[unisog] worm that looks for 139, 1433 and 2967

John H. Sawyer jsawyer at ufl.edu
Mon Feb 19 06:05:37 GMT 2007


38293/udp is a port on the management server for Symantec AV. Do you  
know if the IP it is hitting was ever a management server? Check the  
link below that lists all ports associated with Symantec's AV and  
enterprise management.

http://service1.symantec.com/SUPPORT/ent-security.nsf/pfdocs/2005033011582148?Open&dtype=corp

1433/tcp is Microsoft SQL Server. Nessus has several plugins  
including version info of the SQL server, certain known buffer  
overflows and blank 'sa' passwords. Run them all.

If these hosts are "managed" hosts (I'm assuming that since they are  
running the enterprise version of Symantec AV that has 2967/tcp  
open), then I'd highly recommend you have them apply an IPSec policy  
to all of those hosts so that only the management server can talk to  
that port. That way, all of the machines could be vulnerable and they  
would only ever get pwned if the management server got hit first.

-jhs
--
John H. Sawyer
IT Senior Security Engineer
University of Florida - IT Security Team
352.392.2061 - jsawyer at ufl.edu - infosec.ufl.edu


On Feb 18, 2007, at 5:41 PM, power less wrote:

> Wow good info. I'm mulling it all over. Thanks so much for all the  
> responses!
>
> BTW I have no control nor influence over any campus firewalls so  
> cannot see who the bots are connecting to or something like that as  
> things stand now. Which would be very interesting and useful  
> information. (Probably the important people here do this kind of  
> analysis and report it to FIRST or something like that.) The only  
> way I could get that info would be to put up my own honeypot with  
> my own firewall in front of it, catch some bots, and view what they  
> did. Sounds like a good idea.
>
> I noticed that there is a Nessus plugin to scan for the SYM06-010  
> vulnerability.
> "Vulnerability in Symantec AntiVirus could allow remote code  
> execution (SYM06-010)"
> #24236 I presume it works?
>
> But what should we be scanning for on 1433?
>
> Here's one possibly utterly irrelevant aspect of the "incident": the  
> first known-to-me victim was a host that had been scanning for UDP  
> 38293. This behavior is typically ignored as a misconfigured legacy  
> SAVCE client.
> ......
> It was a very quiet Friday for the firewall.... (the computer(s) that  
> do some kind of peer-to-peer stuff seemed not to be around :-)
>
> There was just that campus host that perennially tries to connect  
> to udp port 38293 on one single host on our network. There was  
> another IP that was already scanning for 2967 and had done so on  
> and off in the past (possibly someone's gateway?) but it had a  
> thing for networks that had the same starting octet in the IP  
> address as its host (c2) so it may not have ever attacked c1.141,  
> whose first octet was different. Also c2.90 appears to have stopped  
> scanning at 7:30 am. But then ... c1.141 got the bug or (new  
> instructions?) sometime before 9:44 pm...
>
> Then it was off and running. After 20 minutes the firewall blocked  
> another victim and it went from there.
>
> I don't know if the udp 38293 detail had anything to do with it but  
> this is a classic, the Friday night special. The network admins go  
> home and the bots wake up :-) (And then Saturday that c1.141 host  
> was still looking for 1433, 2967 and UDP 38293. so pathetic!)
>
> yyyy:mm:dd:hh24:mi:ss hit proto srcip srcport destip destport hits
> 2007:02:16:02:26:35 hit udp c1.141 1074 local1.235 38293 1
> 2007:02:16:02:26:35 hit udp c1.141 1074 local1.235 38293 1
> 2007:02:16:02:26:35 hit udp c1.141 1074 local1.235 38293 1
> 2007:02:16:02:26:35 hit udp c1.141 1074 local1.235 38293 1
> 2007:02:16:06:13:37 hit tcp c2.90 20819 local2.211 2967 1
> 2007:02:16:06:13:40 hit tcp c2.90 20819 local2.211 2967 1
> 2007:02:16:06:15:47 hit tcp c2.90 24931 local2.211 2967 1
> 2007:02:16:06:15:50 hit tcp c2.90 24931 local2.211 2967 1
> 2007:02:16:06:31:23 hit tcp c2.90 56378 local2.211 2967 1
> 2007:02:16:06:31:26 hit tcp c2.90 56378 local2.211 2967 1
> 2007:02:16:06:31:58 hit tcp c2.90 52734 local2.167 2967 1
> 2007:02:16:06:32:01 hit tcp c2.90 52734 local2.167 2967 1
> 2007:02:16:06:33:58 hit tcp c2.90 57574 local2.245 2967 1
> 2007:02:16:06:34:01 hit tcp c2.90 57574 local2.245 2967 1
> 2007:02:16:06:35:08 hit tcp c2.90 55255 local2.211 2967 1
> 2007:02:16:06:35:11 hit tcp c2.90 55255 local2.211 2967 1
> 2007:02:16:06:35:19 hit tcp c2.90 63008 local2.216 2967 1
> 2007:02:16:06:35:22 hit tcp c2.90 63008 local2.216 2967 1
> 2007:02:16:06:36:07 hit tcp c2.90 64796 local2.193 2967 1
> 2007:02:16:06:37:11 hit tcp c2.90 2070 local2.216 2967 1
> 2007:02:16:06:42:43 hit tcp c2.90 3838 local2.203 2967 1
> 2007:02:16:06:42:46 hit tcp c2.90 3838 local2.203 2967 1
> 2007:02:16:06:44:15 hit tcp c2.90 7883 local2.172 2967 1
> 2007:02:16:06:44:16 hit tcp c2.90 7925 local2.231 2967 1
> 2007:02:16:06:44:18 hit tcp c2.90 7883 local2.172 2967 1
> 2007:02:16:06:44:19 hit tcp c2.90 7925 local2.231 2967 1
> 2007:02:16:06:44:34 hit tcp c2.90 10306 local2.167 2967 1
> 2007:02:16:06:44:37 hit tcp c2.90 10306 local2.167 2967 1
> 2007:02:16:06:44:57 hit tcp c2.90 5597 local2.132 2967 1
> 2007:02:16:06:48:41 hit tcp c2.90 14060 local2.203 2967 1
> 2007:02:16:06:48:44 hit tcp c2.90 14060 local2.203 2967 1
> 2007:02:16:06:49:17 hit tcp c2.90 12809 local2.134 2967 1
> 2007:02:16:07:12:26 hit tcp c2.90 6578 local2.215 2967 1
> 2007:02:16:07:12:29 hit tcp c2.90 6578 local2.215 2967 1
> 2007:02:16:07:19:49 hit tcp c2.90 5284 local2.194 2967 1
> 2007:02:16:07:20:47 hit tcp c2.90 4408 local2.215 2967 1
> 2007:02:16:07:20:50 hit tcp c2.90 4408 local2.215 2967 1
> 2007:02:16:07:24:35 hit tcp c2.90 6440 local2.134 2967 1
> 2007:02:16:07:24:38 hit tcp c2.90 6440 local2.134 2967 1
> 2007:02:16:07:27:32 hit tcp c2.90 4880 local2.172 2967 1
> 2007:02:16:07:30:43 hit tcp c2.90 15440 local2.132 2967 1
> 2007:02:16:07:30:46 hit tcp c2.90 15440 local2.132 2967 1
> 2007:02:16:10:26:34 hit udp c1.141 1074 local1.235 38293 1
> 2007:02:16:10:26:34 hit udp c1.141 1074 local1.235 38293 1
> 2007:02:16:10:26:34 hit udp c1.141 1074 local1.235 38293 1
> 2007:02:16:10:26:34 hit udp c1.141 1074 local1.235 38293 1
> 2007:02:16:11:51:49 hit udp c1.141 1075 local1.235 38293 1
> 2007:02:16:11:51:49 hit udp c1.141 1075 local1.235 38293 1
> 2007:02:16:11:51:49 hit udp c1.141 1075 local1.235 38293 1
> 2007:02:16:11:51:49 hit udp c1.141 1075 local1.235 38293 1
> 2007:02:16:15:50:25 hit udp c1.141 1050 local1.235 38293 1
> 2007:02:16:15:50:25 hit udp c1.141 1050 local1.235 38293 1
> 2007:02:16:15:50:25 hit udp c1.141 1050 local1.235 38293 1
> 2007:02:16:15:50:25 hit udp c1.141 1050 local1.235 38293 1
> 2007:02:16:16:42:49 hit udp c1.141 1051 local1.235 38293 1
> 2007:02:16:16:42:49 hit udp c1.141 1051 local1.235 38293 1
> 2007:02:16:16:42:49 hit udp c1.141 1051 local1.235 38293 1
> 2007:02:16:16:42:49 hit udp c1.141 1051 local1.235 38293 1
> 2007:02:16:17:24:45 hit udp c1.141 1049 local1.235 38293 1
> 2007:02:16:17:24:45 hit udp c1.141 1049 local1.235 38293 1
> 2007:02:16:17:24:45 hit udp c1.141 1049 local1.235 38293 1
> 2007:02:16:17:24:45 hit udp c1.141 1049 local1.235 38293 1
>
> #oh oh
> 2007:02:16:21:44:07 hit tcp c1.141 1421 local1.159 1433 1
> 2007:02:16:21:44:34 hit tcp c1.141 2267 local1.250 2967 1
> 2007:02:16:21:44:37 hit tcp c1.141 2267 local1.250 2967 1
> 2007:02:16:21:45:13 hit tcp c1.141 3414 local1.246 1433 1
> 2007:02:16:21:46:21 hit tcp c1.141 1567 local1.243 1433 1
> 2007:02:16:21:46:24 hit tcp c1.141 1567 local1.243 1433 1
> 2007:02:16:21:48:08 hit tcp c1.141 4722 local1.194 2967 1
> 2007:02:16:21:48:11 hit tcp c1.141 4722 local1.194 2967 1
> 2007:02:16:21:49:35 hit tcp c1.141 3448 local1.59 1433 1
> 2007:02:16:21:49:38 hit tcp c1.141 3448 local1.59 1433 1
> 2007:02:16:21:49:40 hit tcp c1.141 3548 local1.175 2967 1
> 2007:02:16:21:49:43 hit tcp c1.141 3548 local1.175 2967 1
> 2007:02:16:21:50:01 hit tcp c1.141 4155 local1.47 2967 1
> 2007:02:16:21:50:01 hit tcp c1.141 4218 local1.196 1433 1
> 2007:02:16:21:50:04 hit tcp c1.141 4155 local1.47 2967 1
> 2007:02:16:21:50:04 hit tcp c1.141 4218 local1.196 1433 1
> 2007:02:16:21:50:52 hit tcp c1.141 1803 local1.176 1433 1
> 2007:02:16:21:50:55 hit tcp c1.141 1803 local1.176 1433 1
> 2007:02:16:21:51:02 hit tcp c1.141 2067 local1.175 2967 1
> 2007:02:16:21:51:05 hit tcp c1.141 2067 local1.175 2967 1
> 2007:02:16:21:53:17 hit tcp c1.141 2115 local1.9 2967 1
> 2007:02:16:21:53:35 hit tcp c1.141 2804 local1.180 1433 1
> 2007:02:16:21:53:38 hit tcp c1.141 2804 local1.180 1433 1
> 2007:02:16:21:53:58 hit tcp c1.141 3315 local1.80 139 1
> 2007:02:16:21:56:28 hit tcp c1.141 4084 local1.70 1433 1
> 2007:02:16:21:56:31 hit tcp c1.141 4084 local1.70 1433 1
> 2007:02:16:21:57:40 hit tcp c1.141 2224 local1.70 139 1
> 2007:02:16:21:57:43 hit tcp c1.141 2224 local1.70 139 1
> 2007:02:16:21:57:55 hit tcp c1.141 2763 local1.200 1433 1
> 2007:02:16:21:57:58 hit tcp c1.141 2763 local1.200 1433 1
> 2007:02:16:21:59:42 hit tcp c1.141 1979 local1.217 2967 1
> 2007:02:16:21:59:45 hit tcp c1.141 1979 local1.217 2967 1
> 2007:02:16:22:00:53 hit tcp c1.141 4245 local1.51 139 1
> 2007:02:16:22:00:54 hit tcp c1.141 4261 local1.196 2967 1
> 2007:02:16:22:00:56 hit tcp c1.141 4245 local1.51 139 1
> 2007:02:16:22:00:57 hit tcp c1.141 4261 local1.196 2967 1
> 2007:02:16:22:03:42 hit tcp c1.141 1694 local1.133 1433 1
> 2007:02:16:22:03:45 hit tcp c1.141 1694 local1.133 1433 1
> 2007:02:16:22:03:52 hit tcp c1.141 2002 local1.165 1433 1
> 2007:02:16:22:03:55 hit tcp c1.141 2002 local1.165 1433 1
> 2007:02:16:22:05:44 hit tcp c1.141 1755 local1.45 2967 1
> 2007:02:16:22:05:47 hit tcp c1.141 1755 local1.45 2967 1
> 2007:02:16:22:06:10 hit tcp c1.141 2556 local1.217 2967 1
> 2007:02:16:22:06:13 hit tcp c1.141 2556 local1.217 2967 1
> #victim 2 is recruited
> 2007:02:16:22:06:58 hit tcp c1.203  3857 local1.235 2967 1
> #and off it goes to infect at least 40+ campus hosts as of midnight Saturday night.
>
>
>
> _______________________________________________
> unisog mailing list
> unisog at lists.dshield.org
> https://lists.sans.org/mailman/listinfo/unisog
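An added example, not code from either poster, that runs the kind of "who just started sweeping" check the quoted firewall log invites. It parses the post's own log format (yyyy:mm:dd:hh24:mi:ss hit proto srcip srcport destip destport hits), ignores the perennial UDP 38293 chatter, counts each destination/port pair once so the 3-second SYN retransmit pairs do not inflate the numbers, and alerts when one source touches five distinct targets on 139, 1433 or 2967 inside ten minutes. The sample lines are a subset of the log quoted above; the ten-minute window and the threshold of five are assumptions.

```python
"""Flag hosts that start sweeping the worm ports (139, 1433, 2967) in the
firewall log format from the post:

    yyyy:mm:dd:hh24:mi:ss hit proto srcip srcport destip destport hits
"""
from collections import defaultdict
from datetime import datetime, timedelta

WORM_PORTS = {139, 1433, 2967}   # the three TCP ports the worm sweeps
WINDOW = timedelta(minutes=10)   # assumption: look-back window per source
THRESHOLD = 5                    # assumption: distinct (dst, port) pairs before alerting

# Sample input: a subset of the lines from the quoted firewall log, with the
# addresses anonymised the way the post had them (c1.141, local1.235, ...).
SAMPLE_LOG = """\
2007:02:16:02:26:35 hit udp c1.141 1074 local1.235 38293 1
2007:02:16:06:13:37 hit tcp c2.90 20819 local2.211 2967 1
2007:02:16:06:13:40 hit tcp c2.90 20819 local2.211 2967 1
2007:02:16:06:31:58 hit tcp c2.90 52734 local2.167 2967 1
2007:02:16:06:33:58 hit tcp c2.90 57574 local2.245 2967 1
2007:02:16:06:35:08 hit tcp c2.90 55255 local2.211 2967 1
2007:02:16:06:35:19 hit tcp c2.90 63008 local2.216 2967 1
2007:02:16:06:36:07 hit tcp c2.90 64796 local2.193 2967 1
2007:02:16:06:42:43 hit tcp c2.90 3838 local2.203 2967 1
2007:02:16:10:26:34 hit udp c1.141 1074 local1.235 38293 1
2007:02:16:17:24:45 hit udp c1.141 1049 local1.235 38293 1
#oh oh
2007:02:16:21:44:07 hit tcp c1.141 1421 local1.159 1433 1
2007:02:16:21:44:34 hit tcp c1.141 2267 local1.250 2967 1
2007:02:16:21:44:37 hit tcp c1.141 2267 local1.250 2967 1
2007:02:16:21:45:13 hit tcp c1.141 3414 local1.246 1433 1
2007:02:16:21:46:21 hit tcp c1.141 1567 local1.243 1433 1
2007:02:16:21:48:08 hit tcp c1.141 4722 local1.194 2967 1
2007:02:16:21:49:35 hit tcp c1.141 3448 local1.59 1433 1
2007:02:16:21:53:58 hit tcp c1.141 3315 local1.80 139 1
2007:02:16:22:06:58 hit tcp c1.203  3857 local1.235 2967 1
"""


def parse_line(line):
    """Split one log line into a dict; raises ValueError on a malformed line."""
    ts, tag, proto, src, sport, dst, dport, hits = line.split()
    if tag != "hit":
        raise ValueError(f"unexpected record type: {tag!r}")
    return {
        "ts": datetime.strptime(ts, "%Y:%m:%d:%H:%M:%S"),
        "proto": proto, "src": src, "sport": int(sport),
        "dst": dst, "dport": int(dport), "hits": int(hits),
    }


def worm_port_events(lines, ports=WORM_PORTS):
    """Group TCP connection attempts to the worm ports by source, time-sorted.
    UDP traffic (the 38293 probes) and other ports are dropped here."""
    events = defaultdict(list)
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and the post's '#oh oh' style annotations
        r = parse_line(line)
        if r["proto"] == "tcp" and r["dport"] in ports:
            events[r["src"]].append((r["ts"], r["dst"], r["dport"]))
    for evs in events.values():
        evs.sort()
    return events


def find_scanners(lines, ports=WORM_PORTS, window=WINDOW, threshold=THRESHOLD):
    """Return {src: time of first alert} for sources that hit at least
    `threshold` distinct (destination, port) pairs on the worm ports within
    any span of length `window`. Retransmits to the same target count once,
    so a single stuck client does not trip the threshold."""
    alerts = {}
    for src, evs in worm_port_events(lines, ports).items():
        left = 0
        for right, (ts, _, _) in enumerate(evs):
            while evs[left][0] < ts - window:   # slide the window forward
                left += 1
            targets = {(dst, dport) for _, dst, dport in evs[left:right + 1]}
            if len(targets) >= threshold:
                alerts[src] = ts
                break
    return alerts


def first_contact(lines, ports=WORM_PORTS):
    """First worm-port probe per source: (ts, dst, dport). Bounds the time
    a host turned from quiet (or merely misconfigured) to infected."""
    return {src: evs[0] for src, evs in worm_port_events(lines, ports).items()}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    firsts = first_contact(lines)
    for src, ts in sorted(find_scanners(lines).items(), key=lambda kv: kv[1]):
        first_ts, dst, dport = firsts[src]
        print(f"{src}: sweeping worm ports at {ts:%Y-%m-%d %H:%M:%S} "
              f"(first probe {first_ts:%H:%M:%S} -> {dst}:{dport})")
```

On the sample, c2.90 trips the threshold during its 2967 sweep at 06:36:07 and c1.141 at 21:48:08, four minutes after its first 1433 probe; c1.203 appears in first_contact but not in the alerts because only one probe from it is in the log. Raising THRESHOLD or shrinking WINDOW makes the check stricter; pointing it at a full day of firewall output is the obvious next step.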


