Re: [fw-wiz] FW: OT? New compromise.



Port 1863 is the port for Microsoft's Instant Messenger client
communications. 1720 is default for LiveMeeting...in later versions
these two pieces of functionality are integrated together.

It could appear to exist on Linux boxes because of any of a number of
Instant Messenger clients that come by default. I know GAIM and Kopete
are included by default with Fedora 4 and later and work with all the
major IM networks (MSN, Yahoo, ICQ, AIM).

In MS systems, MSN IM client starts itself automatically unless you
specifically tell it not to. Likewise, even if you tell it not to,
loading MS Office 2003 or later will re-set it so that it starts
automatically again.

Jim Seymour wrote:

The following is a selection of the comments in a thread on another
mailing list (which is semi-confidential, so I won't be naming it),
with permission from each of the authors to re-post/forward here.

(N.B.: Since it's a forward from a semi-confidential mailing list, I'd
respectfully request that it not be forwarded elsewhere, tho I fully
realize the request certainly isn't enforceable. Thanks.)

Anybody recognize this?

------------------------- begin included text --------------------------
From: Ereshkigal
Subject: OT? New compromise.

Not exactly spam-related right now, but of fairly major concern.
We've been finding it a lot when looking at customers with spammy
viruses. A lot of them (currently 95-98%) have some type of services
running on ports1720 and 1863 in conjunction. Two weeks ago, we saw
it on maybe 1 of 10-15 customers. Over the weekend, it seems to have
reached a tipping point. I have no clue what is going on with this
and I've been digging into every source that I have.

Some of the other ISPs I've talked to, have seen the same trend. It
reeks of botnet to me. Currently, it's sitting there silently and
this is what worries me. Someone suggested that April 1 would be a
good day for chaos.

It's invisible on the local machine, cross-platform (both Windows and
*nix - confirmed on Fedora Core 4 running nessus and tripwire and
neither noticed anything amiss). None of the Windows deep utilities
find anything. I have several security sources and none of them have
been able to identify it, although traffic is starting to spike across
the internet to 1720. Traffic to 1863 has dropped off.

Any clues of the chaos to come? It's way too quiet for me and I don't
like not knowing what is going on.

-----------------------------------------

From: Ereshkigal <ereshkigal@xxxxxxxxx>
Subject: Re: OT? New compromise.

On 3/27/07, Edward Falk wrote:


Ereshkigal wrote:



It's invisible on the local machine, cross-platform (both Windows and
*nix - confirmed on Fedora Core 4 running nessus and tripwire and
neither noticed anything amiss). None of the Windows deep utilities
find anything. I have several security sources and none of them have
been able to identify it, although traffic is starting to spike across
the internet to 1720. Traffic to 1863 has dropped off.


Wait, it's on Unix/Linux? That's pretty rare for a virus. How many
different versions?



This is part of what's bothering me. None of our customers have been
able to actually get anything from it yet. There's one with a high
level of clue tearing his systems apart tonight. He's the one with
Fedora. That's the only system that I personally have confirmed as a
Linux system so far. I'd have to go through all our tickets for the
month and look to see which other systems might be *nix.



Any chance it could be videoconferencing software? That's what 1720 is
for. Videoconferencing software waiting for an incoming call, perhaps.
The H323 protocol negotiates several ports for side channels, so
perhaps the software in question is also using 1863.



The customers that are technical enough have confirmed that nothing
should be running there. I had to delete the snarky bit of the
answer. I've been working for about two weeks straight, stopping for
long enough to sleep and shower and that's about it.

If it was normal traffic, I'd not have posted about it. I'm really
concerned about the rate that we're seeing this spread and what it
actually is. This is showing up on several other major providers, on
more customers of our than we can account for with videoconferencing,
and is spreading quickly. I somehow doubt that the number of people
using H323 went up by 50% over the weekend.

-----------------------------------------

From: Chris Newcomb <chris@xxxxxxxxxxxxxxxxxxxx>
Subject: Re: OT? New compromise.

Edward Falk wrote:


Ereshkigal wrote:



It's invisible on the local machine, cross-platform (both Windows and
*nix - confirmed on Fedora Core 4 running nessus and tripwire and
neither noticed anything amiss). None of the Windows deep utilities
find anything. I have several security sources and none of them have
been able to identify it, although traffic is starting to spike across
the internet to 1720. Traffic to 1863 has dropped off.


Wait, it's on Unix/Linux? That's pretty rare for a virus. How many
different versions?

Any chance it could be videoconferencing software? That's what 1720
is for. Videoconferencing software waiting for an incoming call,
perhaps. The H323 protocol negotiates several ports for side
channels, so perhaps the software in question is also using 1863.

-ed



I've seen it on a couple of systems, but I didn't get to it quickly
enough after my reps notified me of it, as the customers had requested a
os reload.

-----------------------------------------

From: Ereshkigal <ereshkigal@xxxxxxxxx>
Subject: Re: OT? New compromise.

On 3/27/07, Edward Falk wrote:


How can people test to see if it's happening on their system?



It's essentially invisible on the localhost. Any external diagnostic
should let you see what's happening, though. We've caught it with
nmap of all the ports, primarily. Either that or try a simple telnet
IP 1863. It won't banner but you can send commands. We're just
suggesting reinstalls for any of our less-clued customers right now.

If someone can get a sample, then something less drastic can be done,
but most Mom and Pop's aren't capable of it.

-----------------------------------------

From: Ereshkigal <ereshkigal@xxxxxxxxx>
Subject: Re: OT? New compromise.

On 3/27/07, Jon Lewis wrote:


On Tue, 27 Mar 2007, Ereshkigal wrote:



It's essentially invisible on the localhost. Any external diagnostic
should let you see what's happening, though. We've caught it with
nmap of all the ports, primarily. Either that or try a simple telnet
IP 1863. It won't banner but you can send commands. We're just
suggesting reinstalls for any of our less-clued customers right now.


By "send commands" do you mean this is one of those really old-school
"unauthenticated root-shell on a tcp port" services?



Appears to possibly be so. If you disconnect after some number of
invalid commands, then try to reconnect, it will accept the connection
and then immediately kick you.

-------------------------- end included text ---------------------------

Regards,
Jim



_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards



Relevant Pages

  • Re: Getting around corporate firewalls to access ssh server
    ... the ports on the two servers and put the release server on 22. ... restrictive of what the users are allowed to do with the network. ... For those customers where you are having problems, ...
    (comp.os.linux.networking)
  • [fw-wiz] FW: OT? New compromise.
    ... We've been finding it a lot when looking at customers with spammy ... *nix - confirmed on Fedora Core 4 running nessus and tripwire and ... Videoconferencing software waiting for an incoming call, ... The H323 protocol negotiates several ports for side channels, ...
    (Firewall-Wizards)
  • Re: can ping, but cant ftp
    ... Like I said, we have customers ... * - can restrict the ports offered in some ftp server implementations, but not the 3000's, unless James sneaked that ability in while I wasn't looking. ... * To join/leave the list, search archives, change list settings, * ...
    (comp.sys.hp.mpe)
  • Re: o2 to Orange number port, Orange tell me problems since last week?
    ... for work - Business customers must been hugely effected. ... I have just ported 32 numbers from Voda to Orange for a business ... a network problem where these three numbers have failed to connect to ... I have had minor problems with previous ports, ...
    (uk.telecom.mobile)