[Dshield] Blaster, or AOL strangeness...

john beck jbeck80 at hotmail.com
Tue Oct 7 20:40:25 GMT 2003


Good answers, and I checked: there are many trojans that use 4444. Here is a 
website that lists all the ports trojans use; it could help track what is going on.
http://www.simovits.com/sve/nyhetsarkiv/1999/nyheter9902.html
SANS has a list, but the one above has more info.
http://www.sans.org/resources/idfaq/oddports.php

JB


>
>We have been seeing this for at least one month.  I have been in contact 
>with someone via another list who works for AOL.  There is nothing valid on 
>port 4444 in the entire 205.188.134.xxx class C.  We haven't yet done any 
>heavy packet digging, but some preliminary looking shows that AOL IM makes 
>some use of 4444 on the client side.  The Sr Net Engineer here has also seen 
>some port scans that match the pattern of hits we saw on 4444.  The 4444 
>destination hits always occurred in patterns of 3 or 4.  They would occur 
>in clumps of 3 or 4, sometimes up to 4 times at once, generating a total 
>of 12 to 16 packets per client, on average.  We still don't know what is 
>triggering this.  Anyone else...?
>
>Glad we're not the only ones...
>Jason Brooks
>
>
>At 03:31 PM 10/7/2003 -0400, you wrote:
>>Since applying filters to port 4444 (Blaster), some unusual entries have 
>>shown up.  Local machines are trying to connect to <host>.websys.aol.com 
>>on port 4444.  What's up with this?
>>
>>Examples (munged to RFC1918 space):
>>>Oct  7 13:38:57.372 EDT: list dorm-in denied tcp 172.18.57.70(4011) -> 
>>>205.188.134.233(4444), 1 packet
>>>Oct  7 13:39:19.757 EDT: list dorm-in denied tcp 172.18.57.70(4013) -> 
>>>205.188.134.233(4444), 1 packet
>>>Oct  7 13:39:54.317 EDT: list dorm-in denied tcp 172.18.57.70(4018) -> 
>>>205.188.134.233(4444), 1 packet
>>>Oct  7 13:40:17.038 EDT: list dorm-in denied tcp 172.18.57.70(4021) -> 
>>>205.188.134.233(4444), 1 packet
>>>Oct  7 13:42:48.849 EDT: list dorm-in denied tcp 172.18.57.70(4011) -> 
>>>205.188.134.233(4444), 2 packets
>>>Oct  7 13:43:03.833 EDT: list dorm-in denied tcp 172.18.57.70(4013) -> 
>>>205.188.134.233(4444), 2 packets
>>>Oct  7 13:43:06.021 EDT: list dorm-in denied tcp 172.18.57.70(4018) -> 
>>>205.188.134.233(4444), 2 packets
>>>Oct  7 13:43:10.833 EDT: list dorm-in denied tcp 172.18.57.70(4021) -> 
>>>205.188.134.233(4444), 1 packet
>>>Oct  7 13:43:14.113 EDT: list dorm-in denied tcp 172.18.57.70(4022) -> 
>>>205.188.134.233(4444), 1 packet
>>>Oct  7 13:54:13.978 EDT: list dorm-in denied tcp 172.18.121.247(1726) -> 
>>>205.188.134.237(4444), 1 packet
>>>Oct  7 13:54:34.911 EDT: list dorm-in denied tcp 172.18.121.247(1727) -> 
>>>205.188.134.237(4444), 1 packet
>>>Oct  7 13:59:54.805 EDT: list dorm-in denied tcp 172.18.121.247(1726) -> 
>>>205.188.134.237(4444), 2 packets
>>>Oct  7 14:15:54.324 EDT: list dorm-in denied tcp 172.18.33.71(3451) -> 
>>>205.188.134.234(4444), 1 packet
>>>Oct  7 14:16:19.768 EDT: list dorm-in denied tcp 172.18.33.71(3453) -> 
>>>205.188.134.234(4444), 1 packet
>>>Oct  7 14:20:54.913 EDT: list dorm-in denied tcp 172.18.33.71(3451) -> 
>>>205.188.134.234(4444), 2 packets
>>>Oct  7 14:21:54.918 EDT: list dorm-in denied tcp 172.18.33.71(3453) -> 
>>>205.188.134.234(4444), 2 packets
>>>Oct  7 15:10:55.944 EDT: list dorm-in denied tcp 172.18.17.116(50268) -> 
>>>205.188.134.234(4444), 1 packet
>>>Oct  7 15:12:10.793 EDT: list dorm-in denied tcp 172.18.17.116(50269) -> 
>>>205.188.134.234(4444), 1 packet
>>>Oct  7 15:12:26.773 EDT: list dorm-in denied tcp 172.18.17.116(50273) -> 
>>>205.188.134.234(4444), 1 packet
>>>Oct  7 15:16:55.195 EDT: list dorm-in denied tcp 172.18.17.116(50268) -> 
>>>205.188.134.234(4444), 8 packets
>>>Oct  7 15:17:55.199 EDT: list dorm-in denied tcp 172.18.17.116(50269) -> 
>>>205.188.134.234(4444), 4 packets
>>
>>>Oct  7 14:39:11.441 EDT: list stop-sql denied tcp 172.16.89.50(1134) -> 
>>>205.188.134.237(4444), 1 packet
>>>Oct  7 14:39:33.046 EDT: list stop-sql denied tcp 172.16.89.50(1136) -> 
>>>205.188.134.237(4444), 1 packet
>>>Oct  7 14:39:55.254 EDT: list stop-sql denied tcp 172.16.89.50(1141) -> 
>>>205.188.134.235(4444), 1 packet
>>>Oct  7 14:45:12.234 EDT: list stop-sql denied tcp 172.16.89.50(1136) -> 
>>>205.188.134.237(4444), 2 packets
>>
>>>[jeff at netsyslog jeff]$ host 205.188.134.233
>>>233.134.188.205.in-addr.arpa domain name pointer ht-s11.websys.aol.com.
>>>[jeff at netsyslog jeff]$ host 205.188.134.234
>>>234.134.188.205.in-addr.arpa domain name pointer ht-s12.websys.aol.com.
>>>[jeff at netsyslog jeff]$ host 205.188.134.235
>>>235.134.188.205.in-addr.arpa domain name pointer ht-s13.websys.aol.com.
>>>[jeff at netsyslog jeff]$ host 205.188.134.237
>>>237.134.188.205.in-addr.arpa domain name pointer ht-s15.websys.aol.com.
>>
>>Jeff
>>
>>
>>_______________________________________________
>>list mailing list
>>list at dshield.org
>>To change your subscription options (or unsubscribe), see: 
>>http://www.dshield.org/mailman/listinfo/list
>
>Jason Brooks
>Information Security Technician
>IITS
>116 - B Coyner
>Longwood University
>201 High Street
>Farmville, VA 23901
>(434) 395-2796
>
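As an added illustration (not code from anyone in this thread), a small Python triage script that parses ACL deny lines in the format Jeff quoted, tallies the port 4444 hits per internal host, and separates hosts whose hits all went to the 205.188.134.0/24 (websys.aol.com) block Jason describes from any host whose 4444 hits went elsewhere. The sample lines are constructed from the post's format, and the 192.0.2.77 destination is invented for contrast.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in the ACL-deny format quoted in the thread (sources munged
# to RFC1918 space as in the post); the 192.0.2.77 line is invented for contrast.
SAMPLE_LOG = """\
Oct  7 13:38:57.372 EDT: list dorm-in denied tcp 172.18.57.70(4011) -> 205.188.134.233(4444), 1 packet
Oct  7 13:39:19.757 EDT: list dorm-in denied tcp 172.18.57.70(4013) -> 205.188.134.233(4444), 1 packet
Oct  7 13:42:48.849 EDT: list dorm-in denied tcp 172.18.57.70(4011) -> 205.188.134.233(4444), 2 packets
Oct  7 13:54:13.978 EDT: list dorm-in denied tcp 172.18.121.247(1726) -> 205.188.134.237(4444), 1 packet
Oct  7 14:10:01.000 EDT: list dorm-in denied tcp 172.18.9.9(1034) -> 192.0.2.77(4444), 1 packet
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+ \w+): list (?P<acl>\S+) denied "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<pkts>\d+) packets?$"
)
AOL_NET = ip_network("205.188.134.0/24")  # websys.aol.com block named in the thread
INT_FIELDS = ("sport", "dport", "pkts")

def parse_line(line):
    """Fields of one ACL deny line as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {k: int(v) if k in INT_FIELDS else v for k, v in m.groupdict().items()}

def summarize(log_text, dport=4444, known_net=AOL_NET):
    """Per-source tally of denied connections to dport: attempts, packets,
    distinct destinations, and whether every destination was inside known_net."""
    out = defaultdict(lambda: {"attempts": 0, "packets": 0, "dsts": set(), "only_known_net": True})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] != dport:
            continue
        e = out[rec["src"]]
        e["attempts"] += 1
        e["packets"] += rec["pkts"]
        e["dsts"].add(rec["dst"])
        if ip_address(rec["dst"]) not in known_net:
            e["only_known_net"] = False
    return {src: dict(e, dsts=sorted(e["dsts"])) for src, e in out.items()}

def triage(summary):
    """Sources with 4444 hits outside the known block: the ones to look at first."""
    return sorted(src for src, e in summary.items() if not e["only_known_net"])
```

Hosts that only ever hit the AOL block in small clumps match the IM-client quirk discussed above; a host that reaches for 4444 anywhere else is the one to check for Blaster or a backdoor listener.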
