[Dshield] Port 139 scans

Paul Marsh pmarsh at nmefdn.org
Mon Feb 16 16:33:15 GMT 2004


 Well the whole thing looks very concerning.  You stated "I found our
server group deleted from the Symantec System Console and almost 30
other machines from around the net installed in its place"  Is there any
common denominator to the 30 machines listed in SSC?

> -----Original Message-----
> From: Guy Barnum [mailto:GuyBarnum at Armscole.com] 
> Sent: Monday, February 16, 2004 11:16 AM
> To: General DShield Discussion List
> Subject: RE: [Dshield] Port 139 scans
> 
> I have a server machine originally scanning port 38293 with 
> UPD packets for all open systems sequentially and when I 
> killed the process it restarted about 24 hours later scanning 
> port 135 using TCP packets for all IP's incrementing sequentially.
> 
> The hijacked process appears to be pds.exe which Norton uses 
> for a ping discovery service on port 38293 of other NAV 
> servers and clients.  Our rogue process is sending out over 
> 20 million packets a day to every sequential IP address if I 
> leave it connected where the NAV process normally sends out a 
> few pings every few minutes to every hour or so if it doesn't 
> get a response.
> 
> I found our server group deleted from the Symantec System 
> Console and almost 30 other machines from around the net 
> installed in its place.  I uninstalled the SSC and restarted 
> the server which kept things quiet for around 24 hours until 
> the PDS files were reloaded or restarted, I've renamed and 
> moved them this time to make sure whether they are getting 
> reinstalled or if Windows simply missed some files when 
> add/remove programs removed SSC.  I've emailed Symantec to 
> see if I can get them looking in to the PDS abuse for this scan.
> 
> Now that I've found and killed this once it looks like they 
> aren't bothering to fake a NAV service any more having 
> changed ports and protocols for the scan.
> 
> The most disturbing part is this is occurring behind a CISCO 
> firewall, admittedly I'm not a security expert (yet!) but I 
> haven't opened all incoming ports so I'm not sure how they 
> pulling this off OR this could be a crazy corruption of the 
> PDS service and Symantec System Console configuration (I 
> really find that hard to believe though).
> 
> I would really like feedback on this from anyone who has seen 
> anything like it or even suggestions on who to turn this over 
> to for investigation.  I've never submitted suspected 
> virus/exploit activity before so I'm not sure who all I 
> should send the information to.
> 
> List moderators, any advice?
> 
> Guy
> 




More information about the list mailing list