[Dshield] Blaster, or AOL strangeness...

Jason Brooks jbrooks at longwood.edu
Wed Oct 8 16:00:20 GMT 2003


We've never been able to have a live capture of these activities.  However, 
I think that scanning a host for an open 4444 won't necessarily work - 
that's the destination, not source, port.  We have talked about sniffing 
the line for some of these particular machines, but haven't yet.  If we do, 
we could have an idea of what the source port is, then use netstat and 
fport from there, along with nmap -sV to see if it is a known service.
Jason


At 09:33 AM 10/8/2003 -0500, you wrote:
>Good answer, and makes sense; I am leaning more towards "adware"?  I think 
>isolating a machine on a lab network and running a sniffer or Snort to see what is 
>going on.  Does the network in question have Snort running or any IDS 
>that may be alerting to these packets?  Also there are port scanners that 
>will scan a machine remotely and tell what is running on the port 4444 
>trying to connect to the inet host; can't think of any names of utils (need 
>more coffee).  I wonder what netstat -a is showing on machines.
>
>John Beck
>
>
>>From: Jason Brooks <jbrooks at longwood.edu>
>>Reply-To: General DShield Discussion List <list at dshield.org>
>>To: General DShield Discussion List <list at dshield.org>
>>Subject: Re: [Dshield] Blaster, or AOL strangeness...
>>Date: Wed, 08 Oct 2003 08:14:32 -0400
>>
>>John,
>>         I would wonder if this is the case.  These are the ports 
>> infected machines <<listen>> on, yes?  Unless AOL has an entire class C 
>> infected, this doesn't appear to be the case, at least from what we've 
>> seen here.  My contact with an individual at AOL stated that there were 
>> no openings on port 4444 on the class C in question.
>>Jason Brooks
>>At 03:40 PM 10/7/2003 -0500, you wrote:
>>>Good answers, and I checked: there are many trojans that use 4444.  Here 
>>>is a website that lists all ports trojans use; it could help track what is 
>>>going on.
>>>http://www.simovits.com/sve/nyhetsarkiv/1999/nyheter9902.html
>>>SANS has a list, but the one above has more info.
>>>http://www.sans.org/resources/idfaq/oddports.php
>>>
>>>JB
>>>
>>>
>>>>
>>>>We have been seeing this for at least one month.  I have been in 
>>>>contact with someone via another list who works for AOL.  There is 
>>>>nothing valid on port 4444 in the entire 205.188.134.xxx class C.  We 
>>>>haven't yet done any heavy packet digging, but some preliminary looking 
>>>>shows that AOL IM makes some use of 4444 on the client side.  The Sr 
>>>>Net Engineer here has also seen some port scans that match the pattern 
>>>>of hits we saw on 4444.
>>>>The 4444 destination hits always occurred in patterns of 3 or 4.  They 
>>>>would occur in clumps of 3 or 4, sometimes up to 4 times at once, 
>>>>generating a total of 12 to 16 packets per client, on average.  We 
>>>>still don't know what is triggering this.  Anyone else...?
>>>>
>>>>Glad we're not the only ones...
>>>>Jason Brooks
>>>>
>>>>
>>>>At 03:31 PM 10/7/2003 -0400, you wrote:
>>>>>Since applying filters to port 4444 (Blaster), some unusual entries 
>>>>>have shown up.  Local machines are trying to connect to 
>>>>><host>.websys.aol.com on port 4444.  What's up with this?
>>>>>
>>>>>Examples (munged to RFC1918 space):
>>>>>>Oct  7 13:38:57.372 EDT: list dorm-in denied tcp 172.18.57.70(4011) 
>>>>>>-> 205.188.134.233(4444), 1 packet
>>>>>>Oct  7 13:39:19.757 EDT: list dorm-in denied tcp 172.18.57.70(4013) 
>>>>>>-> 205.188.134.233(4444), 1 packet
>>>>>>Oct  7 13:39:54.317 EDT: list dorm-in denied tcp 172.18.57.70(4018) 
>>>>>>-> 205.188.134.233(4444), 1 packet
>>>>>>Oct  7 13:40:17.038 EDT: list dorm-in denied tcp 172.18.57.70(4021) 
>>>>>>-> 205.188.134.233(4444), 1 packet
>>>>>>Oct  7 13:42:48.849 EDT: list dorm-in denied tcp 172.18.57.70(4011) 
>>>>>>-> 205.188.134.233(4444), 2 packets
>>>>>>Oct  7 13:43:03.833 EDT: list dorm-in denied tcp 172.18.57.70(4013) 
>>>>>>-> 205.188.134.233(4444), 2 packets
>>>>>>Oct  7 13:43:06.021 EDT: list dorm-in denied tcp 172.18.57.70(4018) 
>>>>>>-> 205.188.134.233(4444), 2 packets
>>>>>>Oct  7 13:43:10.833 EDT: list dorm-in denied tcp 172.18.57.70(4021) 
>>>>>>-> 205.188.134.233(4444), 1 packet
>>>>>>Oct  7 13:43:14.113 EDT: list dorm-in denied tcp 172.18.57.70(4022) 
>>>>>>-> 205.188.134.233(4444), 1 packet
>>>>>>Oct  7 13:54:13.978 EDT: list dorm-in denied tcp 172.18.121.247(1726) 
>>>>>>-> 205.188.134.237(4444), 1 packet
>>>>>>Oct  7 13:54:34.911 EDT: list dorm-in denied tcp 172.18.121.247(1727) 
>>>>>>-> 205.188.134.237(4444), 1 packet
>>>>>>Oct  7 13:59:54.805 EDT: list dorm-in denied tcp 172.18.121.247(1726) 
>>>>>>-> 205.188.134.237(4444), 2 packets
>>>>>>Oct  7 14:15:54.324 EDT: list dorm-in denied tcp 172.18.33.71(3451) 
>>>>>>-> 205.188.134.234(4444), 1 packet
>>>>>>Oct  7 14:16:19.768 EDT: list dorm-in denied tcp 172.18.33.71(3453) 
>>>>>>-> 205.188.134.234(4444), 1 packet
>>>>>>Oct  7 14:20:54.913 EDT: list dorm-in denied tcp 172.18.33.71(3451) 
>>>>>>-> 205.188.134.234(4444), 2 packets
>>>>>>Oct  7 14:21:54.918 EDT: list dorm-in denied tcp 172.18.33.71(3453) 
>>>>>>-> 205.188.134.234(4444), 2 packets
>>>>>>Oct  7 15:10:55.944 EDT: list dorm-in denied tcp 172.18.17.116(50268) 
>>>>>>-> 205.188.134.234(4444), 1 packet
>>>>>>Oct  7 15:12:10.793 EDT: list dorm-in denied tcp 172.18.17.116(50269) 
>>>>>>-> 205.188.134.234(4444), 1 packet
>>>>>>Oct  7 15:12:26.773 EDT: list dorm-in denied tcp 172.18.17.116(50273) 
>>>>>>-> 205.188.134.234(4444), 1 packet
>>>>>>Oct  7 15:16:55.195 EDT: list dorm-in denied tcp 172.18.17.116(50268) 
>>>>>>-> 205.188.134.234(4444), 8 packets
>>>>>>Oct  7 15:17:55.199 EDT: list dorm-in denied tcp 172.18.17.116(50269) 
>>>>>>-> 205.188.134.234(4444), 4 packets
>>>>>
>>>>>>Oct  7 14:39:11.441 EDT: list stop-sql denied tcp 172.16.89.50(1134) 
>>>>>>-> 205.188.134.237(4444), 1 packet
>>>>>>Oct  7 14:39:33.046 EDT: list stop-sql denied tcp 172.16.89.50(1136) 
>>>>>>-> 205.188.134.237(4444), 1 packet
>>>>>>Oct  7 14:39:55.254 EDT: list stop-sql denied tcp 172.16.89.50(1141) 
>>>>>>-> 205.188.134.235(4444), 1 packet
>>>>>>Oct  7 14:45:12.234 EDT: list stop-sql denied tcp 172.16.89.50(1136) 
>>>>>>-> 205.188.134.237(4444), 2 packets
>>>>>
>>>>>>[jeff at netsyslog jeff]$ host 205.188.134.233
>>>>>>233.134.188.205.in-addr.arpa domain name pointer ht-s11.websys.aol.com.
>>>>>>[jeff at netsyslog jeff]$ host 205.188.134.234
>>>>>>234.134.188.205.in-addr.arpa domain name pointer ht-s12.websys.aol.com.
>>>>>>[jeff at netsyslog jeff]$ host 205.188.134.235
>>>>>>235.134.188.205.in-addr.arpa domain name pointer ht-s13.websys.aol.com.
>>>>>>[jeff at netsyslog jeff]$ host 205.188.134.237
>>>>>>237.134.188.205.in-addr.arpa domain name pointer ht-s15.websys.aol.com.
>>>>>
>>>>>Jeff
>>>>>
>>>>>
>>>>>_______________________________________________
>>>>>list mailing list
>>>>>list at dshield.org
>>>>>To change your subscription options (or unsubscribe), see: 
>>>>>http://www.dshield.org/mailman/listinfo/list
>>>>
>>>>
>>>
>>>
>>
>>
>
>

Jason Brooks
Information Security Technician
IITS
116 - B Coyner
Longwood University
201 High Street
Farmville, VA 23901
(434) 395-2796
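The discussion above turns on two things that are easy to get wrong when reading the ACL log: which side of the flow actually holds port 4444 (the local machines are the clients, so probing them for an open 4444 finds nothing), and whether the "clumps of 3 or 4" are separate connection attempts or the same attempt's SYN retransmits hitting the ACL again. The script below, an added example that is not part of the original thread, parses the Cisco IOS ACL deny lines quoted by Jeff (re-joined onto single lines here as constructed sample input), classifies each local host as client or server for the port of interest, and summarizes per host: distinct source ports (connection attempts), attempts logged more than once (retransmits), total packets, and burst sizes. The year (2003) and the 120-second burst window are assumptions, not values from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Cisco IOS ACL "denied" log format as quoted in the thread:
# "Oct  7 13:38:57.372 EDT: list dorm-in denied tcp 172.18.57.70(4011) -> 205.188.134.233(4444), 1 packet"
ACL_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d)(?:\.\d+)? \S+: "
    r"list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?$"
)

# Constructed sample: the lines quoted earlier in the thread, one event per line.
SAMPLE_LOG = """\
Oct  7 13:38:57.372 EDT: list dorm-in denied tcp 172.18.57.70(4011) -> 205.188.134.233(4444), 1 packet
Oct  7 13:39:19.757 EDT: list dorm-in denied tcp 172.18.57.70(4013) -> 205.188.134.233(4444), 1 packet
Oct  7 13:39:54.317 EDT: list dorm-in denied tcp 172.18.57.70(4018) -> 205.188.134.233(4444), 1 packet
Oct  7 13:40:17.038 EDT: list dorm-in denied tcp 172.18.57.70(4021) -> 205.188.134.233(4444), 1 packet
Oct  7 13:42:48.849 EDT: list dorm-in denied tcp 172.18.57.70(4011) -> 205.188.134.233(4444), 2 packets
Oct  7 13:43:03.833 EDT: list dorm-in denied tcp 172.18.57.70(4013) -> 205.188.134.233(4444), 2 packets
Oct  7 13:43:06.021 EDT: list dorm-in denied tcp 172.18.57.70(4018) -> 205.188.134.233(4444), 2 packets
Oct  7 13:43:10.833 EDT: list dorm-in denied tcp 172.18.57.70(4021) -> 205.188.134.233(4444), 1 packet
Oct  7 13:43:14.113 EDT: list dorm-in denied tcp 172.18.57.70(4022) -> 205.188.134.233(4444), 1 packet
Oct  7 13:54:13.978 EDT: list dorm-in denied tcp 172.18.121.247(1726) -> 205.188.134.237(4444), 1 packet
Oct  7 13:54:34.911 EDT: list dorm-in denied tcp 172.18.121.247(1727) -> 205.188.134.237(4444), 1 packet
Oct  7 13:59:54.805 EDT: list dorm-in denied tcp 172.18.121.247(1726) -> 205.188.134.237(4444), 2 packets
Oct  7 14:15:54.324 EDT: list dorm-in denied tcp 172.18.33.71(3451) -> 205.188.134.234(4444), 1 packet
Oct  7 14:16:19.768 EDT: list dorm-in denied tcp 172.18.33.71(3453) -> 205.188.134.234(4444), 1 packet
Oct  7 14:20:54.913 EDT: list dorm-in denied tcp 172.18.33.71(3451) -> 205.188.134.234(4444), 2 packets
Oct  7 14:21:54.918 EDT: list dorm-in denied tcp 172.18.33.71(3453) -> 205.188.134.234(4444), 2 packets
Oct  7 15:10:55.944 EDT: list dorm-in denied tcp 172.18.17.116(50268) -> 205.188.134.234(4444), 1 packet
Oct  7 15:12:10.793 EDT: list dorm-in denied tcp 172.18.17.116(50269) -> 205.188.134.234(4444), 1 packet
Oct  7 15:12:26.773 EDT: list dorm-in denied tcp 172.18.17.116(50273) -> 205.188.134.234(4444), 1 packet
Oct  7 15:16:55.195 EDT: list dorm-in denied tcp 172.18.17.116(50268) -> 205.188.134.234(4444), 8 packets
Oct  7 15:17:55.199 EDT: list dorm-in denied tcp 172.18.17.116(50269) -> 205.188.134.234(4444), 4 packets
Oct  7 14:39:11.441 EDT: list stop-sql denied tcp 172.16.89.50(1134) -> 205.188.134.237(4444), 1 packet
Oct  7 14:39:33.046 EDT: list stop-sql denied tcp 172.16.89.50(1136) -> 205.188.134.237(4444), 1 packet
Oct  7 14:39:55.254 EDT: list stop-sql denied tcp 172.16.89.50(1141) -> 205.188.134.235(4444), 1 packet
Oct  7 14:45:12.234 EDT: list stop-sql denied tcp 172.16.89.50(1136) -> 205.188.134.237(4444), 2 packets
"""


def parse_line(line, year=2003):
    """Parse one ACL deny line into a dict; None if it does not match.
    Syslog lines carry no year, so the caller supplies one (2003 assumed here)."""
    m = ACL_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "acl": m["acl"], "proto": m["proto"],
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "count": int(m["count"])}


def role(ev, port=4444):
    """Which side of the flow the local host plays for `port`: it is the client
    when the port is the destination, the server only when the port is the source."""
    if ev["dport"] == port:
        return "client"
    if ev["sport"] == port:
        return "server"
    return "other"


def summarize(log_text, port=4444, gap_seconds=120):
    """Per local host: distinct source ports (attempts), attempts logged more than
    once (SYN retransmits of the same connection), total packets, destinations, and
    burst sizes, where a burst ends after more than gap_seconds of silence (assumed window)."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and role(ev, port) == "client":
            by_src[ev["src"]].append(ev)
    report = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])  # the stop-sql block is out of time order
        seen = defaultdict(int)
        for e in evs:
            seen[e["sport"]] += 1
        bursts, last = [], None
        for e in evs:
            if last is None or (e["ts"] - last).total_seconds() > gap_seconds:
                bursts.append(0)
            bursts[-1] += 1
            last = e["ts"]
        report[src] = {"attempts": len(seen),
                       "retried": sum(1 for n in seen.values() if n > 1),
                       "packets": sum(e["count"] for e in evs),
                       "destinations": sorted({e["dst"] for e in evs}),
                       "bursts": bursts}
    return report


if __name__ == "__main__":
    for host, info in summarize(SAMPLE_LOG).items():
        print(host, info)
```

For 172.18.57.70 this yields 5 attempts, 4 of them retried, 12 packets in bursts of 4 and 5, which matches the "12 to 16 packets per client" figure above while showing that most of the repeats are the same source port coming back, i.e. retransmits of a blocked SYN rather than fresh attempts. Since every event is classified as "client", an nmap or fport check for a listener on 4444 on these hosts is looking at the wrong side; netstat on the client while the burst is in progress, or a capture keyed on the ephemeral source port, is what identifies the process.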