RE: DDoS to microsoft sites
From: John Campbell (jcampbell@wsipc.org)Date: 01/30/02
- Previous message: Mike Lewinski: "DDoS to microsoft sites"
- Maybe in reply to: Mike Lewinski: "DDoS to microsoft sites"
- Next in thread: Bronek Kozicki: "Re: DDoS to microsoft sites"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: John Campbell <jcampbell@wsipc.org> To: 'Mike Lewinski' <mike@rockynet.com>, incidents@securityfocus.com Date: Tue, 29 Jan 2002 16:03:52 -0800
I've noticed 1025 and 1026 open on some members of our Win2K fleet. 1026 is
open on my own machine. Fport (www.foundstone.com) links 1026 to lsass.exe.
Not sure why some have it and others don't, although my machine is running
Server SP2. I've found a couple of machines with 1025 open, am looking into
it.
John Campbell, GCWN
Information Security Engineer
Washington School Information Processing Cooperative (WSIPC)
E-mail: jcampbell@wsipc.org
-----Original Message-----
From: Mike Lewinski [mailto:mike@rockynet.com]
Sent: Tuesday, January 29, 2002 3:24 PM
To: incidents@securityfocus.com
Subject: DDoS to microsoft sites
We've observed two disparate clients apparently rooted (both are Win2K I
believe), being used to packet flood a variety of Microsoft sites (msn.com,
hotmail.com and microsoft.com itself).
Just a few seconds of IP accounting showed:
Destination Packets Bytes
64.4.32.251 14201 20940508
207.68.171.254 11862 17764328
64.4.32.1 12142 18184104
207.46.197.102 59698 89401960
These clients are on very different CIDR blocks (from the first octet). We
don't have any further information at this time, other than one client
saturated their T1 and the other saturated a 10Mb/s connection.
I haven't observed any noticeable impacts to the microsoft sites being
attacked. We have been able to track back the activity on MRTG graphs to
last Thurs for both clients. We investigated the traffic volume the first
day it appeared and at that time saw what appeared to be an attack against
two hosts in .fr and one in .de. The client assured us at this time it was
legitimate traffic.
A port scan of one of the infected hosts shows:
7 Echo
9 Discard
13 Daytime
17 Quote of the Day
19 Character Generator
21 File Transfer Protocol [Control]
25 Simple Mail Transfer
80 World Wide Web HTTP
135 DCE endpoint resolution
139 NETBIOS Session Service
443 https MCom
445 Microsoft-DS
548 AFP over TCP
1025 network blackjack
1026
1027 ICQ?
1433 Microsoft-SQL-Server
5631 pcANYWHEREdata
The client claims that they are not running Appletalk (548) but I'm not sure
whether to believe. We haven't been able to get console access to that
machine to do any further investigation (but have blocked it upstream). Of
the above services, most look legit from what I can tell with the exception
of 548 and 1025-1027
Mike
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more
information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
- Previous message: Mike Lewinski: "DDoS to microsoft sites"
- Maybe in reply to: Mike Lewinski: "DDoS to microsoft sites"
- Next in thread: Bronek Kozicki: "Re: DDoS to microsoft sites"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
