to be on many pc's!  That's screwed, blued, and tattooed.
They are hacked, had, and standing out in an open field nude in a hailstorm!

I then went with the customer through the following procedures:

-Connected with telnet to port 12345 of that machine and expected a banner
      No luck (probably it has IP restrictions, a feature of netbus)

        BO didn't immediately ring the big red bell???????  That system
is major hacked!

-Checking Registry and Disk for known malicious executables

        BO IS A MALICIOUS EXECUTABLE!  Where have you BEEN!

      No luck
-Checking services and running process for unknown things
      Nothing strange or special (screenshot available)
-Installing Norman Data Defense AntiVirus with latest definitions
      Nothing found
-Removing Norman and installing the latest Norton Antivirus for NT with
latest definitions
      Nothing found
-Running netstat -an on the server in question
      The two ports 12345 tcp and 31337 udp were not shown, all other listening
services were shown as expected.
-installing Back Orifice Friendly from http://www.nfr.net/bof/ on the
server (I hoped it would complain not being able to listen to 31337 udp)
      Started and did not complain

        Get rid of BO first!

-I then connected to the server with 'netcat -u 31337' and typed some
random chars which should normally trigger bof to pop-up and notify the user
      Nothing happened; all other ports, e.g. pop3, triggered bof immediately

        And that didn't alarm you?!?!?!?!  Didn't that clue you in that
bof wasn't triggering on data to 21337?  In other words it wasn't listening
on 31337!

So, am I missing a chapter or does this look like something really strange?
What next steps would one take now?

        BO installed...  They're toast.

I really appreciate any help or hint.

        Two questionable.  Two seriously compromised sex lives.  The ports
1027 and 1030 are curious.  May be nothing serious, may be everything
serious.  The two BO ports are dead serious.  With BO on the system, nothing
can be trusted.  The machine is compromised.

        Even without BO there, with ports 135-139 tcp and udp open to
access you have all the security of a tissue in a hurricane.

Cheers,
Christoph Schneeberger
SCS Telemedia

        Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw () WittsEnd com
  (The Mad Wizard)      |  (770) 331-2437   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
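As an added example (not part of this thread, and not code from NFR or anyone on the list), a small Python triage script that does the cross-check Mike is driving at: it parses an nmap 2.x port table like the one quoted above together with the host's own netstat -an output, and flags trojan default ports, NetBIOS/RPC ports reachable from the Internet, and anything the scanner sees open that the host does not report. The scan and netstat lines embedded below are constructed samples in those tools' formats, trimmed from the list in the thread.

```python
import re

# Added example (not from the thread): cross-check the external nmap port table against the
# host's own "netstat -an" listing and flag the conditions Mike calls out above.
NEVER_EXPOSE = {("tcp", 135), ("tcp", 139), ("udp", 135), ("udp", 137), ("udp", 138)}
TROJAN_PORTS = {("tcp", 12345): "NetBus", ("udp", 31337): "Back Orifice"}

NMAP_RE = re.compile(r"^(\d+)\s+(open|filtered)\s+(tcp|udp)\s+(\S+)")
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+(?:\s+(\S+))?")

# Constructed samples in the formats nmap 2.x and NT 4 netstat print (subset of the scan above)
NMAP_SAMPLE = """Port    State       Protocol  Service
80      open        tcp       http
139     open        tcp       netbios-ssn
12345   filtered    tcp       NetBus
137     open        udp       netbios-ns
31337   open        udp       BackOrifice
"""
NETSTAT_SAMPLE = """  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
"""

def parse_nmap(text):
    """Map (proto, port) -> (state, service) from nmap's old-style port table."""
    rows = (NMAP_RE.match(line.strip()) for line in text.splitlines())
    return {(m[3], int(m[1])): (m[2], m[4]) for m in rows if m}

def parse_netstat(text):
    """Set of (proto, port) the host reports as listening; UDP rows carry no state column."""
    listening = set()
    for m in filter(None, map(NETSTAT_RE.match, text.splitlines())):
        if m[1] == "UDP" or m[3] == "LISTENING":
            listening.add((m[1].lower(), int(m[2])))
    return listening

def triage(nmap_text, netstat_text):
    """Return (port, proto, severity, reason) findings; trust the scan over the host."""
    scan, local = parse_nmap(nmap_text), parse_netstat(netstat_text)
    findings = []
    for key, (state, svc) in sorted(scan.items()):
        proto, port = key
        if key in TROJAN_PORTS:
            findings.append((port, proto, "CRITICAL", f"{TROJAN_PORTS[key]} default port ({state})"))
        elif key in NEVER_EXPOSE:
            findings.append((port, proto, "HIGH", f"{svc} must not be reachable from the Internet"))
        if state == "open" and key not in local:
            findings.append((port, proto, "CRITICAL", "open to the scanner but absent from netstat -an"))
    return findings
```

A port the scanner sees open that the host's own tools do not list is the decisive finding here: once that happens, nothing the host reports about itself (netstat, process lists, AV results) can be taken at face value, which is why the thread's answer is to rebuild rather than keep hunting.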
