[unisog] worm that looks for 139, 1433 and 2967

power less absolutelynopower at gmail.com
Sun Feb 18 22:41:37 GMT 2007


Wow, good info. I'm mulling it all over. Thanks so much for all the
responses!

BTW, I have no control or influence over any campus firewalls, so as things
stand now I cannot see who the bots are connecting to, or anything like that.
That would be very interesting and useful information. (Probably the
important people here do this kind of analysis and report it to FIRST or
something like that.) The only way I could get that info would be to put up
my own honeypot with my own firewall in front of it, catch some bots, and
view what they did. Sounds like a good idea.

I noticed that there is a nessus plugin to scan for the sym06-010
vulnerability.
"Vulnerability in Symantec AntiVirus could allow remote code execution
(SYM06-010)"
#24236 I presume it works?

But what should we be scanning for, for 1433?

Here's one possibly utterly irrelevant aspect of the "incident": the first
known-to-me victim was a host that had been scanning for UDP 38293. This
behavior is typically ignored as a misconfigured legacy SAVCE client.
......
It was a very quiet Friday for the firewall.... (the computer(s) that does
some kind of peer-to-peer stuff seemed not to be around :-)

There was just that campus host that perennially tries to connect to UDP
port 38293 on one single host on our network. There was another IP that was
already scanning for 2967 and had done so on and off in the past (possibly
someone's gateway?), but it had a thing for networks that had the same
starting octet in the IP address as its host (c2), so it may not have ever
attacked c1.141, whose first octet was different. Also, c2.90 appears to have
stopped scanning at 7:30 am. But then ... c1.141 got the bug (or new
instructions?) sometime before 9:44 pm...

Then it was off and running. After 20 minutes the firewall blocked another
victim and it went from there.

I don't know if the UDP 38293 detail had anything to do with it, but this is
a classic, the Friday night special. The network admins go home and the bots
wake up :-) (And then on Saturday that c1.141 host was still looking for
1433, 2967 and UDP 38293. So pathetic!)

yyyy:mm:dd:hh24:mi:ss hit proto srcip srcport destip destport hits
2007:02:16:02:26:35 hit udp c1.141 1074 local1.235 38293 1
2007:02:16:02:26:35 hit udp c1.141 1074 local1.235 38293 1
2007:02:16:02:26:35 hit udp c1.141 1074 local1.235 38293 1
2007:02:16:02:26:35 hit udp c1.141 1074 local1.235 38293 1
2007:02:16:06:13:37 hit tcp c2.90 20819 local2.211 2967 1
2007:02:16:06:13:40 hit tcp c2.90 20819 local2.211 2967 1
2007:02:16:06:15:47 hit tcp c2.90 24931 local2.211 2967 1
2007:02:16:06:15:50 hit tcp c2.90 24931 local2.211 2967 1
2007:02:16:06:31:23 hit tcp c2.90 56378 local2.211 2967 1
2007:02:16:06:31:26 hit tcp c2.90 56378 local2.211 2967 1
2007:02:16:06:31:58 hit tcp c2.90 52734 local2.167 2967 1
2007:02:16:06:32:01 hit tcp c2.90 52734 local2.167 2967 1
2007:02:16:06:33:58 hit tcp c2.90 57574 local2.245 2967 1
2007:02:16:06:34:01 hit tcp c2.90 57574 local2.245 2967 1
2007:02:16:06:35:08 hit tcp c2.90 55255 local2.211 2967 1
2007:02:16:06:35:11 hit tcp c2.90 55255 local2.211 2967 1
2007:02:16:06:35:19 hit tcp c2.90 63008 local2.216 2967 1
2007:02:16:06:35:22 hit tcp c2.90 63008 local2.216 2967 1
2007:02:16:06:36:07 hit tcp c2.90 64796 local2.193 2967 1
2007:02:16:06:37:11 hit tcp c2.90 2070 local2.216 2967 1
2007:02:16:06:42:43 hit tcp c2.90 3838 local2.203 2967 1
2007:02:16:06:42:46 hit tcp c2.90 3838 local2.203 2967 1
2007:02:16:06:44:15 hit tcp c2.90 7883 local2.172 2967 1
2007:02:16:06:44:16 hit tcp c2.90 7925 local2.231 2967 1
2007:02:16:06:44:18 hit tcp c2.90 7883 local2.172 2967 1
2007:02:16:06:44:19 hit tcp c2.90 7925 local2.231 2967 1
2007:02:16:06:44:34 hit tcp c2.90 10306 local2.167 2967 1
2007:02:16:06:44:37 hit tcp c2.90 10306 local2.167 2967 1
2007:02:16:06:44:57 hit tcp c2.90 5597 local2.132 2967 1
2007:02:16:06:48:41 hit tcp c2.90 14060 local2.203 2967 1
2007:02:16:06:48:44 hit tcp c2.90 14060 local2.203 2967 1
2007:02:16:06:49:17 hit tcp c2.90 12809 local2.134 2967 1
2007:02:16:07:12:26 hit tcp c2.90 6578 local2.215 2967 1
2007:02:16:07:12:29 hit tcp c2.90 6578 local2.215 2967 1
2007:02:16:07:19:49 hit tcp c2.90 5284 local2.194 2967 1
2007:02:16:07:20:47 hit tcp c2.90 4408 local2.215 2967 1
2007:02:16:07:20:50 hit tcp c2.90 4408 local2.215 2967 1
2007:02:16:07:24:35 hit tcp c2.90 6440 local2.134 2967 1
2007:02:16:07:24:38 hit tcp c2.90 6440 local2.134 2967 1
2007:02:16:07:27:32 hit tcp c2.90 4880 local2.172 2967 1
2007:02:16:07:30:43 hit tcp c2.90 15440 local2.132 2967 1
2007:02:16:07:30:46 hit tcp c2.90 15440 local2.132 2967 1
2007:02:16:10:26:34 hit udp c1.141 1074 local1.235 38293 1
2007:02:16:10:26:34 hit udp c1.141 1074 local1.235 38293 1
2007:02:16:10:26:34 hit udp c1.141 1074 local1.235 38293 1
2007:02:16:10:26:34 hit udp c1.141 1074 local1.235 38293 1
2007:02:16:11:51:49 hit udp c1.141 1075 local1.235 38293 1
2007:02:16:11:51:49 hit udp c1.141 1075 local1.235 38293 1
2007:02:16:11:51:49 hit udp c1.141 1075 local1.235 38293 1
2007:02:16:11:51:49 hit udp c1.141 1075 local1.235 38293 1
2007:02:16:15:50:25 hit udp c1.141 1050 local1.235 38293 1
2007:02:16:15:50:25 hit udp c1.141 1050 local1.235 38293 1
2007:02:16:15:50:25 hit udp c1.141 1050 local1.235 38293 1
2007:02:16:15:50:25 hit udp c1.141 1050 local1.235 38293 1
2007:02:16:16:42:49 hit udp c1.141 1051 local1.235 38293 1
2007:02:16:16:42:49 hit udp c1.141 1051 local1.235 38293 1
2007:02:16:16:42:49 hit udp c1.141 1051 local1.235 38293 1
2007:02:16:16:42:49 hit udp c1.141 1051 local1.235 38293 1
2007:02:16:17:24:45 hit udp c1.141 1049 local1.235 38293 1
2007:02:16:17:24:45 hit udp c1.141 1049 local1.235 38293 1
2007:02:16:17:24:45 hit udp c1.141 1049 local1.235 38293 1
2007:02:16:17:24:45 hit udp c1.141 1049 local1.235 38293 1

#oh oh
2007:02:16:21:44:07 hit tcp c1.141 1421 local1.159 1433 1
2007:02:16:21:44:34 hit tcp c1.141 2267 local1.250 2967 1
2007:02:16:21:44:37 hit tcp c1.141 2267 local1.250 2967 1
2007:02:16:21:45:13 hit tcp c1.141 3414 local1.246 1433 1
2007:02:16:21:46:21 hit tcp c1.141 1567 local1.243 1433 1
2007:02:16:21:46:24 hit tcp c1.141 1567 local1.243 1433 1
2007:02:16:21:48:08 hit tcp c1.141 4722 local1.194 2967 1
2007:02:16:21:48:11 hit tcp c1.141 4722 local1.194 2967 1
2007:02:16:21:49:35 hit tcp c1.141 3448 local1.59 1433 1
2007:02:16:21:49:38 hit tcp c1.141 3448 local1.59 1433 1
2007:02:16:21:49:40 hit tcp c1.141 3548 local1.175 2967 1
2007:02:16:21:49:43 hit tcp c1.141 3548 local1.175 2967 1
2007:02:16:21:50:01 hit tcp c1.141 4155 local1.47 2967 1
2007:02:16:21:50:01 hit tcp c1.141 4218 local1.196 1433 1
2007:02:16:21:50:04 hit tcp c1.141 4155 local1.47 2967 1
2007:02:16:21:50:04 hit tcp c1.141 4218 local1.196 1433 1
2007:02:16:21:50:52 hit tcp c1.141 1803 local1.176 1433 1
2007:02:16:21:50:55 hit tcp c1.141 1803 local1.176 1433 1
2007:02:16:21:51:02 hit tcp c1.141 2067 local1.175 2967 1
2007:02:16:21:51:05 hit tcp c1.141 2067 local1.175 2967 1
2007:02:16:21:53:17 hit tcp c1.141 2115 local1.9 2967 1
2007:02:16:21:53:35 hit tcp c1.141 2804 local1.180 1433 1
2007:02:16:21:53:38 hit tcp c1.141 2804 local1.180 1433 1
2007:02:16:21:53:58 hit tcp c1.141 3315 local1.80 139 1
2007:02:16:21:56:28 hit tcp c1.141 4084 local1.70 1433 1
2007:02:16:21:56:31 hit tcp c1.141 4084 local1.70 1433 1
2007:02:16:21:57:40 hit tcp c1.141 2224 local1.70 139 1
2007:02:16:21:57:43 hit tcp c1.141 2224 local1.70 139 1
2007:02:16:21:57:55 hit tcp c1.141 2763 local1.200 1433 1
2007:02:16:21:57:58 hit tcp c1.141 2763 local1.200 1433 1
2007:02:16:21:59:42 hit tcp c1.141 1979 local1.217 2967 1
2007:02:16:21:59:45 hit tcp c1.141 1979 local1.217 2967 1
2007:02:16:22:00:53 hit tcp c1.141 4245 local1.51 139 1
2007:02:16:22:00:54 hit tcp c1.141 4261 local1.196 2967 1
2007:02:16:22:00:56 hit tcp c1.141 4245 local1.51 139 1
2007:02:16:22:00:57 hit tcp c1.141 4261 local1.196 2967 1
2007:02:16:22:03:42 hit tcp c1.141 1694 local1.133 1433 1
2007:02:16:22:03:45 hit tcp c1.141 1694 local1.133 1433 1
2007:02:16:22:03:52 hit tcp c1.141 2002 local1.165 1433 1
2007:02:16:22:03:55 hit tcp c1.141 2002 local1.165 1433 1
2007:02:16:22:05:44 hit tcp c1.141 1755 local1.45 2967 1
2007:02:16:22:05:47 hit tcp c1.141 1755 local1.45 2967 1
2007:02:16:22:06:10 hit tcp c1.141 2556 local1.217 2967 1
2007:02:16:22:06:13 hit tcp c1.141 2556 local1.217 2967 1
#victim 2 is recruited
2007:02:16:22:06:58 hit tcp c1.203 3857 local1.235 2967 1
#and off it goes to infect at least 40+ campus hosts as of midnight Sat night.
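The firewall records above are the kind of input a small scan-onset detector can run over directly. The block below is an added example, not code from the post, from unisog or from any Symantec or Nessus tool: it parses the posted log format, counts distinct destination hosts each source reaches on the probed services (TCP 139, 1433, 2967 and UDP 38293) inside a sliding window, and reports when each source crossed the threshold. The sample records are a subset copied from the post; the ten-minute window and three-host threshold are assumptions, and the address labels (c1.141, local1.235 and so on) are treated as opaque strings.

```python
"""Scan-onset detection over the firewall log format shown in the post.

Record format (whitespace separated, one hit per line):
    yyyy:mm:dd:hh24:mi:ss hit proto srcip srcport destip destport hits
Address tokens such as c1.141 or local1.235 are the post's anonymised
labels and are handled as opaque strings.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, NamedTuple, Tuple

# Services the worm in the post probes, plus the UDP 38293 traffic the post
# mentions. The UDP noise is deliberately NOT whitelisted: it drops out on
# its own because a stuck client keeps hitting one host, not many.
WATCHED = {("tcp", 139), ("tcp", 1433), ("tcp", 2967), ("udp", 38293)}

# Assumed thresholds: three distinct target hosts inside ten minutes.
WINDOW = timedelta(minutes=10)
MIN_TARGETS = 3

# Records copied from the post (a subset); '#' lines are the post's own notes.
SAMPLE_LOG = """\
2007:02:16:02:26:35 hit udp c1.141 1074 local1.235 38293 1
2007:02:16:02:26:35 hit udp c1.141 1074 local1.235 38293 1
2007:02:16:06:13:37 hit tcp c2.90 20819 local2.211 2967 1
2007:02:16:06:13:40 hit tcp c2.90 20819 local2.211 2967 1
2007:02:16:06:31:23 hit tcp c2.90 56378 local2.211 2967 1
2007:02:16:06:31:58 hit tcp c2.90 52734 local2.167 2967 1
2007:02:16:06:33:58 hit tcp c2.90 57574 local2.245 2967 1
2007:02:16:06:35:19 hit tcp c2.90 63008 local2.216 2967 1
2007:02:16:17:24:45 hit udp c1.141 1049 local1.235 38293 1
2007:02:16:17:24:45 hit udp c1.141 1049 local1.235 38293 1
#oh oh
2007:02:16:21:44:07 hit tcp c1.141 1421 local1.159 1433 1
2007:02:16:21:44:34 hit tcp c1.141 2267 local1.250 2967 1
2007:02:16:21:44:37 hit tcp c1.141 2267 local1.250 2967 1
2007:02:16:21:45:13 hit tcp c1.141 3414 local1.246 1433 1
2007:02:16:21:53:58 hit tcp c1.141 3315 local1.80 139 1
2007:02:16:21:56:28 hit tcp c1.141 4084 local1.70 1433 1
2007:02:16:21:57:40 hit tcp c1.141 2224 local1.70 139 1
#victim 2 is recruited
2007:02:16:22:06:58 hit tcp c1.203  3857 local1.235 2967 1
"""


class Hit(NamedTuple):
    ts: datetime
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_line(line: str) -> Hit:
    """Parse one record; raise ValueError rather than guess on a bad line."""
    f = line.split()
    if len(f) != 8 or f[1] != "hit":
        raise ValueError(f"unexpected record: {line!r}")
    return Hit(datetime.strptime(f[0], "%Y:%m:%d:%H:%M:%S"),
               f[2].lower(), f[3], int(f[4]), f[5], int(f[6]))


def parse_log(lines: Iterable[str]) -> List[Hit]:
    """Parse every record, skipping blank lines and '#' comment lines."""
    return [parse_line(l) for l in map(str.strip, lines)
            if l and not l.startswith("#")]


def find_scanners(hits: List[Hit], window: timedelta = WINDOW,
                  min_targets: int = MIN_TARGETS) -> Dict[str, datetime]:
    """Map each scanning source to the timestamp of the first hit opening a
    window in which it reached min_targets distinct destination hosts on the
    watched services. Retransmits to the same host (the pairs 3 s apart in
    the post's log) count once, so a single stuck client is never flagged."""
    per_src: Dict[str, List[Hit]] = defaultdict(list)
    for h in hits:
        if (h.proto, h.dport) in WATCHED:
            per_src[h.src].append(h)
    onset: Dict[str, datetime] = {}
    for src, evs in per_src.items():
        evs.sort(key=lambda h: h.ts)
        for i, first in enumerate(evs):
            hosts = set()
            for h in evs[i:]:
                if h.ts - first.ts > window:
                    break
                hosts.add(h.dst)
                if len(hosts) >= min_targets:
                    onset[src] = first.ts
                    break
            if src in onset:
                break
    return onset


def onset_order(hits: List[Hit]) -> List[Tuple[str, datetime]]:
    """Scanners ordered by onset: the earliest is the best patient-zero
    candidate a firewall log alone can offer (it cannot show who infected
    whom, only who started scanning first)."""
    return sorted(find_scanners(hits).items(), key=lambda kv: kv[1])


def port_profile(hits: List[Hit], src: str) -> List[int]:
    """Distinct destination ports a source touched: the worm's 'signature'."""
    return sorted({h.dport for h in hits if h.src == src})


if __name__ == "__main__":
    hits = parse_log(SAMPLE_LOG.splitlines())
    for src, ts in onset_order(hits):
        print(f"{src:8} scanning from {ts:%Y-%m-%d %H:%M:%S} "
              f"ports {port_profile(hits, src)}")
```

Two things the threshold buys you on this data: c1.141's all-day UDP 38293 traffic to local1.235 never qualifies because it only ever reaches one host, and the single 22:06:58 hit from c1.203 is not enough on its own, so a source is reported only once it behaves like a scanner. Counting distinct hosts rather than distinct (host, port) pairs is the conservative choice; a server that legitimately talks to several services on one box is not a scanner. On a larger log the same function flags hosts long before an analyst reading raw lines would, which is the point of the "Friday night special" problem described above.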