Security Incidents mailing list archives

Re: DDoS to microsoft sites


From: Hugo van der Kooij <hvdkooij () vanderkooij org>
Date: Wed, 30 Jan 2002 09:19:59 +0100 (CET)

On Tue, 29 Jan 2002, Mike Lewinski wrote:

> A port scan of one of the infected hosts shows:
> 
>      7  Echo
>      9  Discard
>     13  Daytime
>     17  Quote of the Day
>     19  Character Generator
>     21  File Transfer Protocol [Control]
>     25  Simple Mail Transfer
>     80  World Wide Web HTTP
>    135  DCE endpoint resolution
>    139  NETBIOS Session Service
>    443  https  MCom
>    445  Microsoft-DS
>    548  AFP over TCP
>   1025  network blackjack
>   1026
>   1027  ICQ?
>   1433  Microsoft-SQL-Server
>   5631  pcANYWHEREdata

I am curious what you used for port scanning, as you have only half of the 
pcAnywhere ports.

The amount of traffic may be normal if one is to download loads of data 
(like CD ISO images) with an accelerator. Getting a full load of IE6 is a 
substantial download.

> The client claims that they are not running Appletalk (548) but I'm not sure
> whether to believe them. We haven't been able to get console access to that
> machine to do any further investigation (but have blocked it upstream). Of
> the above services, most look legit from what I can tell with the exception
> of 548 and 1025-1027.

The high ports are common on windows machines. It's no proof that they are 
harmless but don't make too much of it.

I can't escape the feeling that you are chasing ghosts here. If it is a 
genuine DoS attempt you would be able to tell from observing the 
datastream. (getting at least the headers.)

Hugo.

-- 
All email sent to me is bound to the rules described on my homepage.
    hvdkooij () vanderkooij org         http://hvdkooij.xs4all.nl/
            Don't meddle in the affairs of sysadmins,
            for they are subtle and quick to anger.
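Hugo's closing point is that the port list cannot settle the question; the packet headers can. As an added example for this thread (not code posted by either author), the script below parses tcpdump -n style header lines and separates the two readings of the same symptom: a download accelerator (payload flowing inbound, the host's own packets being SYNs and bare ACKs) versus an outbound flood (many header-sized packets leaving, few or no replies). The sample captures are constructed, use RFC 5737 documentation addresses, and the thresholds in classify() are illustrative assumptions rather than measured norms.

```python
"""Tell a bulk download from an outbound flood using only packet headers.

Added example for this thread, not code from the original posts. Input is
tcpdump -n style header lines; the sample traffic is constructed (RFC 5737
addresses) and the thresholds are illustrative assumptions.
"""
import re
from dataclasses import dataclass

# e.g. "09:19:59.000001 IP 192.0.2.10.1025 > 198.51.100.5.80: Flags [S], seq 0, win 8192, length 0"
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
FLAGS_RE = re.compile(r"Flags \[(?P<flags>[^\]]*)\]")
LEN_RE = re.compile(r"length (?P<length>\d+)")


@dataclass(frozen=True)
class Header:
    src: str
    dst: str
    dport: int
    proto: str    # "tcp", "udp" or "other"
    flags: str    # tcpdump flag string: "S", "S.", ".", "P." ...
    length: int   # payload length as tcpdump reports it


def parse_line(line):
    """Parse one tcpdump -n header line; None for lines that are not IP headers (ARP etc.)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"]
    flags = FLAGS_RE.search(rest)
    length = LEN_RE.search(rest)
    proto = "tcp" if flags else ("udp" if rest.startswith("UDP") else "other")
    return Header(m["src"], m["dst"], int(m["dport"]), proto,
                  flags["flags"] if flags else "", int(length["length"]) if length else 0)


def summarize(headers, host):
    """Per-direction counters for one host: who sends the bytes, and does anyone answer?"""
    out = [h for h in headers if h.src == host]
    inb = [h for h in headers if h.dst == host]
    out_bytes = sum(h.length for h in out)
    in_bytes = sum(h.length for h in inb)
    return {
        "out_pkts": len(out),
        "in_pkts": len(inb),
        "out_bytes": out_bytes,
        "in_bytes": in_bytes,
        "out_avg_len": out_bytes / len(out) if out else 0.0,
        "out_syns": sum(1 for h in out if h.proto == "tcp" and h.flags == "S"),
        "in_synacks": sum(1 for h in inb if h.proto == "tcp" and h.flags == "S."),
    }


def classify(stats):
    """Heuristic verdict; the 4x byte ratio, 5x packet ratio and 64-byte average are assumptions."""
    if stats["out_pkts"] == 0 and stats["in_pkts"] == 0:
        return "no traffic"
    # A download accelerator pulls payload *in*; the host's own packets are SYNs and bare ACKs.
    if stats["in_pkts"] > 0 and stats["in_bytes"] >= 4 * stats["out_bytes"]:
        return "bulk download"
    # A flood pushes many header-sized packets *out* and gets few or no replies.
    if stats["out_pkts"] >= 5 * stats["in_pkts"] and stats["out_avg_len"] <= 64:
        return "outbound flood"
    return "inconclusive"


def verdict(lines, host):
    headers = [h for h in map(parse_line, lines) if h is not None]
    stats = summarize(headers, host)
    return classify(stats), stats


def accelerator_sample(host="192.0.2.10", server="198.51.100.5"):
    """Constructed capture: four parallel HTTP connections, each pulling twenty full segments."""
    lines = []
    for i, sport in enumerate((1025, 1026, 1027, 1028)):
        lines.append(f"09:19:{i:02d}.000000 IP {host}.{sport} > {server}.80: Flags [S], seq 0, win 8192, length 0")
        lines.append(f"09:19:{i:02d}.000100 IP {server}.80 > {host}.{sport}: Flags [S.], seq 0, ack 1, win 65535, length 0")
        lines.append(f"09:19:{i:02d}.000200 IP {host}.{sport} > {server}.80: Flags [P.], seq 1:120, ack 1, win 8192, length 119")
        for _ in range(20):
            lines.append(f"09:19:{i:02d}.001000 IP {server}.80 > {host}.{sport}: Flags [.], ack 120, win 65535, length 1460")
            lines.append(f"09:19:{i:02d}.001100 IP {host}.{sport} > {server}.80: Flags [.], ack 1461, win 8192, length 0")
    return lines


def flood_sample(host="192.0.2.10", target="203.0.113.7"):
    """Constructed capture: two hundred SYNs to one port, nothing ever comes back."""
    return [f"09:20:00.{n:06d} IP {host}.{10000 + n} > {target}.80: Flags [S], seq 0, win 1024, length 0"
            for n in range(200)]


if __name__ == "__main__":
    for name, sample in (("accelerator", accelerator_sample()), ("flood", flood_sample())):
        result, stats = verdict(sample, "192.0.2.10")
        print(f"{name}: {result} {stats}")
```

Against a real capture you would feed it `tcpdump -n -i <if> host <addr>` output; the byte direction is what matters, since a host pulling an ISO with an accelerator and a host flooding a target both show "a lot of traffic" on a bandwidth graph but look nothing alike once you know which way the payload goes.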




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com