[Dshield] XBOX virus?

Andy Streule andy.streule at lythamhigh.lancs.sch.uk
Tue Jun 15 08:48:37 GMT 2004

You can do it without Linux.
Avalaunch (http://www.teamavalaunch.com/) has an IRC client.

For instance:


-----Original Message-----
From: KIAH [mailto:kiah at inmfys.com]
Sent: 14 June 2004 16:14
To: General DShield Discussion List
Subject: Re: [Dshield] XBOX virus?

Willing to bet the employee has put Linux on his Xbox.  Then once the
employee was connected they tried to connect to an IRC server to check the


----- Original Message ----- 
From: <TRushing at hollandco.com>
To: <list at lists.dshield.org>
Sent: Monday, June 14, 2004 06:01
Subject: [Dshield] XBOX virus?

> Had an odd series of events in our firewall today.  It was a machine that
> had grabbed a dhcp address and was trying to contact irc channels.  Looked
> like a classic virus infected machine calling home.  It was only online
> for 12 minutes and just after I did an nmap, it dropped off.  I don't
> necessarily think those two were related.  Instead, I think it was someone
> who had dialed in to our corporate network.
> What struck me as odd is that I think it may have been an X-BOX.  I don't
> play games and have never played with one of these boxes.  However, when I
> did an nbtstat here is what I got:
> $ nbtstat -A
> Local Area Connection:
> Node IpAddress: [] Scope Id: []
>            NetBIOS Remote Machine Name Table
>        Name               Type         Status
>     ---------------------------------------------
>     HOSTXXXXX      <00>  UNIQUE      Registered
>     HOSTXXXXX      <20>  UNIQUE      Registered
>     XBOXHOME       <00>  GROUP       Registered
>     XBOXHOME       <1E>  GROUP       Registered
>     MAC Address = 44-45-53-54-42-00
> Note:  HOSTXXXXX above was actually something besides HOSTXXXXX.  The
> letters in the place of XXXXX formed an English word but could also be the
> first initial + first 4 letters of the last name of an employee we have,
> so I obfuscated them.
> 44-45-53 is an MS hardware MAC address, based on what I could find online.
> Here is the result of my initial nmap run:
> [root at hol-webInt root]# nmap -PT80 -vv -sT -sU -O
> Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
> Host hostspark.hollandco.com ( appears to be up ... good.
> Initiating Connect() Scan against hostspark.hollandco.com (
> Adding open port 1025/tcp
> Adding open port 5000/tcp
> Adding open port 139/tcp
> Adding open port 135/tcp
> The Connect() Scan took 22 seconds to scan 1601 ports.
> Initiating UDP Scan against hostspark.hollandco.com (
> The UDP Scan took 72 seconds to scan 1468 ports.
> Adding open port 123/udp
> Adding open port 1900/udp
> Adding open port 1646/udp
> Adding open port 1812/udp
> Adding open port 137/udp
> Adding open port 1645/udp
> Adding open port 1813/udp
> Adding open port 138/udp
> Adding open port 500/udp
> For OSScan assuming that port 135 is open and port 1 is closed and neither
> are firewalled
> Interesting ports on hostspark.hollandco.com (
> (The 3056 ports scanned but not shown below are in state: closed)
> Port       State       Service
> 123/udp    open        ntp
> 135/tcp    open        loc-srv
> 137/udp    open        netbios-ns
> 138/udp    open        netbios-dgm
> 139/tcp    open        netbios-ssn
> 500/udp    open        isakmp
> 1025/tcp   open        NFS-or-IIS
> 1645/udp   open        radius
> 1646/udp   open        radacct
> 1812/udp   open        radius
> 1813/udp   open        radacct
> 1900/udp   open        UPnP
> 5000/tcp   open        UPnP
> Remote operating system guess: MS Windows2000 Professional RC1/W2K Advance
> Server Beta3
> OS Fingerprint:
> TSeq(Class=RI%gcd=1%SI=49664%TS=0)
> T1(Resp=Y%DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT)
> T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
> T3(Resp=Y%DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT)
> T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
> T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
> T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
> T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
> TCP Sequence Prediction: Class=random positive increments
>                          Difficulty=300644 (Good luck!)
> TCP ISN Seq. Numbers: A17F21EF A19DA691 A1BB5E41 A1D56869 A1E70662
> A201F222
> IPID Sequence Generation: Busy server or unknown class
> Nmap run completed -- 1 IP address (1 host up) scanned in 106 seconds
> The -PT80 option was there because I had yesterday scanned something on
> the internal network that was not responding to pings.  I can't say if
> this device was ignoring pings or not because by the time I tried, it was
> offline.
> I did a google search for XBOX IRC and VIRUS, but all I found were
> mentions of irc channels to get XBOX games etc. . .
> I am assuming that XBOX machines can be infected by viruses.  I also
> wonder whether XBOX machines can have OS patches applied.  Can anyone
> point me to any pages that might discuss viruses and XBOXEN?   Also, does
> anyone know whether my HOSTXXXXX guess above as to the naming convention
> is correct?
> For what it is worth, here are the ip addresses that this machine tried to
> contact during the 12 minutes it was on our network:
> My suspicion is that this was one of our home users who dialed in to our
> network and has a home network with an XBOX on it.
>          ---Tim Rushing
>              The Holland Company
> _______________________________________________
> list mailing list
> list at lists.dshield.org
> To change your subscription options (or unsubscribe), see:
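The nbtstat -A name table quoted above can be triaged mechanically rather than by eye. The script below is an added example, not code from anyone in the thread: it parses the listing as printed, explains each registered name by its NetBIOS suffix, and decodes the first four octets of the MAC as ASCII; the remark that 44-45-53-54 ("DEST") is the prefix Microsoft's NDISWAN dial-up/RAS adapters present is the editor's own note and is consistent with the dial-in theory in the original post.

```python
import re

# Sample input: the nbtstat -A name table as quoted in Tim Rushing's post (host name
# obfuscated by the poster; the IP address is absent on the page).
SAMPLE = """\
Local Area Connection:
Node IpAddress: [] Scope Id: []
           NetBIOS Remote Machine Name Table
       Name               Type         Status
    ---------------------------------------------
    HOSTXXXXX      <00>  UNIQUE      Registered
    HOSTXXXXX      <20>  UNIQUE      Registered
    XBOXHOME       <00>  GROUP       Registered
    XBOXHOME       <1E>  GROUP       Registered
    MAC Address = 44-45-53-54-42-00
"""

# Well-known NetBIOS name suffixes (the subset a Windows-style host registers).
SUFFIX_MEANING = {
    ("00", "UNIQUE"): "workstation service: this is the computer name",
    ("20", "UNIQUE"): "file server service: SMB shares are offered",
    ("00", "GROUP"): "workgroup or domain the host belongs to",
    ("1E", "GROUP"): "browser service elections (normal for a workgroup member)",
}
NAME_RE = re.compile(r"^[ \t]*(\S+)[ \t]+<([0-9A-F]{2})>[ \t]+(UNIQUE|GROUP)[ \t]+(\w+)", re.M)
MAC_RE = re.compile(r"MAC Address\s*=\s*([0-9A-F]{2}(?:-[0-9A-F]{2}){5})", re.I)

def parse_nbtstat(text):
    """Return registered names as (name, suffix, kind, status) tuples plus the MAC."""
    mac = MAC_RE.search(text)
    return {"names": NAME_RE.findall(text),
            "mac": mac.group(1).upper() if mac else None}

def triage(record):
    """Turn a parsed name table into the findings an analyst would write down."""
    findings = []
    for name, suffix, kind, status in record["names"]:
        meaning = SUFFIX_MEANING.get((suffix, kind), "suffix not in table, look it up")
        findings.append(f"{name} <{suffix}> {kind} ({status}): {meaning}")
    mac = record["mac"]
    if mac:
        ascii_prefix = bytes.fromhex(mac.replace("-", ""))[:4].decode("ascii", "replace")
        findings.append(f"MAC {mac}: first four octets spell '{ascii_prefix}' in ASCII")
        if ascii_prefix == "DEST":
            # Not a NIC vendor OUI: 44-45-53-54 is what Microsoft's NDISWAN dial-up/RAS
            # adapters present, so the peer is likely on a remote-access link, not the LAN.
            findings.append("DEST prefix: Microsoft dial-up/RAS adapter, not LAN hardware")
    return findings
```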
