[Dshield] Possible problem?
Lou.Hablas at rzim.org
Thu Mar 10 18:02:39 GMT 2005
Very succinct and useful post, Henry.
I hope people who are new to this list or new to networked PCs read
Henry's response all the way through... in a few words, you may learn
some things that will help you avoid becoming part of the problem...
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of Henry Hertz Hobbit
Sent: Wednesday, March 09, 2005 6:03 AM
To: General DShield Discussion List
Subject: Re: [Dshield] Possible problem?
On Mon, 2005-03-07 at 13:18, Paul Marsh wrote:
> I did an nmap scan on one of my users' home systems. It's a typical
> broadband connection; a default TCP scan revealed ports 21, 25 and 80.
> In the past I've found that these ports belong to the broadband modem.
> I then did a -sU default UDP scan and found the following:
> PORT STATE SERVICE
> 135/udp filtered msrpc
> 136/udp filtered profile
> 138/udp filtered netbios-dgm
> 1434/udp filtered ms-sql-m
> 135-138: typical MS stuff, no?
> 1434: I know the user is not running SQL monitor. Is it likely the
> system has SQL Slammer/Sapphire running on it?
> The system is XP Home SP2.
> Thanx, Paul
The filtered ports are GOOD!
You said a "typical broadband connection" so I am assuming a NIC that is
directly connected, or a broadband modem slapped into the PC. ALL
MACHINES CONNECTED VIA BROADBAND TO THE INTERNET NEED AN INTERVENING
BROADBAND ROUTER / SWITCH / NAT FIREWALL! It amazes me that people use
every excuse in the book to avoid getting one. GET IT! They are less
than $100. I like DShield, but I am biased (I have one).
First, key in the WAN IP (not the LAN IP) at DShield and see if it shows.
If it doesn't, you are probably okay, but don't use that as the only
test. Read on...
Do ALL of the following (from another machine connected via the same
broadband ISP if possible - some broadband ISPs NAT, which
means you are not directly attached to the Internet. If you NAT as well,
then you may be double NAT'd):
 - ftp to the WAN IP - if it responds, not good.
 - telnet WAN IP 25 - if it responds, not good.
 - Key the WAN IP into a browser. If it comes up with a page and it
   isn't yours, that is definitely not good.
You need to be aware that a lot of Microsoft's products use embedded SQL
without you knowing it. It would be helpful if Microsoft listed every
one of their products that do use SQL. There are probably several
people on this mailing list that probably know all of the Microsoft
products that use SQL. I am NOT one of them. In other words, you may
have SQL without even realizing it because Microsoft uses it in a LOT of
their products. I think you would KNOW whether or not you have SQL /
Slammer because if you had it, your WAN address would show up at
DShield. Slammer uses UDP and spews packets like mad. Does your WAN
port show up at DShield? Slammer does NOT create traffic on port
1433/1434 (server/monitor) on its own. It needs an unpatched SQL server
to exploit before it starts spewing packets, and it SPEWS THOUSANDS OF
UDP PACKETS! It almost brought the Internet down!
Any server that is directly attached to the Internet should be SANS 20
certified. Here is the URL on it:
Ten are for Windows, and the other ten are for Nixes. Despite the fact
they should be strictly observed for machines directly attached to the
Internet, I have noticed that many people can go YEARS without
problems without doing any of them. It is unfair - only a few are
whacked, and the rest have nothing bad happen to them.
Key Name: "Henry Hertz Hobbit" <hhhobbit at comcast.net>
pub 1024D/1CC23BC0 2005-03-08 [expires: 2006-03-08]
Key fingerprint = 9CD0 839E 79C9 5E20 B97A 15A6 9AB7 484D 1CC2 3BC0
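Henry's three checks (ftp to the WAN IP, telnet to port 25, a browser on port 80) as a self-audit script for your own WAN address, run from outside your own NAT as the post advises. This is an added example, not code from the post, the list or DShield; the function names and the open/closed/filtered classification by connect result are this example's own.

```python
import socket
import sys

# The services Henry's checklist probes on a home WAN address.
# This table and the helpers below are this example's own (assumption).
DEFAULT_PORTS = {21: "ftp", 25: "smtp", 80: "http"}


def probe_port(host, port, timeout=3.0):
    """Classify one TCP port from the outside.

    "open"     - a handshake completed: something is answering on the WAN
                 side, the "not good" case in the post.
    "closed"   - an immediate refusal: reachable, but nothing listening.
    "filtered" - no reply before the timeout: a firewall/NAT is dropping
                 the packets, which is the state Henry calls GOOD.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:          # TimeoutError; must precede OSError
        return "filtered"
    except OSError:                 # ConnectionRefusedError and friends
        return "closed"


def audit_wan(host, ports=DEFAULT_PORTS, timeout=3.0):
    """Probe each port in `ports` and return {port: state}."""
    return {port: probe_port(host, port, timeout) for port in ports}


def verdict(results):
    """Summarise audit_wan() output in the post's terms."""
    exposed = sorted(p for p, s in results.items() if s == "open")
    if exposed:
        return "NOT GOOD: answering on " + ", ".join(str(p) for p in exposed)
    return "ok: nothing answered from outside (filtered/closed)"


if __name__ == "__main__":
    # Usage: python audit.py <your WAN IP>   (from a host on the same ISP,
    # not from behind the router you are testing, or you only hit the LAN
    # side; see the double-NAT caveat in the post).
    target = sys.argv[1]
    outcome = audit_wan(target)
    for port, state in sorted(outcome.items()):
        print(f"{port:>5}/tcp {state:<9} {DEFAULT_PORTS[port]}")
    print(verdict(outcome))
```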