Security Incidents mailing list archives

Cable modem hosts being exploited to spam. TCP ports 224, 253


From: ahigbee () VA RR COM (Aaron Higbee)
Date: Fri, 7 Jan 2000 17:09:39 -0500


Hello all-

The question is: Does anyone know anything about ports 224 and 253 (TCP)
and how they could be used for spamming? I have telneted to the ports and
tried to get some feedback. Nothing. Any ideas?

--Aaron

History:

tower.earthlink.net spammer (being referred to as the tower.earthlink.net
spammer because that is the one common forgery in all the spams) is somehow
connecting to cable modem hosts to send spam to AOL members. Here is a list
of IPs that have been reported to us as having been victimized by this
spammer.

The only theory I have is that because these hosts have wide-open file/print
sharing, they are given a program that opens up the ports. In working with
infected members (people with wide-open file sharing tend to be hard to work
with when troubleshooting this), we have not been able to find any odd
programs running. (Nor have we had success closing ports 224, 253.) The
format is Date, RR-Region, IP address, wide-open file/print sharing (Y/N) -
open ports.

Date      RR-Region        IP address      Sharing - Open ports
11/18/99  TW - Midsouth    24.95.102.x     Y - 139, 224, 253, 7323
11/20/99  TW - Midsouth    24.92.76.x      Y - 139, 224, 253, 7323
11/21/99  TW - Midsouth    24.92.76.x      Y - 139, 224, 253, 7323
12/6/99   TW - Midsouth    24.95.102.x     Y - 224, 253, 1503, 1720, 2292, 7323
12/9/99   TW - Tampa Bay   24.92.20.x      Y - 21, 80, 139, 224, 253
12/9/99   TW - Tampa Bay   24.92.30.x      Y - 139, 224, 253, 1080, 7000, 8000
12/9/99   TW - Tampa Bay   24.92.180.x     Y - 139, 224, 253
12/9/99   TW - Midsouth    24.95.103.x     Y - 139, 224, 253
12/9/99   TW - Midsouth    24.92.75.x      Y - 139, 224, 253
12/9/99   TW - Central NY  24.24.4.x       Y - 25, 139, 224, 253
12/12/99  TW - Tampa Bay   24.92.31.x      Y - 80, 139, 224, 253, 5631
12/12/99  TW - Tampa Bay   24.92.20.x      Y - 21, 80, 139, 224, 253
12/13/99  TW - Tampa Bay   24.92.31.x      Y - 80, 139, 224, 253, 5631
12/15/99  TW - Tampa Bay   24.92.180.x     Y - 139, 224, 253
12/16/99  TW - Tampa Bay   24.92.31.x      Y - 80, 139, 224, 253, 5631
12/16/99  TW - Tampa Bay   24.92.30.x      Y - 139, 253, 1080
12/19/99  TW - Tampa Bay   24.92.30.x      Y - 139, 224, 253, 1080
12/21/99  TW - Midsouth    24.95.103.x     Y - 139, 224, 253
12/30/99  TW - Midsouth    24.92.75.x      Y - 139, 224, 253

1/7/00    TW - Tampa Bay   *24.92.20.162*  Y - 80, 139, 224, 253
**not munged for any testing a reader of this list may want to do.

This is not just happening to Road Runner either:
I grabbed the IP (209.51.163.221) out of this deja post about the same spammer:
http://x32.deja.com/getdoc.xp?AN=565959998.1&CONTEXT=947280562.325582883&hitnum=2

Sure enough:
/root]# nmap -sT -p220-260 209.51.163.221
Interesting ports on digital.trancenet.com (209.51.163.221):
Port    State       Protocol  Service
224     open        tcp       unknown
253     open        tcp       unknown

The below is a netstat -a from one of the "compromised" boxes during a live
spamming. Infected members have been sent current virus scanners and
MooSoft's Trojan cleaner. Nothing was found. You'll notice a TCP connection
on 224 from a nwlink.com DSL IP. (We do not want any action taken on this
IP until we can find out exactly what he is doing, so that we may
potentially pursue criminal prosecution of this spammer if he is indeed
breaking into systems.)

TCP socorro:1944 rly-za03.mx.aol.com:smtp ESTABLISHED
TCP socorro:1945 rly-za03.mx.aol.com:smtp ESTABLISHED
TCP socorro:1946 rly-za03.mx.aol.com:smtp ESTABLISHED
TCP socorro:1947 rly-za03.mx.aol.com:smtp ESTABLISHED
TCP socorro:1948 rly-za03.mx.aol.com:smtp ESTABLISHED
TCP socorro:1949 rly-za03.mx.aol.com:smtp ESTABLISHED
TCP socorro:1950 rly-za03.mx.aol.com:smtp ESTABLISHED
TCP socorro:1951 rly-za03.mx.aol.com:smtp ESTABLISHED
TCP socorro:1952 rly-za03.mx.aol.com:smtp ESTABLISHED
TCP socorro:1953 rly-za03.mx.aol.com:smtp ESTABLISHED
TCP socorro:224 xxx.xxxx.xxx.bel.nwlink.com:1569 ESTABLISHED

Working with another infected member showed the same nwlink.com IP address
in a netstat. A router filter was put up to log connections from that IP.
Here is a snip of the captured logs showing the nwlink IP connecting to
port 224: (2 pings as well)

75xx.log:Dec 23 12:27:56 [24.92.1.251.10.133] 172: Dec 23 17:27:55 UTC:
%SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1875) ->
24.92.180.101(224), 1 packet
75xx.log:Dec 23 12:27:58 [24.92.1.251.10.133] 173: Dec 23 17:27:57 UTC:
%SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1876) ->
24.92.30.182(224), 1 packet
75xx.log:Dec 23 12:33:25 [24.92.1.251.10.133] 174: Dec 23 17:33:23 UTC:
%SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1876) ->
24.92.30.182(224), 2 packets
75xx.log:Dec 23 12:54:28 [24.92.1.251.10.133] 175: Dec 23 17:54:27 UTC:
%SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(2902) ->
24.129.14.3(80), 1 packet
75xx.log:Dec 23 12:54:37 [24.92.1.251.10.133] 176: Dec 23 17:54:36 UTC:
%SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(2925) ->
24.129.14.3(80), 1 packet
75xx.log:Dec 26 18:37:30 [24.92.1.251.10.133] 177: Dec 26 23:37:29 UTC:
%SEC-6-IPACCESSLOGDP: list 103 permitted icmp 209.20.176.xxx ->
24.92.30.182 (0/0), 1 packet
75xx.log:Dec 26 18:43:05 [24.92.1.251.10.133] 178: Dec 26 23:43:04 UTC:
%SEC-6-IPACCESSLOGDP: list 103 permitted icmp 209.20.176.xxx ->
24.92.30.182 (0/0), 3 packets
75xx.log:Dec 27 05:41:44 [24.92.1.251.10.133] 179: Dec 27 10:41:43 UTC:
%SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1416) ->
24.92.10.134(224), 1 packet
75xx.log:Dec 27 05:41:46 [24.92.1.251.10.133] 180: Dec 27 10:41:45 UTC:
%SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1418) ->
24.92.180.107(224), 1 packet
75xx.log:Dec 27 05:45:38 [24.92.1.251.10.133] 181: Dec 27 10:45:37 UTC:
%SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1439) ->
24.92.10.134(224), 1 packet
75xx.log:Dec 27 05:45:40 [24.92.1.251.10.133] 182: Dec 27 10:45:39 UTC:
%SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1440) ->
24.92.10.28(224), 1 packet
75xx.log:Dec 27 05:45:42 [24.92.1.251.10.133] 183: Dec 27 10:45:41 UTC:
%SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1442) ->
24.92.20.162(224), 1 packet
75xx.log:Dec 27 05:47:25 [24.92.1.251.10.133] 184: Dec 27 10:47:24 UTC:
%SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1416) ->
24.92.10.134(224), 3 packets
75xx.log:Dec 27 05:48:04 [24.92.1.251.10.133] 185: Dec 27 10:48:03 UTC:
%SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1455) ->
24.92.180.107(224), 1 packet
75xx.log:Dec 27 05:49:43 [24.92.1.251.10.133] 186: Dec 27 10:49:42 UTC:
%SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1460) ->
24.92.180.107(224), 1 packet
75xx.log:Dec 27 05:49:44 [24.92.1.251.10.133] 187: Dec 27 10:49:43 UTC:
%SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1461) ->
24.92.20.162(224), 1 packet
75xx.log:Dec 27 05:50:44 [24.92.1.251.10.133] 188: Dec 27 10:50:42 UTC:
%SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1474) ->
24.92.180.107(224), 1 packet
75xx.log:Dec 27 05:50:45 [24.92.1.251.10.133] 189: Dec 27 10:50:44 UTC:
%SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1475) ->
24.92.20.162(224), 1 packet
75xx.log:Dec 27 05:51:25 [24.92.1.251.10.133] 190: Dec 27 10:51:24 UTC:
%SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1439) ->
24.92.10.134(224), 3 packets
75xx.log:Dec 27 06:02:01 [24.92.1.251.10.133] 191: Dec 27 11:02:00 UTC:
%SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1489) ->
24.92.180.107(224), 1 packet
75xx.log:Dec 27 06:03:34 [24.92.1.251.10.133] 192: Dec 27 11:03:33 UTC:
%SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1503) ->
24.92.180.107(224), 1 packet
75xx.log:Dec 27 06:05:01 [24.92.1.251.10.133] 193: Dec 27 11:05:00 UTC:
%SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1517) ->
24.92.180.107(224), 1 packet
75xx.log:Dec 27 06:05:02 [24.92.1.251.10.133] 194: Dec 27 11:05:01 UTC:
%SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1518) ->
24.92.20.162(224), 1 packet
75xx.log:Dec 27 06:06:04 [24.92.1.251.10.133] 195: Dec 27 11:06:03 UTC:
%SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1530) ->
24.92.180.107(224), 1 packet
75xx.log:Dec 27 06:06:06 [24.92.1.251.10.133] 196: Dec 27 11:06:05 UTC:
%SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1531) ->
24.92.20.162(224), 1 packet
75xx.log:Dec 27 06:07:11 [24.92.1.251.10.133] 197: Dec 27 11:07:10 UTC:
%SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1543) ->
24.92.180.107(224), 1 packet
75xx.log:Dec 27 06:07:12 [24.92.1.251.10.133] 198: Dec 27 11:07:11 UTC:
%SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1544) ->
24.92.20.162(224), 1 packet
75xx.log:Dec 27 06:08:47 [24.92.1.251.10.133] 199: Dec 27 11:08:46 UTC:
%SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1556) ->
24.92.180.107(224), 1 packet
75xx.log:Dec 27 06:10:51 [24.92.1.251.10.133] 200: Dec 27 11:10:49 UTC:
%SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1569) ->
24.92.180.107(224), 1 packet
75xx.log:Dec 27 06:10:51 [24.92.1.251.10.133] 201: Dec 27 11:10:51 UTC:
%SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1570) ->
24.92.20.162(224), 1 packet
75xx.log:Dec 27 07:16:23 [24.92.1.251.10.133] 202: Dec 27 12:16:22 UTC:
%SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1590) ->
24.92.180.107(224), 1 packet
75xx.log:Dec 27 07:16:25 [24.92.1.251.10.133] 203: Dec 27 12:16:24 UTC:
%SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1591) ->
24.92.20.162(224), 1 packet
75xx.log:Dec 27 08:07:51 [24.92.1.251.10.133] 204: Dec 27 13:07:49 UTC:
%SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(2162) ->
24.92.180.107(224), 1 packet

---------------------Begin Sample Spam----------------------
Return-Path: <bestautoguys15733 () earthlink net>
Received: from  rly-za02.mx.aol.com (rly-za02.mail.aol.com [172.31.36.98])
by air-za03.mail.aol.com (v67.7) with ESMTP; Fri, 07 Jan 2000 10:08:25 -0500
Received: from  tower.earthlink.net (dt081na2.tampabay.rr.com
[24.92.20.162]) by rly-za02.mx.aol.com (v67.7) with ESMTP; Fri, 07 Jan 2000
10:08:11 -0500
Received: from account.58-126-182-153.takondou.jp [58.126.182.153] by
tower.earthlink.net
  (SMTPD32-5.01 EVAL) id A5C4843D1; Fri, 7 Jan 2000 09:29:19 PDT
Message-Id: <4.1.20000107846859.880415 () serv011 takondou jp>
X-Sender:  (Unverified)
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Date: Fri, 7 Jan 2000 09:46:36
From: <bestautoguys15733 () earthlink net>
Subject: Get that New Car at Dealer Invoice.
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

#####     Offending message including original headers:
Subj:   Get that New Car at Dealer Invoice.
Date:   1/7/2000 10:08:26 AM Eastern Standard Time
From:   bestautoguys15733 () earthlink net

Do you want a new car or truck,
but...

* don't think you can afford one?
* your credit is too bad?
* are tired of being taken advantage of by the dealer?
* want it at almost factory invoice price?
* want the deal to be the best it can be?

Or maybe you just want to find out how
low you can possibly get the payments
on that new car or truck...
Then Click Here
http://204.4.8.51/users/bestauto/

---------------------End Sample Spam----------------------


--
Aaron Higbee
Security Administrator - Road Runner Security
-----------------------------------------
PGP Id: 0x0034DD13
PGP Fingerprint :73F7 B51F 97CC 1A18 40AF 6E91 6573 D9F4 0034 DD13
--
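Added example, not part of Aaron's post and not Road Runner's tooling: a small Python parser for the Cisco `%SEC-6-IPACCESSLOGP` / `%SEC-6-IPACCESSLOGDP` router log lines quoted above. It re-joins entries that a mail client has wrapped over several lines (as happened in the post), extracts source, destination, port and packet count from each entry, and summarizes, per source address, which hosts were reached on the watched ports (224 and 253, from the post) versus ordinary traffic such as port 80 and ICMP. The sample log is constructed from five of the post's own entries with the source address masked as the post masks it; the regexes assume the standard IOS ACL logging message layout shown in those lines.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the router log snippet quoted in the post:
# a grep prefix (75xx.log:), the local syslog time, the logging router, a
# sequence number, the UTC time, then the %SEC-6-IPACCESSLOGP/-LOGDP message.
# The post's mail client wrapped each entry over three lines; that wrapping is
# reproduced here so the unwrapping step below is exercised. The source
# address is masked ("xxx") exactly as the post masks it.
SAMPLE_LOG = """\
75xx.log:Dec 23 12:27:56 [24.92.1.251.10.133] 172: Dec 23 17:27:55 UTC:
%SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1875) ->
24.92.180.101(224), 1 packet
75xx.log:Dec 23 12:54:28 [24.92.1.251.10.133] 175: Dec 23 17:54:27 UTC:
%SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(2902) ->
24.129.14.3(80), 1 packet
75xx.log:Dec 26 18:37:30 [24.92.1.251.10.133] 177: Dec 26 23:37:29 UTC:
%SEC-6-IPACCESSLOGDP: list 103 permitted icmp 209.20.176.xxx ->
24.92.30.182 (0/0), 1 packet
75xx.log:Dec 27 05:45:42 [24.92.1.251.10.133] 183: Dec 27 10:45:41 UTC:
%SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1442) ->
24.92.20.162(224), 1 packet
75xx.log:Dec 27 05:47:25 [24.92.1.251.10.133] 184: Dec 27 10:47:24 UTC:
%SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1416) ->
24.92.10.134(224), 3 packets
"""

# A record starts at a line carrying a syslog timestamp, optionally preceded by
# a "file.log:" grep prefix; any other non-blank line is a wrapped continuation.
RECORD_START = re.compile(r"^(?:\S+\.log:)?[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d")

# Layout of the IOS ACL log message as it appears in the post: TCP/UDP entries
# carry "(port)" after each address, ICMP entries carry "(type/code)" after the
# destination instead. Assumed from those lines, not from vendor documentation.
ACL_MSG = re.compile(
    r"(?P<utc>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) UTC: "
    r"%SEC-6-IPACCESSLOG(?:P|DP): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\w.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\w.]+)(?:\((?P<dport>\d+)\))?(?: \((?P<icmp>\d+/\d+)\))?, "
    r"(?P<count>\d+) packets?"
)


def unwrap_records(text):
    """Join mail-wrapped continuation lines back onto their record."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line):
            records.append(line.rstrip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records


def parse_acl_record(record):
    """Return the fields of one ACL log record, or None if it is not one."""
    m = ACL_MSG.search(record)
    if not m:
        return None
    fields = m.groupdict()
    fields["count"] = int(fields["count"])
    fields["sport"] = int(fields["sport"]) if fields["sport"] else None
    fields["dport"] = int(fields["dport"]) if fields["dport"] else None
    return fields


def summarize(text, watch_ports=(224, 253)):
    """Per source address: hosts it reached on the watched ports, packet
    counts per destination port, and ICMP packet count."""
    summary = defaultdict(lambda: {"watch_targets": set(),
                                   "packets_by_port": defaultdict(int),
                                   "icmp_packets": 0})
    for record in unwrap_records(text):
        f = parse_acl_record(record)
        if f is None or f["action"] != "permitted":
            continue
        entry = summary[f["src"]]
        if f["proto"] == "icmp":
            entry["icmp_packets"] += f["count"]
        elif f["dport"] is not None:
            entry["packets_by_port"][f["dport"]] += f["count"]
            if f["dport"] in watch_ports:
                entry["watch_targets"].add(f["dst"])
    return summary


if __name__ == "__main__":
    for src, entry in summarize(SAMPLE_LOG).items():
        print(src, "-> watched-port targets:", sorted(entry["watch_targets"]),
              "| packets by dport:", dict(entry["packets_by_port"]),
              "| icmp packets:", entry["icmp_packets"])
```

Run against a real export of the ACL log (after the same kind of filter the post describes), the `watch_targets` set gives the list of customer hosts the source has touched on 224/253, which is the list of machines to pull netstat output from and to compare against the spam-origin table above.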


