[Dshield] Possible problem?

Henry Hertz Hobbit hhhobbit at comcast.net
Wed Mar 9 11:02:56 GMT 2005


On Mon, 2005-03-07 at 13:18, Paul Marsh wrote:
> I did a nmap scan on one of my users home systems.  Its a typical
> broadband connection default TCP scan revealed port 21, 25 and 80 open.
> In the past I've found that these ports belong to the broadband modem.
> I then did a -sU default UDP and found the following:
> 
> PORT     STATE    SERVICE
> 135/udp  filtered msrpc
> 136/udp  filtered profile
> 138/udp  filtered netbios-dgm
> 1434/udp filtered ms-sql-m
> 
> 135-138 typical MS stuff no?
> 
> 1434 I know the user is not running SQL monitor.  Is it likely the
> system has SQL slammer/Sapphire running on it?
> 
> The system is XP home SP2
> 
> Thanx, Paul

The filtered ports are GOOD!

You said a "typical broadband connection" so I am assuming a NIC that is
directly connected, or a broadband modem slapped into the PC.  ALL
MACHINES CONNECTED VIA BROADBAND TO THE INTERNET NEED AN INTERVENING
BROADBAND ROUTER / SWITCH / NAT FIREWALL!  It amazes me that people use
every excuse in the book to avoid getting one.  GET IT!  They are less
than $100.  I like DShield, but I am biased (I have one).

First, key in the WAN IP (not the LAN IP) at DShield and see if it shows
up.

http://www.dshield.org/ipinfo.php

If it doesn't, you are probably okay but don't use that as the only
test.  Read on...

Do ALL of the following (from another machine connected via the same
broadband ISP provider if possible - some broadband ISPs NAT, which
means you are not directly attached to the Internet  If you NAT as well,
then you may be double NAT'd):

[1] ftp to the WAN IP - if it responds, not good.

[2] telnet WAN IP 25 - if it responds, not good

[3] Key the WAN IP into a browser.  If it comes up with a page and it
isn't yours, that is definitely not good

You need to be aware that a lot of Microsoft's products use embedded SQL
without you knowing it.  It would be helpful if Microsoft listed every
one of their products that do use SQL.  There are probably several
people on this mailing list that probably know all of the Microsoft
products that use SQL.  I am NOT one of them.  In other words, you may
have SQL without even realizing it because Microsoft uses it in a LOT of
their products.  I think you would KNOW whether or not you have SQL /
Slammer because if you had it, your WAN address would show up at
DShield.  Slammer uses UDP and spews packets like mad.  Does your WAN
port show up at DShield?  Slammer does NOT create traffic on port
1433/1434 (server/monitor) on its own.  It needs an unpatched SQL server
to exploit before it starts spewing packets, and it SPEWS THOUSANDS OF
UDP PACKETS!  IT almost brought the Internet down!

Any server that is directly attached to the Internet should be SANS 20
certified.  Here is the URL on it:

http://www.sans.org/top20/

Ten are for Windows, and the other ten are for Nixes.  Despite the fact
they should be strictly observed for machines directly attached to the
Internet, I have noticed that many people that can go YEARS without
problems without doing any of them.  It is unfair - only a few are
whacked, and the rest have nothing bad happen to them.

HHH
-- 
Key Name:  "Henry Hertz Hobbit" <hhhobbit at comcast.net>
pub   1024D/1CC23BC0 2005-03-08 [expires: 2006-03-08]
Key fingerprint = 9CD0 839E 79C9 5E20 B97A 15A6 9AB7 484D 1CC2 3BC0




More information about the list mailing list