[Dshield] Blaster, or AOL strangeness...

Jason Brooks jbrooks at longwood.edu
Wed Oct 8 12:14:32 GMT 2003


John,
         I would wonder if this is the case.  These are the ports infected 
machines <<listen>> on, yes?  Unless AOL has an entire class C infected, 
this doesn't appear to be the case, at least from what we've seen here.  My 
contact with an individual at AOL stated that there were no openings on port 
4444 on the class C in question.
Jason Brooks
At 03:40 PM 10/7/2003 -0500, you wrote:
>Good answers, and I checked: there are many trojans that use 4444.  Here is 
>a website that lists all ports trojans use; it could help track what is going on.
>http://www.simovits.com/sve/nyhetsarkiv/1999/nyheter9902.html
>SANS has a list, but the one above has more info.
>http://www.sans.org/resources/idfaq/oddports.php
>
>JB
>
>
>>
>>We have been seeing this for at least one month.  I have been in contact 
>>with someone via another list who works for AOL.  There is nothing valid 
>>on port 4444 in the entire 205.188.134.xxx class C.  We haven't yet done 
>>any heavy packet digging, but some preliminary looking shows that AOL IM 
>>makes some use of 4444 on the client side.  The Sr Net Engineer here has 
>>also seen some port scans that match the pattern of hits we saw on 
>>4444.  The 4444 destination hits always occurred in patterns of 3 or 
>>4.  They would occur in clumps of 3 or 4, sometimes up to 4 times at 
>>once, generating a total of 12 to 16 packets per client, on average.  We 
>>still don't know what is triggering this.  Anyone else...?
>>
>>Glad we're not the only ones...
>>Jason Brooks
>>
>>
>>At 03:31 PM 10/7/2003 -0400, you wrote:
>>>Since applying filters to port 4444 (Blaster), some unusual entries have 
>>>shown up.  Local machines are trying to connect to <host>.websys.aol.com 
>>>on port 4444.  What's up with this?
>>>
>>>Examples (munged to RFC1918 space):
>>>>Oct  7 13:38:57.372 EDT: list dorm-in denied tcp 172.18.57.70(4011) -> 
>>>>205.188.134.233(4444), 1 packet
>>>>Oct  7 13:39:19.757 EDT: list dorm-in denied tcp 172.18.57.70(4013) -> 
>>>>205.188.134.233(4444), 1 packet
>>>>Oct  7 13:39:54.317 EDT: list dorm-in denied tcp 172.18.57.70(4018) -> 
>>>>205.188.134.233(4444), 1 packet
>>>>Oct  7 13:40:17.038 EDT: list dorm-in denied tcp 172.18.57.70(4021) -> 
>>>>205.188.134.233(4444), 1 packet
>>>>Oct  7 13:42:48.849 EDT: list dorm-in denied tcp 172.18.57.70(4011) -> 
>>>>205.188.134.233(4444), 2 packets
>>>>Oct  7 13:43:03.833 EDT: list dorm-in denied tcp 172.18.57.70(4013) -> 
>>>>205.188.134.233(4444), 2 packets
>>>>Oct  7 13:43:06.021 EDT: list dorm-in denied tcp 172.18.57.70(4018) -> 
>>>>205.188.134.233(4444), 2 packets
>>>>Oct  7 13:43:10.833 EDT: list dorm-in denied tcp 172.18.57.70(4021) -> 
>>>>205.188.134.233(4444), 1 packet
>>>>Oct  7 13:43:14.113 EDT: list dorm-in denied tcp 172.18.57.70(4022) -> 
>>>>205.188.134.233(4444), 1 packet
>>>>Oct  7 13:54:13.978 EDT: list dorm-in denied tcp 172.18.121.247(1726) 
>>>>-> 205.188.134.237(4444), 1 packet
>>>>Oct  7 13:54:34.911 EDT: list dorm-in denied tcp 172.18.121.247(1727) 
>>>>-> 205.188.134.237(4444), 1 packet
>>>>Oct  7 13:59:54.805 EDT: list dorm-in denied tcp 172.18.121.247(1726) 
>>>>-> 205.188.134.237(4444), 2 packets
>>>>Oct  7 14:15:54.324 EDT: list dorm-in denied tcp 172.18.33.71(3451) -> 
>>>>205.188.134.234(4444), 1 packet
>>>>Oct  7 14:16:19.768 EDT: list dorm-in denied tcp 172.18.33.71(3453) -> 
>>>>205.188.134.234(4444), 1 packet
>>>>Oct  7 14:20:54.913 EDT: list dorm-in denied tcp 172.18.33.71(3451) -> 
>>>>205.188.134.234(4444), 2 packets
>>>>Oct  7 14:21:54.918 EDT: list dorm-in denied tcp 172.18.33.71(3453) -> 
>>>>205.188.134.234(4444), 2 packets
>>>>Oct  7 15:10:55.944 EDT: list dorm-in denied tcp 172.18.17.116(50268) 
>>>>-> 205.188.134.234(4444), 1 packet
>>>>Oct  7 15:12:10.793 EDT: list dorm-in denied tcp 172.18.17.116(50269) 
>>>>-> 205.188.134.234(4444), 1 packet
>>>>Oct  7 15:12:26.773 EDT: list dorm-in denied tcp 172.18.17.116(50273) 
>>>>-> 205.188.134.234(4444), 1 packet
>>>>Oct  7 15:16:55.195 EDT: list dorm-in denied tcp 172.18.17.116(50268) 
>>>>-> 205.188.134.234(4444), 8 packets
>>>>Oct  7 15:17:55.199 EDT: list dorm-in denied tcp 172.18.17.116(50269) 
>>>>-> 205.188.134.234(4444), 4 packets
>>>
>>>>Oct  7 14:39:11.441 EDT: list stop-sql denied tcp 172.16.89.50(1134) -> 
>>>>205.188.134.237(4444), 1 packet
>>>>Oct  7 14:39:33.046 EDT: list stop-sql denied tcp 172.16.89.50(1136) -> 
>>>>205.188.134.237(4444), 1 packet
>>>>Oct  7 14:39:55.254 EDT: list stop-sql denied tcp 172.16.89.50(1141) -> 
>>>>205.188.134.235(4444), 1 packet
>>>>Oct  7 14:45:12.234 EDT: list stop-sql denied tcp 172.16.89.50(1136) -> 
>>>>205.188.134.237(4444), 2 packets
>>>
>>>>[jeff at netsyslog jeff]$ host 205.188.134.233
>>>>233.134.188.205.in-addr.arpa domain name pointer ht-s11.websys.aol.com.
>>>>[jeff at netsyslog jeff]$ host 205.188.134.234
>>>>234.134.188.205.in-addr.arpa domain name pointer ht-s12.websys.aol.com.
>>>>[jeff at netsyslog jeff]$ host 205.188.134.235
>>>>235.134.188.205.in-addr.arpa domain name pointer ht-s13.websys.aol.com.
>>>>[jeff at netsyslog jeff]$ host 205.188.134.237
>>>>237.134.188.205.in-addr.arpa domain name pointer ht-s15.websys.aol.com.
>>>
>>>Jeff
>>>
>>>
>>>_______________________________________________
>>>list mailing list
>>>list at dshield.org
>>>To change your subscription options (or unsubscribe), see: 
>>>http://www.dshield.org/mailman/listinfo/list
>>
>>Jason Brooks
>>Information Security Technician
>>IITS
>>116 - B Coyner
>>Longwood University
>>201 High Street
>>Farmville, VA 23901
>>(434) 395-2796
>>
>
>

Jason Brooks
Information Security Technician
IITS
116 - B Coyner
Longwood University
201 High Street
Farmville, VA 23901
(434) 395-2796
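As an added example (not part of the thread, and not anything the list members posted), here is a small Python parser for the Cisco-style ACL deny lines quoted above. The sample lines are constructed from the munged examples in Jeff's message; the parser groups denied port-4444 flows per local source host and reports distinct flows, distinct destinations and total packets, which is the per-client clumping Jason describes and the figure you would compare against a worm's sweep of many destinations.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on Jeff's munged examples (not a live capture).
SAMPLE_LOG = """\
Oct  7 13:38:57.372 EDT: list dorm-in denied tcp 172.18.57.70(4011) -> 205.188.134.233(4444), 1 packet
Oct  7 13:39:19.757 EDT: list dorm-in denied tcp 172.18.57.70(4013) -> 205.188.134.233(4444), 1 packet
Oct  7 13:39:54.317 EDT: list dorm-in denied tcp 172.18.57.70(4018) -> 205.188.134.233(4444), 1 packet
Oct  7 13:42:48.849 EDT: list dorm-in denied tcp 172.18.57.70(4011) -> 205.188.134.233(4444), 2 packets
Oct  7 13:54:13.978 EDT: list dorm-in denied tcp 172.18.121.247(1726) -> 205.188.134.237(4444), 1 packet
Oct  7 13:59:54.805 EDT: list dorm-in denied tcp 172.18.121.247(1726) -> 205.188.134.237(4444), 2 packets
Oct  7 14:39:11.441 EDT: list stop-sql denied tcp 172.16.89.50(1134) -> 205.188.134.237(4444), 1 packet
Oct  7 15:16:55.195 EDT: list dorm-in denied tcp 172.18.17.116(50268) -> 205.188.134.234(4444), 8 packets
"""

# Cisco IOS ACL log format as it appears in the thread: timestamp, ACL name, protocol,
# src(sport) -> dst(dport), and the packet count the router aggregated for that flow.
ACL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+ \w+): list (?P<acl>\S+) denied "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?$"
)

def parse_line(line):
    """Return the fields of one ACL deny line as a dict, or None if it does not match."""
    m = ACL_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for k in ("sport", "dport", "count"):
        rec[k] = int(rec[k])
    return rec

def summarize_by_source(log_text, dport=4444):
    """Per source host: distinct flows, distinct destinations and total packets to dport."""
    # A source port logged twice (e.g. 4011) is the same connection being retried, so
    # flows are keyed on (sport, dst) instead of counting log lines.
    stats = defaultdict(lambda: {"flows": set(), "dsts": set(), "packets": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] != dport:
            continue
        s = stats[rec["src"]]
        s["flows"].add((rec["sport"], rec["dst"]))
        s["dsts"].add(rec["dst"])
        s["packets"] += rec["count"]
    return {src: {"flows": len(v["flows"]), "dsts": len(v["dsts"]), "packets": v["packets"]}
            for src, v in stats.items()}

if __name__ == "__main__":
    for src, v in sorted(summarize_by_source(SAMPLE_LOG).items()):
        print(f"{src:16} flows={v['flows']} dsts={v['dsts']} packets={v['packets']}")
```

A host with a handful of flows to one or two AOL addresses looks like client software retrying a connection; a host with many distinct destinations on 4444 is what a Blaster-style scan would produce.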