[Dshield] Port 139 scans

Guy Barnum GuyBarnum at Armscole.com
Mon Feb 16 16:16:05 GMT 2004


I have a server machine originally scanning port 38293 with UDP packets
for all open systems sequentially, and when I killed the process it
restarted about 24 hours later scanning port 135 using TCP packets for
all IPs, incrementing sequentially.

The hijacked process appears to be pds.exe, which Norton uses for a ping
discovery service on port 38293 of other NAV servers and clients.  Our
rogue process is sending out over 20 million packets a day to every
sequential IP address if I leave it connected, where the NAV process
normally sends out a few pings every few minutes to every hour or so if
it doesn't get a response.

I found our server group deleted from the Symantec System Console and
almost 30 other machines from around the net installed in its place.  I
uninstalled the SSC and restarted the server, which kept things quiet for
around 24 hours until the PDS files were reloaded or restarted.  I've
renamed and moved them this time to make sure whether they are getting
reinstalled or if Windows simply missed some files when Add/Remove
Programs removed SSC.  I've emailed Symantec to see if I can get them
looking into the PDS abuse for this scan.

Now that I've found and killed this once, it looks like they aren't
bothering to fake a NAV service any more, having changed ports and
protocols for the scan.

The most disturbing part is this is occurring behind a Cisco firewall.
Admittedly I'm not a security expert (yet!), but I haven't opened all
incoming ports so I'm not sure how they are pulling this off, OR this could
be a crazy corruption of the PDS service and Symantec System Console
configuration (I really find that hard to believe though).

I would really like feedback on this from anyone who has seen anything
like it, or even suggestions on who to turn this over to for
investigation.  I've never submitted suspected virus/exploit activity
before, so I'm not sure who all I should send the information to.

List moderators, any advice?

Guy


-----Original Message-----
From: Jon R. Kibler [mailto:Jon.Kibler at aset.com]
Sent: Sunday, February 15, 2004 2:30 PM
To: list at dshield.org
Subject: [Dshield] Port 139 scans


Has anyone else noticed scans on 139/tcp for multiple sequential IPs? We
just had our second scan of this type in recent days. Sorry, no packets
are available... just firewall logs showing dropped packets.

> Feb 13 18:46:41 border8215 list 110 denied tcp 61.219.255.50(63803) -> a.b.59.64(139), 1 packet
> Feb 13 18:46:42 border8215 list 110 denied tcp 61.219.255.50(64785) -> a.b.59.83(139), 1 packet
> Feb 13 18:46:44 border8215 list 110 denied tcp 61.219.255.50(63803) -> a.b.59.64(139), 1 packet
> Feb 13 18:46:44 border8215 list 110 denied tcp 61.219.255.50(65227) -> a.b.59.82(139), 1 packet
> Feb 13 18:46:51 border8215 list 110 denied tcp 61.219.255.50(63803) -> a.b.59.64(139), 1 packet
> Feb 13 18:46:52 border8215 list 110 denied tcp 61.219.255.50(65321) -> a.b.59.75(139), 1 packet
> Feb 13 18:46:53 border8215 list 110 denied tcp 61.219.255.50(63641) -> a.b.59.94(139), 1 packet
> Feb 13 19:03:47 border8215 list 110 denied tcp 61.219.255.50(63789) -> a.b.59.64(139), 1 packet
> Feb 13 19:03:48 border8215 list 110 denied tcp 61.219.255.50(65367) -> a.b.59.84(139), 1 packet
> Feb 13 19:03:50 border8215 list 110 denied tcp 61.219.255.50(63789) -> a.b.59.64(139), 1 packet
> Feb 13 19:03:51 border8215 list 110 denied tcp 61.219.255.50(64519) -> a.b.59.83(139), 1 packet
> Feb 13 19:03:57 border8215 list 110 denied tcp 61.219.255.50(63789) -> a.b.59.64(139), 1 packet
> Feb 13 19:03:58 border8215 list 110 denied tcp 61.219.255.50(64501) -> a.b.59.80(139), 1 packet
> Feb 15 13:15:59 border8215 list 110 denied tcp 210.220.29.226(4825) -> a.b.58.50(139), 1 packet
> Feb 15 13:26:44 border8215 list 110 denied tcp 210.220.29.226(1266) -> a.b.59.64(139), 1 packet
> Feb 15 13:26:47 border8215 list 110 denied tcp 210.220.29.226(1268) -> a.b.59.65(139), 1 packet
> Feb 15 13:26:50 border8215 list 110 denied tcp 210.220.29.226(1272) -> a.b.59.68(139), 1 packet
> Feb 15 13:26:59 border8215 list 110 denied tcp 210.220.29.226(1276) -> a.b.59.70(139), 1 packet
> Feb 15 13:27:03 border8215 list 110 denied tcp 210.220.29.226(1278) -> a.b.59.71(139), 1 packet
> Feb 15 13:27:06 border8215 list 110 denied tcp 210.220.29.226(1282) -> a.b.59.73(139), 1 packet
> Feb 15 13:27:10 border8215 list 110 denied tcp 210.220.29.226(1284) -> a.b.59.74(139), 1 packet
> Feb 15 13:27:12 border8215 list 110 denied tcp 210.220.29.226(1285) -> a.b.59.75(139), 1 packet
> Feb 15 13:27:18 border8215 list 110 denied tcp 210.220.29.226(1288) -> a.b.59.76(139), 1 packet
> Feb 15 13:27:24 border8215 list 110 denied tcp 210.220.29.226(1289) -> a.b.59.77(139), 1 packet
> Feb 15 13:27:30 border8215 list 110 denied tcp 210.220.29.226(1266) -> a.b.59.64(139), 3 packets
> Feb 15 13:27:32 border8215 list 110 denied tcp 210.220.29.226(1268) -> a.b.59.65(139), 3 packets
> Feb 15 13:27:36 border8215 list 110 denied tcp 210.220.29.226(1272) -> a.b.59.68(139), 3 packets
> Feb 15 13:27:45 border8215 list 110 denied tcp 210.220.29.226(1276) -> a.b.59.70(139), 3 packets
> Feb 15 13:27:49 border8215 list 110 denied tcp 210.220.29.226(1278) -> a.b.59.71(139), 3 packets
> Feb 15 13:27:52 border8215 list 110 denied tcp 210.220.29.226(1282) -> a.b.59.73(139), 3 packets
> Feb 15 13:27:56 border8215 list 110 denied tcp 210.220.29.226(1284) -> a.b.59.74(139), 3 packets
> Feb 15 13:27:58 border8215 list 110 denied tcp 210.220.29.226(1285) -> a.b.59.75(139), 3 packets
> Feb 15 13:28:03 border8215 list 110 denied tcp 210.220.29.226(1288) -> a.b.59.76(139), 3 packets
> Feb 15 13:28:04 border8215 list 110 denied tcp 210.220.29.226(1290) -> a.b.59.78(139), 3 packets
> Feb 15 13:28:10 border8215 list 110 denied tcp 210.220.29.226(1291) -> a.b.59.79(139), 3 packets
> Feb 15 13:28:14 border8215 list 110 denied tcp 210.220.29.226(1294) -> a.b.59.80(139), 3 packets
> Feb 15 13:29:08 border8215 list 110 denied tcp 210.220.29.226(1297) -> a.b.59.82(139), 3 packets
> Feb 15 13:29:24 border8215 list 110 denied tcp 210.220.29.226(1298) -> a.b.59.83(139), 3 packets
> Feb 15 13:30:07 border8215 list 110 denied tcp 210.220.29.226(1299) -> a.b.59.84(139), 3 packets
> Feb 15 13:30:08 border8215 list 110 denied tcp 210.220.29.226(1301) -> a.b.59.85(139), 3 packets
> Feb 15 13:30:35 border8215 list 110 denied tcp 210.220.29.226(1304) -> a.b.59.86(139), 3 packets

Note: We do not have port 139 open on any IP, so I have no idea why
certain IPs (e.g., a.b.59.69, a.b.59.81, etc.) would be skipped and why
the ranges of IPs shown are all that were scanned in our netblock.

Is this possibly a new worm or ASN exploit?

Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214
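As an added example, not part of either message, here is a small Python parser for the Cisco ACL deny lines quoted above: it groups denies per source, protocol, destination port and /24 prefix, flags a source that hit several hosts on one port as a horizontal sweep, and lists the addresses inside the swept range that never appear, which is the "skipped IPs" question Jon raises. The sample log is constructed from a handful of the quoted lines, the regex field names are my own, and the sweep threshold of five hosts is an arbitrary assumption.

```python
import re
from collections import defaultdict

# One Cisco ACL deny line as quoted in the thread; the destination keeps the
# poster's anonymised "a.b" prefix, so its octets are not forced to be numeric.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<dev>\S+) list (?P<acl>\d+) "
    r"denied (?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\w.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?$"
)

# Constructed sample: a few of the lines quoted above, mail-quoting ">" included.
SAMPLE_LOG = """\
> Feb 15 13:26:44 border8215 list 110 denied tcp 210.220.29.226(1266) -> a.b.59.64(139), 1 packet
> Feb 15 13:26:47 border8215 list 110 denied tcp 210.220.29.226(1268) -> a.b.59.65(139), 1 packet
> Feb 15 13:26:50 border8215 list 110 denied tcp 210.220.29.226(1272) -> a.b.59.68(139), 1 packet
> Feb 15 13:26:59 border8215 list 110 denied tcp 210.220.29.226(1276) -> a.b.59.70(139), 1 packet
> Feb 15 13:27:03 border8215 list 110 denied tcp 210.220.29.226(1278) -> a.b.59.71(139), 1 packet
> Feb 15 13:27:30 border8215 list 110 denied tcp 210.220.29.226(1266) -> a.b.59.64(139), 3 packets
> Feb 13 18:46:41 border8215 list 110 denied tcp 61.219.255.50(63803) -> a.b.59.64(139), 1 packet
"""

def parse_line(line):
    """Return the fields of one ACL deny record, or None for any other line."""
    m = LOG_RE.match(line.strip().lstrip("> ").strip())
    return m.groupdict() if m else None

def find_sweeps(lines, min_hosts=5):
    """Group denies by (src, proto, dport, /24 prefix). A source hitting at least
    min_hosts distinct hosts on one port is a sweep; also list hosts it skipped."""
    seen = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        prefix, last = rec["dst"].rsplit(".", 1)  # "a.b.59.64" -> "a.b.59", "64"
        seen[(rec["src"], rec["proto"], rec["dport"], prefix)].add(int(last))
    sweeps = {}
    for key, octets in seen.items():
        if len(octets) < min_hosts:
            continue
        prefix, lo, hi = key[3], min(octets), max(octets)
        sweeps[key] = {
            "hosts": len(octets),
            "range": (f"{prefix}.{lo}", f"{prefix}.{hi}"),
            "skipped": [f"{prefix}.{o}" for o in range(lo, hi + 1) if o not in octets],
        }
    return sweeps

if __name__ == "__main__":
    for (src, proto, dport, prefix), info in find_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f"{src} swept {proto}/{dport} across {prefix}.0/24: {info}")
```

Repeated hits on one host (the "3 packets" retries) collapse into a single set entry, so the host count reflects distinct targets rather than packet volume.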
