Security Incidents mailing list archives

Re: Internal Machine making many attempts to connect to Internet on 137


From: "Sam Evans" <sam () neuroflux com>
Date: Tue, 11 Dec 2001 17:59:18 -0700

I have seen something similar, where the machine was clean but a lot of NetBIOS
traffic was originating from the server.

It turned out that Webtrends would do log statistics on the web server and,
when it could not resolve an IP address using DNS, it would try to connect
to that IP via NetBIOS to get its machine name.  It could also be some sort
of built-in NT/IIS feature: if you have name resolution turned on in the
IIS logging (is there a feature to turn it on/off, a la Apache?) it may
also do the above-mentioned actions.

Something to think about, as I noticed you are running some sort of
statistics service on that machine.

-Sam

----- Original Message -----
From: "Seamus Hartmann" <shartmann () fujifilmesys com>
To: <incidents () securityfocus com>
Sent: Tuesday, December 11, 2001 12:48 PM
Subject: Internal Machine making many attempts to connect to Internet on 137


Hello,

This is my first post here, so bear with me.

I'm looking for information about an exploit that starts searching for
NetBIOS shares across random IP addresses. I have had the following Code
Red/Code Red II/Nimda Policy-Map on my external router since August 17th,
and this machine was installed post August 17th.

http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml

This is an internal Windows NT 4.0 machine, patched SP6a, and HFNETCHK
states the following:

----------------------------
SERVER01
----------------------------


        * WINDOWS NT4SERVER SP6a

        NOTE            MS98-001        Q169556
        NOTE            MS99-036        Q155197
        NOTE            MS99-041        Q242294
        NOTE            MS01-022        Q296441
        Patch NOT Found MS01-041        Q299444
        Patch NOT Found MS01-048        Q305399

        * Internet Information Server 4.0

        NOTE            MS99-025        Q184375
        NOTE            MS00-025        Q259799
        NOTE            MS00-028        Q260267
        Patch NOT Found MS01-044        Q301625

        * Internet Explorer 5.5 Gold

        Patch NOT Found MS00-093        Q279328
        Patch NOT Found MS00-055        Q269368

Norton Corporate Antivirus 7.1 running with 12/6/01 virus data. Full
system virus scan comes up clean.

Fport reports the following strangeness... look at all that stuff System
is listening on!

FPort v1.33 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port  Proto Path
2     System         ->  80    TCP
168   MHSS           ->  80    TCP   D:\STATISTICSSERVER\MHSS.EXE
95    RpcSs          ->  135   TCP   C:\WINNT\system32\RpcSs.exe
2     System         ->  135   TCP
2     System         ->  139   TCP
95    RpcSs          ->  1025  TCP   C:\WINNT\system32\RpcSs.exe
2     System         ->  1025  TCP
102   msdtc          ->  1026  TCP   C:\WINNT\System32\msdtc.exe
2     System         ->  1026  TCP
2     System         ->  1027  TCP
102   msdtc          ->  1027  TCP   C:\WINNT\System32\msdtc.exe
2     System         ->  1033  TCP
197   MSTask         ->  1033  TCP   C:\WINNT\system32\MSTask.exe
197   MSTask         ->  1034  TCP   C:\WINNT\system32\MSTask.exe
2     System         ->  1034  TCP
95    RpcSs          ->  1038  TCP   C:\WINNT\system32\RpcSs.exe
2     System         ->  1038  TCP
2     System         ->  1083  TCP
2     System         ->  1416  TCP
2     System         ->  1709  TCP
2     System         ->  1713  TCP
2     System         ->  1724  TCP
2     System         ->  1725  TCP
2     System         ->  1744  TCP
2     System         ->  1745  TCP
2     System         ->  1747  TCP
2     System         ->  1749  TCP
2     System         ->  1766  TCP
2     System         ->  1786  TCP
2     System         ->  1801  TCP
2     System         ->  1812  TCP
2     System         ->  1915  TCP
2     System         ->  1962  TCP
2     System         ->  2067  TCP
298   java           ->  2067  TCP   C:\SITESC~1\java\bin\java.exe
2     System         ->  2212  TCP
2     System         ->  2233  TCP
2     System         ->  2301  TCP
216   Surveyor       ->  2301  TCP   C:\compaq\survey\Surveyor.EXE
2     System         ->  2351  TCP
2     System         ->  2570  TCP
2     System         ->  2604  TCP
2     System         ->  2617  TCP
2     System         ->  2654  TCP
2     System         ->  3072  TCP
2     System         ->  3140  TCP
2     System         ->  3145  TCP
2     System         ->  3146  TCP
2     System         ->  3149  TCP
2     System         ->  3152  TCP
2     System         ->  3153  TCP
2     System         ->  3154  TCP
2     System         ->  3155  TCP
2     System         ->  3159  TCP
2     System         ->  3167  TCP
2     System         ->  3200  TCP
2     System         ->  3204  TCP
2     System         ->  3229  TCP
2     System         ->  3232  TCP
2     System         ->  3235  TCP
2     System         ->  3240  TCP
2     System         ->  3244  TCP
2     System         ->  3249  TCP
2     System         ->  3260  TCP
2     System         ->  3271  TCP
2     System         ->  3276  TCP
2     System         ->  3277  TCP
2     System         ->  3301  TCP
2     System         ->  3306  TCP
2     System         ->  3313  TCP
2     System         ->  3320  TCP
2     System         ->  3322  TCP
2     System         ->  3325  TCP
2     System         ->  3328  TCP
2     System         ->  3340  TCP
2     System         ->  3374  TCP
2     System         ->  3441  TCP
2     System         ->  3473  TCP
2     System         ->  3497  TCP
2     System         ->  3498  TCP
2     System         ->  3504  TCP
2     System         ->  3513  TCP
2     System         ->  3526  TCP
2     System         ->  3529  TCP
2     System         ->  3579  TCP
2     System         ->  3610  TCP
2     System         ->  3627  TCP
2     System         ->  3684  TCP
2     System         ->  3739  TCP
2     System         ->  3746  TCP
2     System         ->  4000  TCP
2     System         ->  4052  TCP
2     System         ->  4150  TCP
2     System         ->  4598  TCP
2     System         ->  4859  TCP
2     System         ->  4868  TCP
2     System         ->  4886  TCP
168   MHSS           ->  4886  TCP   D:\STATISTICSSERVER\MHSS.EXE
2     System         ->  4993  TCP
2     System         ->  8888  TCP
298   java           ->  8888  TCP   C:\SITESC~1\java\bin\java.exe
291   CPQWMGMT       ->  49400 TCP   C:\WINNT\System32\CPQMGMT\CPQWMGMT.EXE
2     System         ->  49400 TCP
95    RpcSs          ->  135   UDP   C:\WINNT\system32\RpcSs.exe
2     System         ->  135   UDP
2     System         ->  137   UDP
2     System         ->  138   UDP
2     System         ->  161   UDP
212   snmp           ->  161   UDP   C:\WINNT\System32\snmp.exe
2     System         ->  1035  UDP
212   snmp           ->  1035  UDP   C:\WINNT\System32\snmp.exe
2     System         ->  1036  UDP
212   snmp           ->  1036  UDP   C:\WINNT\System32\snmp.exe
2     System         ->  1750  UDP
417   iexplore       ->  1750  UDP   C:\PROGRA~1\Plus!\MICROS~1\iexplore.exe

SFind (another fine Foundstone tool) finds NO streamed files on the system.

Firewall (Cisco PIX 520 running 6.1.1) holes open to this box are as follows.

PIX-6.1.1# sh conduit server.ip.address.here
conduit permit icmp host server.ip.address.here any echo-reply (hitcnt=695)
conduit permit icmp host server.ip.address.here any information-reply (hitcnt=0)
conduit permit icmp host server.ip.address.here any time-exceeded (hitcnt=175)
conduit permit tcp host server.ip.address.here eq www any (hitcnt=3649)
conduit permit icmp host server.ip.address.here any (hitcnt=31)
PIX-6.1.1#

IP Auditing turned on at the PIX, and log/drop/reset for attacks.

Edge router ACLs catching outgoing attempts for NetBIOS:

Syslog logging: enabled (0 messages dropped, 3 messages rate-limited, 0 flushes, 0 overruns)
    Console logging: level informational, 20350 messages logged
    Monitor logging: level debugging, 0 messages logged
    Buffer logging: level debugging, 20365 messages logged
    Logging Exception size (8192 bytes)
    Trap logging: level informational, 20263 message lines logged

Log Buffer (8192 bytes):
Dec 11 12:45:50: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 205.188.208.168(137), 2 packets
Dec 11 12:45:53: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 208.12.66.194(137), 2 packets
Dec 11 12:45:57: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 205.188.208.103(137), 2 packets
Dec 11 12:46:06: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 205.188.208.169(137), 2 packets
Dec 11 12:46:11: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 205.188.208.139(137), 2 packets
Dec 11 12:46:20: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 204.146.85.150(137), 2 packets
Dec 11 12:46:24: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 63.225.78.198(137), 2 packets
Dec 11 12:46:29: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 163.191.134.150(137), 2 packets
Dec 11 12:46:42: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 63.96.200.5(137), 2 packets
Dec 11 12:46:47: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 152.163.201.192(137), 2 packets
Dec 11 12:46:56: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 152.163.189.65(137), 2 packets
Dec 11 12:47:00: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 63.49.226.31(137), 2 packets
Dec 11 12:47:05: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 139.67.9.129(137), 2 packets
Dec 11 12:47:14: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 206.180.109.14(137), 2 packets
Dec 11 12:47:18: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 24.214.50.228(137), 2 packets
Dec 11 12:47:23: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 205.188.209.166(137), 2 packets
Dec 11 12:47:29: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 198.185.205.177(137), 2 packets
Dec 11 12:47:32: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 24.49.20.122(137), 2 packets
Dec 11 12:47:35: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 65.202.66.10(137), 2 packets
Dec 11 12:47:41: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 165.89.84.242(137), 2 packets
Dec 11 12:47:45: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 172.142.196.127(137), 2 packets
Dec 11 12:47:49: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 64.12.105.31(137), 2 packets
Dec 11 12:47:54: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 63.149.92.4(137), 2 packets
Dec 11 12:47:57: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 24.4.252.110(137), 2 packets
Dec 11 12:48:03: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 24.4.252.111(137), 2 packets
Dec 11 12:48:08: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 205.188.199.167(137), 2 packets
Dec 11 12:48:12: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 205.188.209.12(137), 2 packets
Dec 11 12:48:17: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 63.208.128.70(137), 2 packets
Dec 11 12:48:26: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 139.147.230.38(137), 2 packets
Dec 11 12:48:30: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 131.124.100.124(137), 2 packets
Dec 11 12:48:39: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 12.82.137.160(137), 2 packets
Dec 11 12:48:44: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 66.57.73.140(137), 2 packets
Dec 11 12:48:47: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 24.29.27.66(137), 2 packets
Dec 11 12:48:53: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 129.130.5.39(137), 2 packets
Dec 11 12:48:57: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 198.108.17.232(137), 2 packets
Dec 11 12:49:10: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 216.132.160.66(137), 2 packets
Dec 11 12:49:11: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 24.4.252.249(137), 2 packets
Dec 11 12:49:15: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 207.50.68.2(137), 2 packets
Dec 11 12:49:21: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 207.16.136.22(137), 2 packets
Dec 11 12:49:24: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 208.242.197.6(137), 2 packets
Dec 11 12:49:27: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 141.153.178.100(137), 2 packets
Dec 11 12:49:33: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 209.130.138.227(137), 5 packets
Dec 11 12:49:35: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 64.12.96.8(137), 2 packets
Dec 11 12:49:38: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 64.12.96.10(137), 2 packets
Dec 11 12:49:47: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 24.4.255.93(137), 2 packets
Dec 11 12:49:51: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 24.4.255.92(137), 2 packets
Dec 11 12:49:57: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 216.230.74.226(137), 2 packets
Dec 11 12:50:00: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 168.26.223.33(137), 2 packets
Dec 11 12:50:07: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 167.1.102.100(137), 2 packets
Edge-CiscoRouter#

Anyone seen this behavior before? Any suggestions? I am going to flush and
fill, but I'd like to learn something from the issue, rather than just
have it be an exercise in the format command!

Thanks.

Seamus Hartmann
Senior Network Engineer
Fuji Film eSystems

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
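The check that Sam's explanation implies, as an added example that is not part of either post in this thread: if a log-statistics tool is doing NetBIOS name queries for web clients whose reverse DNS failed, the UDP/137 destinations the edge router logs should be the same addresses that appear as clients in the web server's own log, whereas a scanner's targets will have no such relationship. The script parses Cisco IOS `%SEC-6-IPACCESSLOGP` lines of the kind shown above and an IIS W3C extended-format log, and reports the overlap. Both log excerpts are constructed for the example (modelled on the lines in the post), the 0.75 overlap threshold is an assumed heuristic, and the consecutive-address metric is a secondary hint, not a rule.

```python
"""Added example (not from the original thread): decide whether outbound
UDP/137 from a web server looks like a log-statistics tool resolving client
names over NetBIOS, or like scanning, by correlating Cisco IOS
%SEC-6-IPACCESSLOGP denies with the c-ip column of an IIS W3C extended log.
Both log excerpts below are constructed for this example."""
import re
from ipaddress import ip_address

# Constructed router log: four targets that are also web clients, one that is
# not, plus a TCP line that the filter must ignore.
ROUTER_LOG = """\
Dec 11 12:45:50: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 205.188.208.168(137), 2 packets
Dec 11 12:45:53: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 208.12.66.194(137), 2 packets
Dec 11 12:46:24: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 63.225.78.198(137), 2 packets
Dec 11 12:47:18: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 24.214.50.228(137), 5 packets
Dec 11 12:47:30: %SEC-6-IPACCESSLOGP: list 101 denied udp server.ip.address.here(137) -> 198.51.100.77(137), 2 packets
Dec 11 12:47:31: %SEC-6-IPACCESSLOGP: list 101 denied tcp server.ip.address.here(1234) -> 198.51.100.78(139), 1 packet
"""

# Constructed IIS W3C extended log; the #Fields directive names the columns.
IIS_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 2001-12-11 12:40:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-12-11 12:40:12 205.188.208.168 GET /index.htm 200
2001-12-11 12:40:40 208.12.66.194 GET /images/logo.gif 200
2001-12-11 12:41:03 63.225.78.198 GET /default.asp 200
2001-12-11 12:41:55 24.214.50.228 GET /products.htm 404
2001-12-11 12:42:10 192.168.1.50 GET /admin/ 403
"""

IOS_DENY_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>\S+?)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)


def parse_ios_denies(text, proto="udp", dport="137"):
    """Return [(dst_ip, packet_count), ...] for denied proto/dport lines only."""
    hits = []
    for line in text.splitlines():
        m = IOS_DENY_RE.search(line)
        if m and m.group("proto") == proto and m.group("dport") == dport:
            hits.append((m.group("dst"), int(m.group("count"))))
    return hits


def parse_iis_w3c_clients(text):
    """Return the set of client addresses (c-ip) from a W3C extended log."""
    c_ip = None
    clients = set()
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            c_ip = line.split()[1:].index("c-ip")
        elif line.startswith("#") or not line.strip() or c_ip is None:
            continue
        else:
            cols = line.split()
            if len(cols) > c_ip:
                clients.add(cols[c_ip])
    return clients


def longest_consecutive_run(addrs):
    """Longest run of numerically adjacent addresses.  A sequential scanner
    walks a range; a log resolver hits whichever clients happened to visit."""
    ints = sorted({int(ip_address(a)) for a in addrs})
    best = run = (1 if ints else 0)
    for prev, cur in zip(ints, ints[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def classify(netbios_hits, web_clients, threshold=0.75):
    """Fraction of distinct UDP/137 targets that also appear as web clients.
    The threshold is an assumed heuristic for this example, not a published figure."""
    targets = {ip for ip, _ in netbios_hits}
    if not targets:
        return {"targets": 0, "overlap": 0.0, "max_run": 0,
                "verdict": "no outbound 137 seen"}
    overlap = len(targets & web_clients) / len(targets)
    verdict = ("consistent with a log analyzer doing NetBIOS name lookups "
               "of recent web clients" if overlap >= threshold
               else "targets are unrelated to web clients; treat as scanning")
    return {"targets": len(targets), "overlap": overlap,
            "max_run": longest_consecutive_run(targets), "verdict": verdict}


if __name__ == "__main__":
    result = classify(parse_ios_denies(ROUTER_LOG), parse_iis_w3c_clients(IIS_LOG))
    for key, value in result.items():
        print(f"{key}: {value}")
```

On a real box, feed it the router's log buffer and the IIS log for the same window; a high overlap points at the statistics service (MHSS in the Fport listing, or whatever resolves names for it), a near-zero overlap with long consecutive runs points at something walking address ranges.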