[Dshield] Possible problem?

jayjwa jayjwa at atr2.ath.cx
Wed Mar 9 15:13:15 GMT 2005


On Wed, 9 Mar 2005, Henry Hertz Hobbit wrote:

-> > In the past I've found that these ports belong to the broadband modem.
-> > I then did a -sU default UDP and found the following:
-> > 
-> > PORT     STATE    SERVICE
-> > 135/udp  filtered msrpc
-> > 136/udp  filtered profile
-> > 138/udp  filtered netbios-dgm
-> > 1434/udp filtered ms-sql-m
-> > 
-> > 135-138 typical MS stuff no?
-> > 
-> > 1434 I know the user is not running SQL monitor.  Is it likely the
-> > system has SQL slammer/Sapphire running on it?

"filtered" means there was no response sent back. This could be due to a 
number of things, any which could be a firewall anywhere between your 
scanner and the target. For example, my ISP blocks 135,136,137,138,139,445 
in either direction, so, if I were to scan another system across the 
Internet and even if it *did* have these ports wide open and listening, 
they'd appear as filtered to me, and give the impression that they are 
safe from attack, even though they were not.

-> You need to be aware that a lot of Microsoft's products use embedded SQL
-> without you knowing it.

Definitely. A lot of people are running SQL servers and never know it. 
This is probably the reason Slammer did so well, I'm guessing. MS loves 
those hidden-from-the-user-on-by-default servers. So do the virus writers 
and system crackers ;)

-> Any server that is directly attached to the Internet should be SANS 20
-> certified.  Here is the URL on it:
-> 
-> http://www.sans.org/top20/

Unfortunately it is unfairly biased against Sendmail...

Sendmail has been used forever and is extensively scrutinized because of 
this fact. The article also doesn't mention all the extra ways in which 
Sendmail can be protected, such as smrsh. The old myth of Sendmail being 
hard to configure and complex just doesn't hold true anymore; it comes 
with extensive documentation and examples, as well as numerous examples 
of safe and sane configuration files.

and needs a little updating...

According to that URL and strict interpretation of the wording:

U7.4 How to Determine if you are Vulnerable
Check the output of the command 'openssl version'. If the version isn't
0.9.7d or 0.9.6m the system is vulnerable.

[jayjwa at atr2:~>] openssl version
OpenSSL 0.9.7e 25 Oct 2004

A lot of sites are still running d, but really e is marked latest, 
according to the project itself.

-> I have noticed that many people that can go YEARS without
-> problems without doing any of them.  It is unfair - only a few are
-> whacked, and the rest have nothing bad happen to them.

I think it depends on if you have one of the popular vulnerabilities that 
are currently being scanned for. While I'm seeing these all day long

Radmin Attmpt: IN=ppp0 OUT= MAC= SRC=211.115.232.248 DST=64.179.12.29 
Tarpitted SSH'er: IN=ppp0 OUT= MAC= SRC=211.115.213.63 DST=64.179.12.29
Tarpitted SSH'er: IN=ppp0 OUT= MAC= SRC=211.115.213.63 DST=64.179.12.29
Radmin Attmpt: IN=ppp0 OUT= MAC= SRC=134.159.122.234 DST=64.179.12.29 
Tarpitted SSH'er: IN=ppp0 OUT= MAC= SRC=211.115.213.63 DST=64.179.12.29
Tarpitted SSH'er: IN=ppp0 OUT= MAC= SRC=211.115.213.63 DST=64.179.12.29
Tarpitted SSH'er: IN=ppp0 OUT= MAC= SRC=200.72.137.34 DST=64.179.12.29
Tarpitted SSH'er: IN=ppp0 OUT= MAC= SRC=200.72.137.34 DST=64.179.12.29
Tarpitted SSH'er: IN=ppp0 OUT= MAC= SRC=62.58.165.77 DST=64.179.12.29
Radmin Attmpt: IN=ppp0 OUT= MAC= SRC=80.168.254.24 DST=64.179.12.29 
Radmin Attmpt: IN=ppp0 OUT= MAC= SRC=80.168.254.24 DST=64.179.12.29 
Protecting MySQL: IN=ppp0 OUT= MAC= SRC=62.214.140.39 DST=64.179.12.29
Radmin Attmpt: IN=ppp0 OUT= MAC= SRC=61.192.16.184 DST=64.179.12.29 
Radmin Attmpt: IN=ppp0 OUT= MAC= SRC=61.192.16.184 DST=64.179.12.29

no one seems to care about MyDoom (sync's xproxy) tcp/3127 anymore (at 
least in my corner of the 'Net).

-- 
M$'s Windowz Genuine "Advantage": Wine/Linux 
detected!! Your system will now shutdown:
http://www.linux.org/news/2005/02/19/0004.html
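An added example, not from the post or from the DShield list, showing one way a defender can tally iptables LOG-prefixed kernel log lines like the ones quoted above by prefix label and source address, to see which services are currently being probed and how many distinct sources are behind it. The sample log is constructed from the lines in the post; the label/field layout (prefix before the colon, KEY=VALUE tokens after it) is an assumption matching that output.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the firewall LOG lines quoted in the post.  The text before
# the colon is the rule's --log-prefix; the rest are the kernel's packet fields.
SAMPLE_LOG = """\
Radmin Attmpt: IN=ppp0 OUT= MAC= SRC=211.115.232.248 DST=64.179.12.29
Tarpitted SSH'er: IN=ppp0 OUT= MAC= SRC=211.115.213.63 DST=64.179.12.29
Tarpitted SSH'er: IN=ppp0 OUT= MAC= SRC=211.115.213.63 DST=64.179.12.29
Radmin Attmpt: IN=ppp0 OUT= MAC= SRC=134.159.122.234 DST=64.179.12.29
Tarpitted SSH'er: IN=ppp0 OUT= MAC= SRC=211.115.213.63 DST=64.179.12.29
Tarpitted SSH'er: IN=ppp0 OUT= MAC= SRC=211.115.213.63 DST=64.179.12.29
Tarpitted SSH'er: IN=ppp0 OUT= MAC= SRC=200.72.137.34 DST=64.179.12.29
Tarpitted SSH'er: IN=ppp0 OUT= MAC= SRC=200.72.137.34 DST=64.179.12.29
Tarpitted SSH'er: IN=ppp0 OUT= MAC= SRC=62.58.165.77 DST=64.179.12.29
Radmin Attmpt: IN=ppp0 OUT= MAC= SRC=80.168.254.24 DST=64.179.12.29
Radmin Attmpt: IN=ppp0 OUT= MAC= SRC=80.168.254.24 DST=64.179.12.29
Protecting MySQL: IN=ppp0 OUT= MAC= SRC=62.214.140.39 DST=64.179.12.29
Radmin Attmpt: IN=ppp0 OUT= MAC= SRC=61.192.16.184 DST=64.179.12.29
Radmin Attmpt: IN=ppp0 OUT= MAC= SRC=61.192.16.184 DST=64.179.12.29
"""

LINE_RE = re.compile(r"^(?P<label>[^:]+):\s+(?P<fields>.*)$")

def parse_line(line):
    """Split one LOG line into its prefix label plus a dict of KEY=VALUE fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # not a LOG line we understand; skip it
    fields = dict(tok.partition("=")[::2] for tok in m.group("fields").split())
    return {"label": m.group("label"), **fields}

def summarize(text):
    """Return (hits per label, hits per source, distinct sources per label)."""
    hits_per_label, hits_per_src = Counter(), Counter()
    srcs_per_label = defaultdict(set)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and "SRC" in rec:
            hits_per_label[rec["label"]] += 1
            hits_per_src[rec["SRC"]] += 1
            srcs_per_label[rec["label"]].add(rec["SRC"])
    return hits_per_label, hits_per_src, {k: len(v) for k, v in srcs_per_label.items()}

if __name__ == "__main__":
    labels, srcs, distinct = summarize(SAMPLE_LOG)
    for label, n in labels.most_common():
        print(f"{label:18s} {n:3d} hits from {distinct[label]} distinct sources")
    print("busiest source:", srcs.most_common(1)[0])
```

Feeding it a day's worth of real kernel log output (grep for your own prefixes first) gives the same breakdown, which is what answers the "is anyone still scanning for X" question for your own corner of the net.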
