[Dshield] Blaster, or AOL strangeness...

john beck jbeck80 at hotmail.com
Wed Oct 8 14:33:28 GMT 2003


Good answer, and it makes sense; I am leaning more towards "adware"?  I think 
isolating a machine on a lab network and running a sniffer or Snort would show what is 
going on.  Does the network in question have Snort running, or any IDS, that 
may be alerting on these packets?  Also, there are port scanners that will 
scan a machine remotely and tell what is running on port 4444 trying to 
connect to the inet host; I can't think of any names of utils (need more 
coffee).  I wonder what netstat -a is showing on the machines.

John Beck


>From: Jason Brooks <jbrooks at longwood.edu>
>Reply-To: General DShield Discussion List <list at dshield.org>
>To: General DShield Discussion List <list at dshield.org>
>Subject: Re: [Dshield] Blaster, or AOL strangeness...
>Date: Wed, 08 Oct 2003 08:14:32 -0400
>
>John,
>         I would wonder if this is the case.  These are the ports infected 
>machines <<listen>> on, yes?  Unless AOL has an entire class C infected, 
>this doesn't appear to be the case, at least from what we've seen here.  My 
>contact with an individual at AOL stated that there were no openings on port 
>4444 on the class C in question.
>Jason Brooks
>At 03:40 PM 10/7/2003 -0500, you wrote:
>>Good answers, and I checked: there are many trojans that use 4444.  Here is 
>>a website that lists all the ports trojans use; it could help track what is going 
>>on.
>>http://www.simovits.com/sve/nyhetsarkiv/1999/nyheter9902.html
>>Sans has a list but the one above has more info.
>>http://www.sans.org/resources/idfaq/oddports.php
>>
>>JB
>>
>>
>>>
>>>We have been seeing this for at least one month.  I have been in contact 
>>>with someone via another list who works for AOL.  There is nothing valid 
>>>on port 4444 in the entire 205.188.134.xxx class C.  We haven't yet done 
>>>any heavy packet digging, but some preliminary looking shows that AOL IM 
>>>makes some use of 4444 on the client side.  The Sr Net Engineer here has 
>>>also seen some port scans that match the pattern of hits we saw on 4444.  
>>>The 4444 destination hits always occurred in patterns of 3 or 4.  They 
>>>would occur in clumps of 3 or 4, sometimes up to 4 times at once, 
>>>generating a total of 12 to 16 packets per client, on average.  We still 
>>>don't know what is triggering this.  Anyone else...?
>>>
>>>Glad we're not the only ones...
>>>Jason Brooks
>>>
>>>
>>>At 03:31 PM 10/7/2003 -0400, you wrote:
>>>>Since applying filters to port 4444 (Blaster), some unusual entries have 
>>>>shown up.  Local machines are trying to connect to <host>.websys.aol.com 
>>>>on port 4444.  What's up with this?
>>>>
>>>>Examples (munged to RFC1918 space):
>>>>>Oct  7 13:38:57.372 EDT: list dorm-in denied tcp 172.18.57.70(4011) -> 205.188.134.233(4444), 1 packet
>>>>>Oct  7 13:39:19.757 EDT: list dorm-in denied tcp 172.18.57.70(4013) -> 205.188.134.233(4444), 1 packet
>>>>>Oct  7 13:39:54.317 EDT: list dorm-in denied tcp 172.18.57.70(4018) -> 205.188.134.233(4444), 1 packet
>>>>>Oct  7 13:40:17.038 EDT: list dorm-in denied tcp 172.18.57.70(4021) -> 205.188.134.233(4444), 1 packet
>>>>>Oct  7 13:42:48.849 EDT: list dorm-in denied tcp 172.18.57.70(4011) -> 205.188.134.233(4444), 2 packets
>>>>>Oct  7 13:43:03.833 EDT: list dorm-in denied tcp 172.18.57.70(4013) -> 205.188.134.233(4444), 2 packets
>>>>>Oct  7 13:43:06.021 EDT: list dorm-in denied tcp 172.18.57.70(4018) -> 205.188.134.233(4444), 2 packets
>>>>>Oct  7 13:43:10.833 EDT: list dorm-in denied tcp 172.18.57.70(4021) -> 205.188.134.233(4444), 1 packet
>>>>>Oct  7 13:43:14.113 EDT: list dorm-in denied tcp 172.18.57.70(4022) -> 205.188.134.233(4444), 1 packet
>>>>>Oct  7 13:54:13.978 EDT: list dorm-in denied tcp 172.18.121.247(1726) -> 205.188.134.237(4444), 1 packet
>>>>>Oct  7 13:54:34.911 EDT: list dorm-in denied tcp 172.18.121.247(1727) -> 205.188.134.237(4444), 1 packet
>>>>>Oct  7 13:59:54.805 EDT: list dorm-in denied tcp 172.18.121.247(1726) -> 205.188.134.237(4444), 2 packets
>>>>>Oct  7 14:15:54.324 EDT: list dorm-in denied tcp 172.18.33.71(3451) -> 205.188.134.234(4444), 1 packet
>>>>>Oct  7 14:16:19.768 EDT: list dorm-in denied tcp 172.18.33.71(3453) -> 205.188.134.234(4444), 1 packet
>>>>>Oct  7 14:20:54.913 EDT: list dorm-in denied tcp 172.18.33.71(3451) -> 205.188.134.234(4444), 2 packets
>>>>>Oct  7 14:21:54.918 EDT: list dorm-in denied tcp 172.18.33.71(3453) -> 205.188.134.234(4444), 2 packets
>>>>>Oct  7 15:10:55.944 EDT: list dorm-in denied tcp 172.18.17.116(50268) -> 205.188.134.234(4444), 1 packet
>>>>>Oct  7 15:12:10.793 EDT: list dorm-in denied tcp 172.18.17.116(50269) -> 205.188.134.234(4444), 1 packet
>>>>>Oct  7 15:12:26.773 EDT: list dorm-in denied tcp 172.18.17.116(50273) -> 205.188.134.234(4444), 1 packet
>>>>>Oct  7 15:16:55.195 EDT: list dorm-in denied tcp 172.18.17.116(50268) -> 205.188.134.234(4444), 8 packets
>>>>>Oct  7 15:17:55.199 EDT: list dorm-in denied tcp 172.18.17.116(50269) -> 205.188.134.234(4444), 4 packets
>>>>
>>>>>Oct  7 14:39:11.441 EDT: list stop-sql denied tcp 172.16.89.50(1134) -> 205.188.134.237(4444), 1 packet
>>>>>Oct  7 14:39:33.046 EDT: list stop-sql denied tcp 172.16.89.50(1136) -> 205.188.134.237(4444), 1 packet
>>>>>Oct  7 14:39:55.254 EDT: list stop-sql denied tcp 172.16.89.50(1141) -> 205.188.134.235(4444), 1 packet
>>>>>Oct  7 14:45:12.234 EDT: list stop-sql denied tcp 172.16.89.50(1136) -> 205.188.134.237(4444), 2 packets
>>>>
>>>>>[jeff at netsyslog jeff]$ host 205.188.134.233
>>>>>233.134.188.205.in-addr.arpa domain name pointer ht-s11.websys.aol.com.
>>>>>[jeff at netsyslog jeff]$ host 205.188.134.234
>>>>>234.134.188.205.in-addr.arpa domain name pointer ht-s12.websys.aol.com.
>>>>>[jeff at netsyslog jeff]$ host 205.188.134.235
>>>>>235.134.188.205.in-addr.arpa domain name pointer ht-s13.websys.aol.com.
>>>>>[jeff at netsyslog jeff]$ host 205.188.134.237
>>>>>237.134.188.205.in-addr.arpa domain name pointer ht-s15.websys.aol.com.
>>>>
>>>>Jeff
>>>>
>>>>
>>>>_______________________________________________
>>>>list mailing list
>>>>list at dshield.org
>>>>To change your subscription options (or unsubscribe), see: 
>>>>http://www.dshield.org/mailman/listinfo/list
>>>
>>>Jason Brooks
>>>Information Security Technician
>>>IITS
>>>116 - B Coyner
>>>Longwood University
>>>201 High Street
>>>Farmville, VA 23901
>>>(434) 395-2796
>>>
>>
>>
>
>Jason Brooks
>Information Security Technician
>IITS
>116 - B Coyner
>Longwood University
>201 High Street
>Farmville, VA 23901
>(434) 395-2796
>
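An added example, not from any poster in this thread, of the first-pass triage John suggests before reaching for a sniffer: it parses the Cisco ACL deny lines quoted above, groups them per client and AOL host, and separates new connection attempts (a new ephemeral source port) from retries of an attempt already logged (the same source port again, which is how the later "2 packets" entries read). The regex, the three-connection threshold and the retry interpretation are this example's assumptions; the sample lines are taken from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Cisco ACL deny line format as quoted in the thread, each log line re-joined onto one line.
LOG_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\.\d+\s+\w+:\s+list\s+(?P<acl>\S+)\s+denied\s+"
    r"(?P<proto>\w+)\s+(?P<src>[\d.]+)\((?P<sport>\d+)\)\s+->\s+(?P<dst>[\d.]+)\((?P<dport>\d+)\),"
    r"\s+(?P<pkts>\d+)\s+packets?$")

# Sample input: seven of the (RFC1918-munged) deny lines quoted in the thread.
SAMPLE_LOG = """\
Oct  7 13:38:57.372 EDT: list dorm-in denied tcp 172.18.57.70(4011) -> 205.188.134.233(4444), 1 packet
Oct  7 13:39:19.757 EDT: list dorm-in denied tcp 172.18.57.70(4013) -> 205.188.134.233(4444), 1 packet
Oct  7 13:39:54.317 EDT: list dorm-in denied tcp 172.18.57.70(4018) -> 205.188.134.233(4444), 1 packet
Oct  7 13:42:48.849 EDT: list dorm-in denied tcp 172.18.57.70(4011) -> 205.188.134.233(4444), 2 packets
Oct  7 13:54:13.978 EDT: list dorm-in denied tcp 172.18.121.247(1726) -> 205.188.134.237(4444), 1 packet
Oct  7 13:59:54.805 EDT: list dorm-in denied tcp 172.18.121.247(1726) -> 205.188.134.237(4444), 2 packets
Oct  7 14:39:11.441 EDT: list stop-sql denied tcp 172.16.89.50(1134) -> 205.188.134.237(4444), 1 packet
"""

def parse_line(line):
    """Fields of one ACL deny line (ports/packets as int, 'ts' as datetime), or None if no match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    # The log carries no year; strptime defaults to 1900, which is fine for time differences.
    f["ts"] = datetime.strptime(" ".join(f.pop("stamp").split()), "%b %d %H:%M:%S")
    f.update({k: int(f[k]) for k in ("sport", "dport", "pkts")})
    return f

def summarize(lines, dport=4444):
    """Group TCP denies to dport by (src, dst).  A repeated (src, sport) pair is assumed to be
    the same connection being retried, so distinct source ports count the real attempts."""
    groups = defaultdict(list)
    for f in filter(None, map(parse_line, lines)):
        if f["proto"] == "tcp" and f["dport"] == dport:
            groups[(f["src"], f["dst"])].append(f)
    summary = {}
    for key, recs in groups.items():
        ports, stamps = {f["sport"] for f in recs}, [f["ts"] for f in recs]
        summary[key] = {"connections": len(ports), "retries": len(recs) - len(ports),
                        "packets": sum(f["pkts"] for f in recs),
                        "span_s": int((max(stamps) - min(stamps)).total_seconds())}
    return summary

def flag_clients(summary, min_connections=3):
    """Client IPs that opened at least min_connections distinct connections to one destination."""
    return sorted({src for (src, _), s in summary.items() if s["connections"] >= min_connections})
```

The flagged clients are the machines worth checking with netstat -a or a host-side sniffer, as John proposes; the per-pair span shows how tightly the clumps are bunched in time.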




