[Dshield] Re: intrusion attempts

John Sage jsage at finchhaven.com
Tue Aug 19 15:32:39 GMT 2003


Reality check:

On Mon, Aug 18, 2003 at 02:17:01PM -0400, Kenneth Coney wrote:
> He is not alone.  I blocked my RPC ports over a year or two ago
> (back when there was an issue with MS Instant Messenger qm and Lexmark
> started adding RPC calls to their printer installation in anticipation
> of the new XP), and I am fully patched.

Blocking ports does not stop probes from happening.


> I have been experiencing about 14 attempts a day to connect to my
> machine on port 17300 and 1433 TCP and 1434 UDP since Thursday.  All
> from different I.P.s.  Two so persistent (3 tries in 48 hr.) I just
> went ahead and created a rule to perm. block the IP (I have no idea
> who they resolve to, and don't much care as I classify an uninvited
> connection as not friendly).

Blocking ports does not stop probes from happening.


> Like most here, I am getting too many port 135 attempts to count
> (all blocked).  I also get the backdoor trojan blocked alerts.

You've successfully blocked these probes; what more do you expect to
happen?


> (Interestingly enough those normally don't show up in the Norton
> Internet Security Firewall log, although they do show up in the Alert
> log.)  Like IMC, I am dial up.  I have an updated TDS and scans show
> nothing, likewise Norton AV (up to date) shows nothing.  Even AdAware
> shows nothing.   The DShield list of dangerous ports is clearly not
> complete.

Which "list" are you talking about? The list of "dangerous ports" is
very large; but, repeat after me:

Blocking ports does not stop probes from happening.


> There is more going on than just a worm that attacks 135.  My
> question is does a variant of that worm attempt to exploit the buffer
> overflow vulnerability in 17300, or is that something else sliding
> under our radar?

Yup.

17300 is (probably..) this:

Aug 18 17:48:36 greatwall snort: [1:0:0] TCP inbound to 17300 Kuang2
 {TCP} 68.69.0.146:4507 -> 12.82.134.102:17300
Aug 18 17:48:36 greatwall snort: [1:0:0] TCP inbound to 17300 Kuang2
 {TCP} 68.69.0.146:4507 -> 12.82.134.102:17300
Aug 18 17:48:37 greatwall snort: [1:0:0] TCP inbound to 17300 Kuang2
 {TCP} 68.69.0.146:4507 -> 12.82.134.102:17300

27374 is (probably..) this:

Aug 19 08:22:41 greatwall snort: [1:0:0] TCP inbound to 27374 SubSeven
 {TCP} 69.22.1.152:2735 -> 12.82.133.112:27374
Aug 19 08:22:41 greatwall snort: [1:0:0] TCP inbound to 27374 SubSeven
 {TCP} 69.22.1.152:2735 -> 12.82.133.112:27374
Aug 19 08:22:43 greatwall snort: [1:0:0] TCP inbound to 27374 SubSeven
 {TCP} 69.22.1.152:2735 -> 12.82.133.112:27374


The list goes on and on and on.



- John
-- 
"Warning: time of day goes back, taking countermeasures."
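Added example, not part of this mail thread: a small Python parser for the syslog-wrapped snort alerts John pasted above. It re-joins the continuation lines, tallies hits per destination port and signature, and flags sources that repeat at least 3 times (the threshold Kenneth mentions before blocking an IP). The 192.0.2.10 source and the kernel line in the sample are constructed.

```python
import re
from collections import Counter

# Constructed sample: the wrapped syslog lines as they appear in the mail
# (continuation lines start with whitespace), plus one made-up source
# (192.0.2.10) and one unrelated kernel line to show that it is skipped.
SAMPLE_LOG = """\
Aug 18 17:48:36 greatwall snort: [1:0:0] TCP inbound to 17300 Kuang2
 {TCP} 68.69.0.146:4507 -> 12.82.134.102:17300
Aug 18 17:48:36 greatwall snort: [1:0:0] TCP inbound to 17300 Kuang2
 {TCP} 68.69.0.146:4507 -> 12.82.134.102:17300
Aug 18 17:48:37 greatwall snort: [1:0:0] TCP inbound to 17300 Kuang2
 {TCP} 68.69.0.146:4507 -> 12.82.134.102:17300
Aug 19 08:22:41 greatwall snort: [1:0:0] TCP inbound to 27374 SubSeven
 {TCP} 69.22.1.152:2735 -> 12.82.133.112:27374
Aug 19 08:22:42 greatwall kernel: eth0: link up
Aug 19 08:22:43 greatwall snort: [1:0:0] TCP inbound to 27374 SubSeven
 {TCP} 69.22.1.152:2735 -> 12.82.133.112:27374
Aug 19 09:01:10 greatwall snort: [1:0:0] TCP inbound to 17300 Kuang2
 {TCP} 192.0.2.10:1099 -> 12.82.133.112:17300
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ snort: \[[\d:]+\] (?P<msg>.+?) "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_alerts(text):
    """Re-join wrapped records, then parse each snort alert; other lines are skipped."""
    records = []
    for line in text.splitlines():
        if line[:1].isspace() and records:      # continuation of previous record
            records[-1] += " " + line.strip()
        else:
            records.append(line.rstrip())
    return [m.groupdict() for m in map(ALERT_RE.match, records) if m]

def summarize(alerts, repeat_threshold=3):
    """Tally probes per (port, signature) and per source; flag repeat sources."""
    per_port = Counter((a["dport"], a["msg"].split()[-1]) for a in alerts)
    per_source = Counter(a["src"] for a in alerts)
    persistent = sorted(ip for ip, n in per_source.items() if n >= repeat_threshold)
    return {"per_port": per_port, "per_source": per_source, "persistent": persistent}

if __name__ == "__main__":
    result = summarize(parse_alerts(SAMPLE_LOG))
    for (port, sig), n in sorted(result["per_port"].items()):
        print(f"port {port} ({sig}): {n} probes")
    print("repeat sources:", ", ".join(result["persistent"]) or "none")
```

Feed it a real syslog file instead of SAMPLE_LOG to get the same per-port and per-source counts for a day's worth of blocked probes.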
