Security Incidents mailing list archives

RE: TCP port 139 probes


From: "Brenna Primrose" <drxlecter () phreaker net>
Date: Wed, 10 Jul 2002 12:39:43 -0500

Several of the machines which have probed me are also the same way.
However, I noticed that nearly all of them had some sort of "porn
dialer" installed.  Coincidence?  Probably since obviously these people
have no idea what is on their machines...

Brenna

http://profiles.yahoo.com/absolut_contagion 
http://gsa.creighton.edu
AIM - absolutxpsycho
Yahoo! - absolut_contagion
ICQ - 1363187
MSN - r00t () creighton edu 

-----Original Message-----
From: Pavel Kankovsky [mailto:peak () argo troja mff cuni cz] 
Sent: Wednesday, July 10, 2002 4:18 AM
To: incidents () securityfocus com
Subject: RE: TCP port 139 probes

On Wed, 10 Jul 2002, Dan Irwin wrote:

> At least one of these machines appeared to be insecure and i could
> enumerate shares etc with smbclient -L.

Bingo. I looked at some of the source addresses and saw Windows
9x machines with publicly accessible shares (I could access them using
an empty username and password). In two or three cases, I checked whether
the share was writable and it was. Having done a superficial examination
of system directories on those machines (they had a publicly accessible
share, ergo I was invited, wasn't I? <g>) I found some weird files on one
of those machines:

  winhlp32.exe                        A   317440  Fri Jul  5 15:43:08 2002
  notepad.exe                         A   317440  Fri Jul  5 15:43:08 2002
  control.exe                         A   317440  Fri Jul  5 15:43:08 2002
  scanregw.exe                        A   317440  Fri Jul  5 15:43:08 2002
  ifnhlp.sys                          A   317440  Tue Jul  9 22:20:00 2002
  scanregw.exe                        A   317440  Fri Jul  5 15:43:40 2002
  loadpe.com                          A   317440  Fri Jul  5 15:43:40 2002
  msiexec.exe                         A   317440  Fri Jul  5 15:43:08 2002
  wf2k.exe                            A   317440  Fri Jul  5 15:43:40 2002

I downloaded 3 of them and they all seem to be compressed executables
having a common prefix, and there are some fragments of strings ("rom",
"y smt", ") with", "ESM", "Mime-", "-Typ", "quit" etc) in that common
prefix suggesting there is some SMTP implementation there--presumably
some kind of malware able to spread via email.

But I did not find anything similar on other machines I examined.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
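The triage Pavel describes above (many differently named system binaries sharing one exact size and timestamp, and SMTP/MIME strings inside a "notepad.exe") can be turned into a small check. This is an added example, not code from the thread or from SecurityFocus; the listing text is constructed after the quoted one, and the marker list and size threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the smbclient directory-listing style quoted in the
# thread (hypothetical data, not a real capture).
LISTING = """\
  winhlp32.exe                        A   317440  Fri Jul  5 15:43:08 2002
  notepad.exe                         A   317440  Fri Jul  5 15:43:08 2002
  control.exe                         A   317440  Fri Jul  5 15:43:08 2002
  ifnhlp.sys                          A   317440  Tue Jul  9 22:20:00 2002
  loadpe.com                          A   317440  Fri Jul  5 15:43:40 2002
  calc.exe                            A    94208  Mon Apr 23 12:00:00 2001
  readme.txt                          A     1024  Mon Apr 23 12:00:00 2001
"""

# name, attribute letters, size, timestamp (assumed column layout)
LINE_RE = re.compile(r"^\s*(\S+)\s+([A-Z]*)\s+(\d+)\s+(.+?)\s*$")

# Strings an SMTP engine leaves in a binary; these are an assumption modelled
# on the fragments ("Mime-", "-Typ", "quit") Pavel saw in the packed prefix.
SMTP_MARKERS = (b"HELO", b"EHLO", b"MAIL FROM", b"RCPT TO",
                b"Mime-", b"Content-Type", b"quit")

def parse_listing(text):
    """Return (name, size, mtime) tuples from an smbclient-style listing."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group(1), int(m.group(3)), m.group(4)))
    return entries

def size_clusters(entries, min_files=3):
    """Group executables by exact size.  Several distinct names sharing one
    size (317440 in the thread) means one payload copied under many names."""
    by_size = defaultdict(list)
    for name, size, _ in entries:
        if name.lower().endswith((".exe", ".com", ".sys", ".dll", ".scr")):
            by_size[size].append(name)
    return {s: names for s, names in by_size.items() if len(names) >= min_files}

def smtp_markers_in(blob):
    """Return the SMTP/MIME markers present in a file's raw bytes."""
    return [m.decode() for m in SMTP_MARKERS if m in blob]
```

Run `size_clusters(parse_listing(LISTING))` on a real listing to get the suspicious size groups, then feed the downloaded bytes of one member to `smtp_markers_in`.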


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
