RE: Unusual proxy port scan

From: Jim Harrison (SPG) (jmharr@microsoft.com)
Date: 06/24/02


Date: Mon, 24 Jun 2002 08:15:12 -0700
From: "Jim Harrison (SPG)" <jmharr@microsoft.com>
To: "Bill Royds" <email@royds.net>, "Incidents List" <incidents@securityfocus.com>

One small clarification here..

Other than TCP-80 for inbound web requests, ISA doesn't "own" any ports
on the external interface that aren't intentionally defined.
Specifically, ISA doesn't allow web proxy requests on the external
interface unless the operator chooses to publish the internal proxy
listener to the Internet (not a smart move anyway).

* Jim Harrison
MCP(2K), A+, Network+
Services Platform Division

The burden of proof is not satisfied by a lack of evidence to the
contrary..

-----Original Message-----
From: Bill Royds [mailto:email@royds.net]
Sent: Sunday, June 23, 2002 12:43 PM
To: Incidents List
Subject: RE: Unusual proxy port scan

I have received some feedback on this message.
Port 3389 is used by Microsoft Terminal Server and 1813 is used by
Radius (normally as UDP)

The combination with other proxy ports would indicate that there may be
an exploit of Microsoft ISA server which uses all of these ports and is
often used as a firewall/cache proxy.

The source IP for these probes is owned by Intel, so it seemed unlikely
that it was a script kiddie, but an exploit worm for ISA/Terminal
Server seems a possibility. There have been recent problems with some
RADIUS software

I also received more proxy scans this morning with 2 separate IP's
scanning for same ports in a fast scan. Have others found this in their
IDS/firewall logs? (times are EDT UTC-400)

$ host 24.232.188.183
183.188.232.24.IN-ADDR.ARPA domain name pointer
OL183-188.fibertel.com.ar

Sun June 23 2002 09:07:41 Unrecognized access from 24.232.188.183:50810
to TCP port 8080 Sun June 23 2002 09:07:41 Unrecognized access from
24.232.188.183:50811 to TCP port 3128 Sun June 23 2002 09:07:41
Unrecognized access from 24.232.188.183:50812 to TCP port 81 Sun June 23
2002 09:07:41 Unrecognized access from 24.232.188.183:50813 to TCP port
8000 Sun June 23 2002 09:07:41 Unrecognized access from
24.232.188.183:50814 to TCP port 14465 Sun June 23 2002 09:07:44
Unrecognized access from 24.232.188.183:50814 to TCP port 14465 Sun June
23 2002 09:07:44 Unrecognized access from 24.232.188.183:50810 to TCP
port 8080 Sun June 23 2002 09:07:44 Unrecognized access from
24.232.188.183:50811 to TCP port 3128 Sun June 23 2002 09:07:44
Unrecognized access from 24.232.188.183:50813 to TCP port 8000 Sun June
23 2002 09:07:44 Unrecognized access from 24.232.188.183:50812 to TCP
port 81 Sun June 23 2002 09:07:51 Unrecognized access from
24.232.188.183:50814 to TCP port 14465 Sun June 23 2002 09:07:51
Unrecognized access from 24.232.188.183:50810 to TCP port 8080 Sun June
23 2002 09:07:51 Unrecognized access from 24.232.188.183:50811 to TCP
port 3128 Sun June 23 2002 09:07:51 Unrecognized access from
24.232.188.183:50813 to TCP port 8000 Sun June 23 2002 09:07:51
Unrecognized access from 24.232.188.183:50812 to TCP port 81

Sun June 23 2002 09:14:36 Unrecognized access from 65.209.222.187:16265
to TCP port 8080 Sun June 23 2002 09:14:36 Unrecognized access from
65.209.222.187:16266 to TCP port 3128 Sun June 23 2002 09:14:36
Unrecognized access from 65.209.222.187:16267 to TCP port 81 Sun June 23
2002 09:14:36 Unrecognized access from 65.209.222.187:16268 to TCP port
8000 Sun June 23 2002 09:14:36 Unrecognized access from
65.209.222.187:16269 to TCP port 14465 Sun June 23 2002 09:14:39
Unrecognized access from 65.209.222.187:16267 to TCP port 81 Sun June 23
2002 09:14:39 Unrecognized access from 65.209.222.187:16268 to TCP port
8000 Sun June 23 2002 09:14:39 Unrecognized access from
65.209.222.187:16266 to TCP port 3128 Sun June 23 2002 09:14:39
Unrecognized access from 65.209.222.187:16269 to TCP port 14465 Sun June
23 2002 09:14:39 Unrecognized access from 65.209.222.187:16265 to TCP
port 8080 Sun June 23 2002 09:14:45 Unrecognized access from
65.209.222.187:16267 to TCP port 81 Sun June 23 2002 09:14:45
Unrecognized access from 65.209.222.187:16268 to TCP port 8000 Sun June
23 2002 09:14:45 Unrecognized access from 65.209.222.187:16265 to TCP
port 8080 Sun June 23 2002 09:14:45 Unrecognized access from
65.209.222.187:16269 to TCP port 14465 Sun June 23 2002 09:14:45
Unrecognized access from 65.209.222.187:16266 to TCP port 3128

-----Original Message-----
From: Bill Royds [mailto:sf-lists@royds.net]
Sent: Sat June 22 2002 20:49
To: Incidents List
Subject: Unusual proxy port scan

