[Intrusions] brightstor/arcserve backup client hacked

stephane nasdrovisky stephane.nasdrovisky at paradigmo.com
Thu Mar 3 12:37:13 GMT 2005


Andrew Daviel wrote:

> I have placed a tcpdump capture file with 2 targets

It would be nice to have a full port 41523 capture (I mean with snaplen, 
-s, larger than the max packet size: either 0 or 1600).
The captured 300 bytes only contain nops (90), which is not googlable.

I submitted the exe files to Norman Sandbox 
(http://sandbox.norman.no/live_4.html); it found nothing interesting. I 
have no soon-to-be-reinstalled PC, so I didn't try to execute those .exe 
(which look like self-executable archives, compressed with UPX?). 
Submitting the extracted exe files will probably tell you more. Those 
files (extracted from C:\WINNT\system32\kit.exe) are:
caclsENG.exe
isplog.exe (installed as a service)
se.exe
syslog.exe
tskman.exe (installed as a service)

There's also a backdoor on port 888.

> Meanwhile we blocked port 187 and also the original ARCserve port 
> 41523 pending an update of
> the backup client.

Add port 888 to your list!

> Just trying to think if 41523 might be used as a legitimate inbound 
> port for http requests, ftp, NFS etc.

The official RFC-compliant answer is no, but most OSes are configured in 
such a way that they may use this port.
'Ephemeral ports' are 49152-65535, but most OSes use 1024-65535 (MS) or 
32768-65535 (Sun).

> so maybe we don't want to statically block 41523 at the router 
> indefinitely ...

Block the SYN packets with a destination port of 41523 and a destination 
IP in your IP range. (You may even block any unused service and only 
allow the services you provide (80 for HTTP, 25 for mail, ...).)
Anyway, NT, W2K, ... use a source port of 1024 (incremented by 1 
each time a new TCP session is opened); 41523 will not happen before 
your PC needs a reboot.

> If a packet fails on one port will it be retried on another port or 
> the same one ?

No, the source and destination ports do not change during a TCP 
session (replies from your server will swap source and destination ports).
The source port is usually incremented (+1) by the client (the browser, 
the mail sender, ...) for every connection. The destination port depends 
on the service.
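As an added example (not part of the original thread), a small Python triage script for the capture problem discussed above: it reads a pcap file, reports which packets the snaplen truncated (captured length shorter than the on-the-wire length) and how long the longest run of 0x90 (x86 NOP) bytes in each packet is, so you can tell a useless short capture from a full one before sharing it. The sample pcap bytes, the 300-byte NOP-sled packet and the threshold of 8 are constructed for illustration.

```python
import struct

# Constructed sample pcap (not from the thread): one frame cut short by a
# 64-byte snaplen whose visible tail is a NOP run, and one complete frame.
def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for data, orig_len in frames:
        out += struct.pack("<IIII", 1109852233, 0, len(data), orig_len) + data
    return out

SAMPLE_PCAP = _pcap([
    (b"\x00" * 54 + b"\x90" * 10, 354),            # truncated, NOP sled
    (b"\x00" * 54 + b"GET / HTTP/1.0\r\n", 70),    # complete, benign
])

def longest_run(data, byte=0x90):
    """Length of the longest consecutive run of `byte` in `data`."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == byte else 0
        best = max(best, cur)
    return best

def triage_pcap(raw, nop_threshold=8):
    """One dict per packet: was it truncated by the snaplen, how many bytes
    are missing, and does the captured part look like a NOP sled."""
    magic, = struct.unpack_from("<I", raw, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled")
    results, off = [], 24                      # skip the 24-byte global header
    while off + 16 <= len(raw):
        _ts_sec, _ts_usec, incl_len, orig_len = struct.unpack_from("<IIII", raw, off)
        off += 16
        data = raw[off:off + incl_len]
        off += incl_len
        run = longest_run(data)
        results.append({
            "truncated": incl_len < orig_len,
            "missing_bytes": orig_len - incl_len,
            "nop_run": run,
            "nop_sled": run >= nop_threshold,
        })
    return results

if __name__ == "__main__":
    for i, r in enumerate(triage_pcap(SAMPLE_PCAP)):
        print(i, r)
```

Any packet flagged `truncated` means the capture was taken without `-s 0`; re-capture before submitting it anywhere.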
