Subject: [Dshield] FYI - Port 21 Possible DOS Attack

KeithTarrant KeithTarrant at spamcop.net
Sun Sep 29 23:32:12 GMT 2002


Somebody may have installed their own FTP server on your system, perhaps
to share warez (packages with copy protection broken), hackerware or
pornography, either something they don't want to store on their own
computer or something they don't have the bandwidth to share.

Since it has been a couple of days and they still haven't shared it with
their friends, my bet would be on it being something they don't want on
their own machine.

You should check to see if they installed their own FTP server.

Also, are they accessing the FTP server you installed?

You can do a search in google or on www.cert.org to find tips on this.

http://www.mynetwatchman.com/kb/security/articles/winforensics/

- Keith
----- Original Message -----
From: "Grant Thurman" <Grant at netprecision.net>
To: <list at dshield.org>
Cc: <Arsene.Wauters at rug.ac.be>
Sent: Sunday, September 29, 2002 11:10 AM
Subject: [Dshield] FYI - Port 21 Possible DOS Attack


> Had same issue, it's some kid that is a student at:
>
> OrgName:    University of Ghent
> OrgID:      157.193.127.240 UNIVER-54
> NetRange:   157.193.0.0 - 157.193.255.255
>
> Contact: Arsene.Wauters at rug.ac.be
>
> Grant
>
> -----Original Message-----
> From: list-admin at dshield.org [mailto:list-admin at dshield.org]On Behalf Of
> list-request at dshield.org
> Sent: Sunday, September 29, 2002 9:00 AM
> To: list at dshield.org
> Subject: Dshield digest, Vol 1 #807 - 3 msgs
>
>
> Send Dshield mailing list submissions to
> list at dshield.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://www.dshield.org/mailman/listinfo/list
> or, via email, send a message with subject or body 'help' to
> list-request at dshield.org
>
> You can reach the person managing the list at
> list-admin at dshield.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Dshield digest..."
>
>
> Today's Topics:
>
>    1. [LOGS] Odd: UDP:137 probes (John Sage)
>    2. FYI - Port 21 Possible DOS Attack (Jim Gifford)
>    3. question.... (Karen)
>
> -- __--__--
>
> Message: 1
> Date: Sat, 28 Sep 2002 15:31:55 -0700
> From: John Sage <jsage at finchhaven.com>
> To: list at dshield.org
> Subject: [Dshield] [LOGS] Odd: UDP:137 probes
> Reply-To: list at dshield.org
>
> Odd?
>
> 42 probes and counting; no two from the same source IP; the source
> port, however, varies little: 1025, 1026, 1027, 1028, 1029, and then
> scattered others. TTL's are all around 107-115, which suggests
> something Win-ish as the source hosts, decrementing the TTL from 128.
>
>
> #103-137| [2002-09-28 12:03:11]   12.82.138.100:1025 -> 12.82.137.228:137  UDP to 137 netBIOS ns
> #103-120| [2002-09-28 11:42:04] 193.152.210.254:1027 -> 12.82.137.228:137  UDP to 137 netBIOS ns
> #103-147| [2002-09-28 12:22:24]   196.32.149.73:1026 -> 12.82.137.228:137  UDP to 137 netBIOS ns
> #103-112| [2002-09-28 11:27:49]    200.4.254.36:1028 -> 12.82.137.228:137  UDP to 137 netBIOS ns
>  #103-92| [2002-09-28 08:28:17]   200.48.189.83:1025 -> 12.82.137.228:137  UDP to 137 netBIOS ns
> #103-103| [2002-09-28 09:37:03]   200.67.189.25:1104 -> 12.82.137.228:137  UDP to 137 netBIOS ns
> #103-151| [2002-09-28 13:08:58]    200.73.40.36:1025 -> 12.82.137.228:137  UDP to 137 netBIOS ns
> #103-114| [2002-09-28 11:29:53]    203.79.191.2:1025 -> 12.82.137.228:137  UDP to 137 netBIOS ns
>  #103-96| [2002-09-28 08:44:58]   208.169.78.68:1025 -> 12.82.137.228:137  UDP to 137 netBIOS ns
> #103-161| [2002-09-28 14:15:01] 210.143.153.199:1027 -> 12.82.137.228:137  UDP to 137 netBIOS ns
> #103-150| [2002-09-28 12:55:08]  211.254.125.61:1026 -> 12.82.137.228:137  UDP to 137 netBIOS ns
> #103-111| [2002-09-28 11:22:32]   211.53.129.93:1025 -> 12.82.137.228:137  UDP to 137 netBIOS ns
> #103-159| [2002-09-28 14:04:12]    211.79.78.87:1025 -> 12.82.137.228:137  UDP to 137 netBIOS ns
> #103-100| [2002-09-28 09:27:08]     213.7.99.39:1025 -> 12.82.137.228:137  UDP to 137 netBIOS ns
>  #103-10| [2002-09-28 08:16:01]   213.99.139.72:1025 -> 12.82.137.228:137  UDP to 137 netBIOS ns
> #103-101| [2002-09-28 09:27:26]  217.82.175.205:1025 -> 12.82.137.228:137  UDP to 137 netBIOS ns
> #103-108| [2002-09-28 11:03:55]  218.148.219.35:1025 -> 12.82.137.228:137  UDP to 137 netBIOS ns
> #103-152| [2002-09-28 13:09:05] 218.165.176.121:1025 -> 12.82.137.228:137  UDP to 137 netBIOS ns
>  #103-91| [2002-09-28 08:24:26] 218.233.193.141:1025 -> 12.82.137.228:137  UDP to 137 netBIOS ns
> #103-149| [2002-09-28 12:54:39] 218.234.212.131:1029 -> 12.82.137.228:137  UDP to 137 netBIOS ns
>  #103-95| [2002-09-28 08:42:25]   24.141.33.160:1028 -> 12.82.137.228:137  UDP to 137 netBIOS ns
>  #103-98| [2002-09-28 09:19:18]  24.243.165.244:3292 -> 12.82.137.228:137  UDP to 137 netBIOS ns
> #103-153| [2002-09-28 13:35:10]   24.87.161.126:1025 -> 12.82.137.228:137  UDP to 137 netBIOS ns
>  #103-94| [2002-09-28 08:40:53]   61.224.197.67:1026 -> 12.82.137.228:137  UDP to 137 netBIOS ns
> #103-110| [2002-09-28 11:17:42]   61.230.125.62:1027 -> 12.82.137.228:137  UDP to 137 netBIOS ns
> #103-113| [2002-09-28 11:29:35]    61.32.145.18:1025 -> 12.82.137.228:137  UDP to 137 netBIOS ns
> #103-106| [2002-09-28 10:11:21]    61.33.113.32:1038 -> 12.82.137.228:137  UDP to 137 netBIOS ns
> #103-109| [2002-09-28 11:11:30]    61.37.180.38:1035 -> 12.82.137.228:137  UDP to 137 netBIOS ns
>   #103-8| [2002-09-28 08:09:19]   61.38.215.123:1025 -> 12.82.137.228:137  UDP to 137 netBIOS ns
>  #103-97| [2002-09-28 08:52:25]     61.41.63.28:1027 -> 12.82.137.228:137  UDP to 137 netBIOS ns
> #103-107| [2002-09-28 10:37:58]   62.194.62.223:1025 -> 12.82.137.228:137  UDP to 137 netBIOS ns
>  #103-93| [2002-09-28 08:31:16]  62.251.162.162:1025 -> 12.82.137.228:137  UDP to 137 netBIOS ns
>   #103-9| [2002-09-28 08:10:47]   62.30.228.119:1026 -> 12.82.137.228:137  UDP to 137 netBIOS ns
> #103-119| [2002-09-28 11:39:06]    63.105.27.99:1733 -> 12.82.137.228:137  UDP to 137 netBIOS ns
> #103-105| [2002-09-28 10:10:13]   64.231.161.28:1025 -> 12.82.137.228:137  UDP to 137 netBIOS ns
>  #103-99| [2002-09-28 09:20:42]     65.92.17.40:1028 -> 12.82.137.228:137  UDP to 137 netBIOS ns
> #103-104| [2002-09-28 10:06:29]   66.127.27.202:1025 -> 12.82.137.228:137  UDP to 137 netBIOS ns
>   #103-7| [2002-09-28 07:56:52]   66.166.63.138:1028 -> 12.82.137.228:137  UDP to 137 netBIOS ns
> #103-148| [2002-09-28 12:24:46]    67.34.15.158:1414 -> 12.82.137.228:137  UDP to 137 netBIOS ns
> #103-154| [2002-09-28 13:48:02]      67.81.3.84:1025 -> 12.82.137.228:137  UDP to 137 netBIOS ns
> #103-160| [2002-09-28 14:05:56]   80.133.59.196:1025 -> 12.82.137.228:137  UDP to 137 netBIOS ns
> #103-102| [2002-09-28 09:36:05]  80.138.180.106:1025 -> 12.82.137.228:137  UDP to 137 netBIOS ns
>
>
> Packet contents seem to be "normal" for this sort of thing:
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 09/28-07:56:52.009771 66.166.63.138:1028 -> 12.82.137.228:137
> UDP TTL:115 TOS:0x0 ID:20655 IpLen:20 DgmLen:78
> Len: 58
> 0x0000: 45 00 00 4E 50 AF 00 00 73 11 DE 89 42 A6 3F 8A  E..NP...s...B.?.
> 0x0010: 0C 52 89 E4 04 04 00 89 00 3A A3 3D 01 00 00 10  .R.......:.=....
> 0x0020: 00 01 00 00 00 00 00 00 20 43 4B 41 41 41 41 41  ........ CKAAAAA
> 0x0030: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0x0040: 41 41 41 41 41 41 41 41 41 00 00 21 00 01        AAAAAAAAA..!..
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 09/28-08:09:19.554838 61.38.215.123:1025 -> 12.82.137.228:137
> UDP TTL:107 TOS:0x0 ID:13345 IpLen:20 DgmLen:78
> Len: 58
> 0x0000: 45 00 00 4E 34 21 00 00 6B 11 70 A6 3D 26 D7 7B  E..N4!..k.p.=&.{
> 0x0010: 0C 52 89 E4 04 01 00 89 00 3A 10 CF 01 00 00 10  .R.......:......
> 0x0020: 00 01 00 00 00 00 00 00 20 43 4B 41 41 41 41 41  ........ CKAAAAA
> 0x0030: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0x0040: 41 41 41 41 41 41 41 41 41 00 00 21 00 01        AAAAAAAAA..!..
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 09/28-08:10:47.013637 62.30.228.119:1026 -> 12.82.137.228:137
> UDP TTL:111 TOS:0x0 ID:6105 IpLen:20 DgmLen:78
> Len: 58
> 0x0000: 45 00 00 4E 17 D9 00 00 6F 11 7A FA 3E 1E E4 77  E..N....o.z.>..w
> 0x0010: 0C 52 89 E4 04 02 00 89 00 3A 02 DA 01 00 00 10  .R.......:......
> 0x0020: 00 01 00 00 00 00 00 00 20 43 4B 41 41 41 41 41  ........ CKAAAAA
> 0x0030: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0x0040: 41 41 41 41 41 41 41 41 41 00 00 21 00 01        AAAAAAAAA..!..
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 09/28-08:16:01.315182 213.99.139.72:1025 -> 12.82.137.228:137
> UDP TTL:107 TOS:0x0 ID:60720 IpLen:20 DgmLen:78
> Len: 58
> 0x0000: 45 00 00 4E ED 30 00 00 6B 11 6B 8C D5 63 8B 48  E..N.0..k.k..c.H
> 0x0010: 0C 52 89 E4 04 01 00 89 00 3A C4 C4 01 00 00 10  .R.......:......
> 0x0020: 00 01 00 00 00 00 00 00 20 43 4B 41 41 41 41 41  ........ CKAAAAA
> 0x0030: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0x0040: 41 41 41 41 41 41 41 41 41 00 00 21 00 01        AAAAAAAAA..!..
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 09/28-08:24:26.786360 218.233.193.141:1025 -> 12.82.137.228:137
> UDP TTL:113 TOS:0x0 ID:51598 IpLen:20 DgmLen:78
> Len: 58
> 0x0000: 45 00 00 4E C9 8E 00 00 71 11 4D 63 DA E9 C1 8D  E..N....q.Mc....
> 0x0010: 0C 52 89 E4 04 01 00 89 00 3A 88 F9 01 00 00 10  .R.......:......
> 0x0020: 00 01 00 00 00 00 00 00 20 43 4B 41 41 41 41 41  ........ CKAAAAA
> 0x0030: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0x0040: 41 41 41 41 41 41 41 41 41 00 00 21 00 01        AAAAAAAAA..!..
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> <snip>
>
>
> - John
> --
> "It's a troll! Run!^H^H^H^H Laugh!"
>
> PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
> Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705
>
>
> -- __--__--
>
> Message: 2
> From: "Jim Gifford" <maillist at jg555.com>
> To: <list at dshield.org>
> Date: Sat, 28 Sep 2002 20:51:10 -0500
> Subject: [Dshield] FYI - Port 21 Possible DOS Attack
> Reply-To: list at dshield.org
>
> For the last two days I noticed a constant connection to a port 21 on my
> server. I kept an eye on it, but then I decided to check it out further,
> because after 48 hours, there is a problem.
>
> Then I checked with another person who also has an ftp server, he had the
> same ip connected for 3 days.
>
> Now for my question, I can't report information to dshield on this IP
> address, due to the fact, it's not showing up in my iptables log file. The
> only way I noticed it was running a utility called iptstate which shows all
> connections including ports connected to.
>
> Well here is the ip address 157.193.127.240, resolves to a great name
> heathen1.rug.ac.be.
>
>
> -- __--__--
>
> Message: 3
> From: "Karen" <karenj at worldlynx.net>
> To: "dshieldlist" <list at dshield.org>
> Date: Sun, 29 Sep 2002 01:08:55 -0400
> Subject: [Dshield] question....
> Reply-To: list at dshield.org
>
> I'm new to the list, and just joined out of curiosity because I keep
> getting 'pinged', some I've traced on Neo Trace.  This one was strange
> because it couldn't find who it was.  Any ideas/help?
>
> This was the number
>
> 64.80.74.84  UDP Port 1026
>
> Thanks!
>
> Karen
>
>
>
>
> -- __--__--
>
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> http://www.dshield.org/mailman/listinfo/list
>
>
> End of Dshield Digest
>
>
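Keith's two checks (is there an FTP daemon you did not install, and who is connected to the one you did) and Jim's observation that the connection never appeared in the iptables log but was visible in the connection table come down to the same triage: list the sockets on port 21 and tie each to a process. The script below is an added example, not code from this thread or from iptstate; it reads the Linux /proc/net/tcp table, which records listeners and established connections regardless of whether the firewall logged them. The table's hex addresses are in host byte order, so the sample assumes a little-endian (x86) host; the sample rows, the local address 10.0.0.5, the inode numbers and the remote port are constructed for the example, with 157.193.127.240 taken from Jim's post.

```python
"""Find who is listening on, and connected to, a TCP port via /proc/net/tcp (added example)."""
import os
import socket
import struct

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
              "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
              "0A": "LISTEN", "0B": "CLOSING"}

# Constructed sample in /proc/net/tcp layout. Addresses are host-byte-order hex,
# so "F07FC19D" is 157.193.127.240 on a little-endian host. The local address
# 10.0.0.5, the inodes and the peer ports are made up for the example.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0015 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10234 1 c1a2b3c4 300 0 0 2 -1
   1: 0500000A:0015 F07FC19D:0D4B 01 00000000:00000000 00:00000000 00000000     0        0 10240 1 c1a2b3c5 20 4 30 10 -1
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10100 1 c1a2b3c6 300 0 0 2 -1
   3: 0500000A:0016 0A00A8C0:C3E2 01 00000000:00000000 00:00000000 00000000     0        0 10110 1 c1a2b3c7 20 4 30 10 -1
"""


def _decode_addr(hexaddr):
    """'F07FC19D:0D4B' -> ('157.193.127.240', 3403). Assumes a little-endian host."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse the /proc/net/tcp table into a list of socket dicts (header row skipped)."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        lip, lport = _decode_addr(f[1])
        rip, rport = _decode_addr(f[2])
        rows.append({"local_ip": lip, "local_port": lport,
                     "remote_ip": rip, "remote_port": rport,
                     "state": TCP_STATES.get(f[3], f[3]),
                     "uid": int(f[7]), "inode": int(f[9])})
    return rows


def triage_port(rows, port=21):
    """Split the sockets on one local port into listeners and live connections."""
    listeners = [r for r in rows if r["local_port"] == port and r["state"] == "LISTEN"]
    established = [r for r in rows if r["local_port"] == port and r["state"] == "ESTABLISHED"]
    return {"listeners": listeners, "established": established}


def socket_owner(inode, proc_root="/proc"):
    """Map a socket inode to (pid, exe) by scanning /proc/*/fd symlinks.
    Needs root to see other users' processes; returns None if not found."""
    target = "socket:[%d]" % inode
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    try:
                        exe = os.readlink(os.path.join(proc_root, pid, "exe"))
                    except OSError:
                        exe = "?"
                    return int(pid), exe
        except OSError:
            continue
    return None


def report(text=None, port=21):
    """Print listeners and established peers on `port`; reads /proc/net/tcp if no text given."""
    if text is None:
        with open("/proc/net/tcp") as fh:
            text = fh.read()
    result = triage_port(parse_proc_net_tcp(text), port)
    for l in result["listeners"]:
        print("LISTEN      %s:%d uid=%d inode=%d owner=%s" % (
            l["local_ip"], l["local_port"], l["uid"], l["inode"], socket_owner(l["inode"])))
    for c in result["established"]:
        print("ESTABLISHED %s:%d <- %s:%d inode=%d owner=%s" % (
            c["local_ip"], c["local_port"], c["remote_ip"], c["remote_port"],
            c["inode"], socket_owner(c["inode"])))
    return result


if __name__ == "__main__":
    report(SAMPLE_PROC_NET_TCP)
```

Run it without arguments on the affected host (as root) and compare the owner of the port-21 listener against the ftpd you installed; a listener owned by an unfamiliar binary answers Keith's first question, and the established entries answer his second. Note that a firewall LOG rule on NEW connections will not fire for a session that was already established when the rule went in, which is consistent with Jim seeing the peer only in iptstate.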