My home cable modem with switch recorded this interesting scan this
afternoon (times EDT). I know about 8080 and 3128 (SQUID proxy ports)
but what are 3389 and 1813, especially since there was a bigger push on
1813

Sat June 22 2002 13:02:02 Unrecognized access from 4.18.239.237:3941 to
TCP port 8080 Sat June 22 2002 13:02:02 Unrecognized access from
4.18.239.237:3944 to TCP port 3128 Sat June 22 2002 13:02:02
Unrecognized access from 4.18.239.237:3945 to TCP port 3389 Sat June 22
2002 13:02:02 Unrecognized access from 4.18.239.237:3946 to TCP port
1813 Sat June 22 2002 13:02:05 Unrecognized access from
4.18.239.237:3941 to TCP port 8080 Sat June 22 2002 13:02:05
Unrecognized access from 4.18.239.237:3946 to TCP port 1813 Sat June 22
2002 13:02:05 Unrecognized access from 4.18.239.237:3944 to TCP port
3128 Sat June 22 2002 13:02:05 Unrecognized access from
4.18.239.237:3945 to TCP port 3389 Sat June 22 2002 13:02:11
Unrecognized access from 4.18.239.237:3941 to TCP port 8080 Sat June 22
2002 13:02:11 Unrecognized access from 4.18.239.237:3946 to TCP port
1813 Sat June 22 2002 13:02:12 Unrecognized access from
4.18.239.237:3944 to TCP port 3128 Sat June 22 2002 13:02:12
Unrecognized access from 4.18.239.237:3945 to TCP port 3389 Sat June 22
2002 13:02:27 Unrecognized access from 4.18.239.237:1057 to TCP port
1813 Sat June 22 2002 13:02:31 Unrecognized access from
4.18.239.237:1057 to TCP port 1813 Sat June 22 2002 13:02:37
Unrecognized access from 4.18.239.237:1057 to TCP port 1813

IP has no reverse host name lookup

$ dig -x 4.18.239.237

; <<>> DiG 8.3 <<>> -x
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;;
QUERY SECTION:
;; 237.239.18.4.in-addr.arpa, type = ANY, class = IN

;; AUTHORITY SECTION:
239.18.4.in-addr.arpa. 43m20s IN SOA dnspri.sys.gtei.net.
dns-admin.bbnplanet.com. (
                                        2002052850 ; serial
                                        1H ; refresh
                                        15M ; retry
                                        1w3d ; expiry
                                        1D ) ; minimum

;; Total query time: 1000 msec
;; FROM: bill-nt to SERVER: default -- 192.168.0.148
;; WHEN: Sat Jun 22 18:36:38 2002
;; MSG SIZE sent: 43 rcvd: 121

$ whois -h whois.arin.net INTEL-239-10
Intel (NETBLK-INTEL-239-10)
   5200 NE Elam Young Parkway
   Hillsboro, OR 97124
   US

   Netname: INTEL-239-10
   Netblock: 4.18.239.192 - 4.18.239.255

   Coordinator:
      Vasconcellos, Phillip (PV172-ARIN)
phillip.vasconcellos@intel.com
      503-712-9140

   Record last updated on 11-Oct-2001.
   Database last updated on 21-Jun-2002 19:59:57 EDT.

The ARIN Registration Services Host contains ONLY Internet Network
Information: Networks, ASN's, and related POC's. Please use the whois
server at rs.internic.net for DOMAIN related Information and
whois.nic.mil for NIPRNET Information. $ whois -h whois.arin.net
4.18.239.237
GENUITY (NET-GNTY-4-0) GNTY-4-0 4.0.0.0 -
4.255.255.255
Intel (NETBLK-INTEL-239-10) INTEL-239-10 4.18.239.192 -
4.18.239.255

To single out one record, look it up with "!xxx", where xxx is the
handle, shown in parenthesis following the name, which comes first.

The ARIN Registration Services Host contains ONLY Internet Network
Information: Networks, ASN's, and related POC's. Please use the whois
server at rs.internic.net for DOMAIN related Information and
whois.nic.mil for NIPRNET Information.

------------------------------------------------------------------------

----
This list is provided by the SecurityFocus ARIS analyzer service. For
more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

------------------------------------------------------------------------ ---- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com



Relevant Pages

  • Worm identity?
    ... I'm sure those who are watching port scans more closely than I will ... 11:05:30 Unrecognized access from 10.161.77.197:3398 to TCP port 2745 ... or if you can suggest a decent resource that allows worm ...
    (comp.security.firewalls)
  • Re: TCP port 5000 syn increasing
    ... I have noticed the TCP port 5000's also, and I'm getting a fair amount from ... > Security Linux, the comprehensive security solution that combines six ...
    (Incidents)
  • Re: Why Is Google Connecting to My Mac?
    ... destination: ssl-google-analytics.l.google.com ... wants to connect to ssl-google-analytics.l.google.com on TCP port ...
    (comp.sys.mac.misc)
  • Re: Info on SMC Barricade
    ... 24.242.35.125:1025 to UDP port 137 ... Thursday, November 22, 2001 16:43:25 Unrecognized access from ... 213.131.184.204:2048 to TCP port 53 ...
    (Security-Basics)
  • RE: RDC Problem Driving me Mental
    ... SBS 2003 computer starts using TCP port 3389 before the Terminal Services ... The process that most frequently causes this problem is the Microsoft ... Exchange System Attendant service. ...
    (microsoft.public.windows.server.sbs)