[Dshield] port 1026-1031 update

Rodrigues, Philip phil.rodrigues at uconn.edu
Tue Dec 2 20:04:52 GMT 2003

On Tue, 2003-12-02 at 06:13, Chris Brenton wrote:
> Translation: "ye ha, you may have had multiple hosts that have been
> compromised" ;-p

Yeah, that's never happened before... :-)

We had four hosts scan for this by the end of last night - all starting
after 1600 EST.  The incoming scans I previously described ramped up
until midnight local, when they peaked then backed off.  Our hosts all
stopped scanning at midnight local.  My guess is that the external hosts
also stopped at midnight local to them, which would appear as a gradual
back-off of incoming scans to us.

Looking over the audit logs today I noticed three of the four hosts
visited the exact same two websites right before they started scanning. 
These sites were:
  unknown.servercentral.net   (824 byte http, then about 1.3 MB http)
  nt11.nshosts.com            (746 byte http, milliseconds after the first page)

One minute after they hit the second page the outbound connections to
1026/1030 start.  All with "normal" source ports (increasing from where
the last source port left off), and all with "00 00" in the payload.  A
few packets from one host are attached.

When a number of compromised hosts all connect to the same (non-AOL,
etc) website before they start behaving oddly, my guess of late is they
were exploited through an unpatched IE vulnerability.  We have put our
hands on one host briefly and confirmed it was well out of date on a
number of patches.  We may even find the app that kicked this off.

Here are the IPAudit logs from one host.  The columns are local IP,
remote IP, protocol, local port, remote port, in bytes, out bytes, time
started:

6 1485 80 88472   4249  17:27:21.5791
6 1486 80 15401   1203  17:27:27.9025
6 1489 80 4802    1159  17:28:16.9154
6 1490 80 1331056 25025 17:28:41.2205
6 1491 80 824     408   17:29:20.3522
6 1492 80 746     410   17:29:20.4347
(snip one min)
17 1528 1026 0 44 17:30:20.0967
17 1529 1030 0 44 17:30:20.0979
17 1528 1026 0 44 17:30:20.1787
17 1529 1030 0 44 17:30:20.1790
(these scans continue until midnight local)

I would agree that this was Windows Messenger spam, but they do not
appear to contain any ability to send a message.  They just tickle the
port and don't appear to connect.

The external scans seem to have dropped off to lower but steady level,
about 600 unique external IPs per hour for most of today.


Philip A. Rodrigues
Network Analyst, UITS
University of Connecticut

email: phil.rodrigues at uconn.edu
phone: 860.486.3743
fax: 860.486.6580
web: http://www.security.uconn.edu
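The pattern described above (several hosts fetch the same two web pages, then about a minute later each starts firing 44-byte UDP datagrams at ports 1026-1031 with no reply coming back) is easy to pull out of IPAudit-style flow records automatically. The following is an added example, not code from the original post or from IPAudit: it parses records in the column order the post lists, flags a host once it has "tickled" a threshold number of distinct remote IPs inside a short window, and then reports which web servers the flagged hosts all visited in the minutes before their scans began. The sample records are constructed for this example (the timestamps and port numbers follow the post's excerpt, but the IP addresses, the 5-target/60-second threshold and the 64-byte datagram ceiling are assumptions, since the post's excerpt has the IP columns stripped).

```python
"""Flag hosts that start a UDP 1026-1031 'tickle' scan shortly after fetching
the same web pages, from IPAudit-style flow records (example code)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# Column order as stated in the post:
#   local IP, remote IP, protocol, local port, remote port, in bytes, out bytes, time started
# Constructed sample records: times/ports mirror the post, IPs are hypothetical (RFC 5737 space).
SAMPLE_LOG = """\
192.0.2.10 203.0.113.5 6 1485 80 88472 4249 17:27:21.5791
192.0.2.10 203.0.113.7 6 1491 80 824 408 17:29:20.3522
192.0.2.10 203.0.113.8 6 1492 80 746 410 17:29:20.4347
192.0.2.10 198.51.100.1 17 1528 1026 0 44 17:30:20.0967
192.0.2.10 198.51.100.2 17 1529 1030 0 44 17:30:20.0979
192.0.2.10 198.51.100.3 17 1528 1026 0 44 17:30:20.1787
192.0.2.10 198.51.100.4 17 1529 1030 0 44 17:30:20.1790
192.0.2.10 198.51.100.5 17 1528 1026 0 44 17:30:20.2001
192.0.2.11 203.0.113.7 6 2201 80 824 410 17:40:02.0000
192.0.2.11 203.0.113.8 6 2202 80 746 409 17:40:02.1000
192.0.2.11 198.51.100.6 17 2210 1026 0 44 17:41:03.0000
192.0.2.11 198.51.100.7 17 2211 1030 0 44 17:41:03.0100
192.0.2.11 198.51.100.8 17 2210 1026 0 44 17:41:03.0200
192.0.2.11 198.51.100.9 17 2211 1030 0 44 17:41:03.0300
192.0.2.11 198.51.100.10 17 2210 1026 0 44 17:41:03.0400
192.0.2.12 203.0.113.9 6 3300 80 5000 400 17:45:00.0000
192.0.2.12 198.51.100.20 17 3301 1026 0 44 17:46:00.0000
"""

TICKLE_PORTS = range(1026, 1032)   # 1026-1031, the range in the thread subject
MAX_TICKLE_BYTES = 64              # assumption: the post shows 44-byte datagrams, no reply


class Flow(NamedTuple):
    local_ip: str
    remote_ip: str
    proto: int
    lport: int
    rport: int
    in_bytes: int
    out_bytes: int
    started: datetime


def parse_ipaudit(text):
    """Parse whitespace-separated IPAudit records; skip blank or truncated lines."""
    flows = []
    for line in text.splitlines():
        p = line.split()
        if len(p) != 8:
            continue
        flows.append(Flow(p[0], p[1], int(p[2]), int(p[3]), int(p[4]),
                          int(p[5]), int(p[6]),
                          datetime.strptime(p[7], "%H:%M:%S.%f")))
    return flows


def is_tickle(f):
    """UDP to the Messenger port range, tiny outbound payload, nothing came back."""
    return (f.proto == 17 and f.rport in TICKLE_PORTS
            and f.in_bytes == 0 and 0 < f.out_bytes <= MAX_TICKLE_BYTES)


def scan_onsets(flows, min_targets=5, window=timedelta(seconds=60)):
    """Return {local_ip: onset} for hosts that tickled >= min_targets distinct
    remote IPs within `window`; onset is the first tickle of that window."""
    by_host = defaultdict(list)
    for f in flows:
        if is_tickle(f):
            by_host[f.local_ip].append(f)
    onsets = {}
    for host, ticks in by_host.items():
        ticks.sort(key=lambda f: f.started)
        for i, first in enumerate(ticks):
            targets = {t.remote_ip for t in ticks[i:]
                       if t.started - first.started <= window}
            if len(targets) >= min_targets:
                onsets[host] = first.started
                break
    return onsets


def web_precursors(flows, host, onset, lookback=timedelta(minutes=5)):
    """Web servers (TCP/80) the host talked to in the `lookback` before its scan began."""
    return {f.remote_ip for f in flows
            if f.local_ip == host and f.proto == 6 and f.rport == 80
            and onset - lookback <= f.started < onset}


def shared_precursors(flows, min_hosts=2, **kw):
    """Web servers visited, before scanning, by at least `min_hosts` flagged hosts."""
    hits = Counter()
    for host, onset in scan_onsets(flows).items():
        hits.update(web_precursors(flows, host, onset, **kw))
    return {ip: n for ip, n in hits.items() if n >= min_hosts}


if __name__ == "__main__":
    flows = parse_ipaudit(SAMPLE_LOG)
    for host, onset in sorted(scan_onsets(flows).items()):
        print(f"{host} started tickling at {onset:%H:%M:%S}")
    print("common pages fetched just before scanning:", shared_precursors(flows))
```

With the sample data, 192.0.2.10 and 192.0.2.11 are flagged and 203.0.113.7 and 203.0.113.8 come out as the servers both fetched from just before scanning; 192.0.2.12, which sent only one tickle, stays below the threshold. The thresholds are the knobs to tune against real traffic: the distinct-target count keeps a single stray Messenger datagram from flagging a host, and the five-minute lookback matches the "one minute after they hit the second page" gap in the post with room to spare.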
