RE: TCP 1025 scanning worm?

From: George M. Garner Jr. (gmgarner@erols.com)
Date: 07/19/02


From: "George M. Garner Jr." <gmgarner@erols.com>
To: "'H C'" <keydet89@yahoo.com>
Date: Fri, 19 Jul 2002 10:20:11 -0400

HC,

Actually, the endpoint map is on tcp 135 on MS Windows boxes. But I
have never tried it through a firewall before, so I don't know. It
might use tcp 139/145 SMB traffic.

Tcp port 1025 is being hosted by the task scheduler on this w2k box.
Running "rpcdump.exe -v -i" I get the following endpoint information:

ProtSeq:ncacn_ip_tcp
Endpoint:1025
NetOpt:
Annotation:
IsListening:YES
StringBinding:ncacn_ip_tcp:192.168.217.200[1025]
UUID:378e52b0-c0a9-11cf-822d-00aa0051e40f
ComTimeOutValue:RPC_C_BINDING_DEFAULT_TIMEOUT
VersMajor 1 VersMinor 0

ProtSeq:ncacn_ip_tcp
Endpoint:1025
NetOpt:
Annotation:
IsListening:YES
StringBinding:ncacn_ip_tcp:66.44.7.46[1025]
UUID:378e52b0-c0a9-11cf-822d-00aa0051e40f
ComTimeOutValue:RPC_C_BINDING_DEFAULT_TIMEOUT
VersMajor 1 VersMinor 0

ProtSeq:ncacn_ip_tcp
Endpoint:1025
NetOpt:
Annotation:
IsListening:YES
StringBinding:ncacn_ip_tcp:192.168.217.200[1025]
UUID:1ff70682-0a51-30e8-076d-740be8cee98b
ComTimeOutValue:RPC_C_BINDING_DEFAULT_TIMEOUT
VersMajor 1 VersMinor 0

ProtSeq:ncacn_ip_tcp
Endpoint:1025
NetOpt:
Annotation:
IsListening:YES
StringBinding:ncacn_ip_tcp:66.44.7.46[1025]
UUID:1ff70682-0a51-30e8-076d-740be8cee98b
ComTimeOutValue:RPC_C_BINDING_DEFAULT_TIMEOUT
VersMajor 1 VersMinor 0

Perhaps someone is looking for a poorly configured Windows box on which
to schedule a task. :-)

Regards,

George.
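An added example, not from George's message or the list: a small parser for the rpcdump -v -i record format quoted above, with a check that reports which interface UUIDs are actually listening and on which address. The sample input is constructed from two of the records above; the allowlist of Task Scheduler UUIDs is an assumption built from the author's observation that port 1025 belongs to the task scheduler, and the code assumes numeric addresses in the StringBinding, as in that output.

```python
import re
from ipaddress import ip_address

# Constructed sample: two of the rpcdump.exe -v -i records quoted in the message above.
SAMPLE = """\
ProtSeq:ncacn_ip_tcp
Endpoint:1025
IsListening:YES
StringBinding:ncacn_ip_tcp:192.168.217.200[1025]
UUID:378e52b0-c0a9-11cf-822d-00aa0051e40f

ProtSeq:ncacn_ip_tcp
Endpoint:1025
IsListening:YES
StringBinding:ncacn_ip_tcp:66.44.7.46[1025]
UUID:1ff70682-0a51-30e8-076d-740be8cee98b
"""
# Allowlist of expected interface UUIDs (assumption: built from a known-good host);
# these two are the ones the message attributes to the Task Scheduler.
KNOWN = {
    "378e52b0-c0a9-11cf-822d-00aa0051e40f": "Task Scheduler",
    "1ff70682-0a51-30e8-076d-740be8cee98b": "Task Scheduler",
}
BINDING = re.compile(r"^(?P<proto>\w+):(?P<host>[^\[]+)\[(?P<port>\d+)\]$")

def parse_rpcdump(text):
    """Split rpcdump -v -i output into one dict per blank-line-separated endpoint record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, val = line.partition(":")
            if sep:  # "Key:Value" lines; "VersMajor 1 VersMinor 0" has no colon and is skipped
                rec[key.strip()] = val.strip()
        records.append(rec)
    return records

def review(records):
    """Flag listening TCP interfaces that are not allowlisted, or are bound to a public address."""
    findings = []
    for rec in records:
        if rec.get("IsListening") != "YES" or rec.get("ProtSeq") != "ncacn_ip_tcp":
            continue
        m = BINDING.match(rec["StringBinding"])
        uuid, host, port = rec["UUID"].lower(), m["host"], m["port"]
        name = KNOWN.get(uuid)
        if name is None:
            findings.append(f"tcp/{port}: unknown interface {uuid} listening on {host}")
        elif ip_address(host).is_global:  # assumes numeric addresses, as in the output above
            findings.append(f"tcp/{port}: {name} ({uuid}) exposed on public address {host}")
    return findings
```

Run against a full rpcdump capture, the findings list is what you compare between a suspect box and a known-good one instead of reasoning from the port number alone.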

-----Original Message-----
From: H C [mailto:keydet89@yahoo.com]
Sent: Thursday, July 18, 2002 10:34 PM
To: George M. Garner Jr.
Subject: Re: TCP 1025 scanning worm?

George,

Will that work in all cases, or only if port 111 is
open?

HC

--- "George M. Garner Jr." <gmgarner@erols.com> wrote:
> HC,
>
> Running rpcdump.exe from the resource kit also might
> clear things up. It will show what interface is being
> advertized over that port.
>
> Regards,
>
> George.
>
> ----- Original Message -----
> From: "H C" <keydet89@yahoo.com>
> To: <incidents@securityfocus.com>
> Cc: <rdump@river.com>
> Sent: Thursday, July 18, 2002 2:36 PM
> Subject: re: TCP 1025 scanning worm?
>
>
> > > The sources are all Windows boxes listening on
> > > TCP port 1025.
> >
> > Not surprising at all. MS has documentation that
> > states that the ports from 1025-1030 are used by RPC.
> >
> >
> > Have you checked your own machine w/ fport? I've got
> > ports open in that range on my system right now, but
> > they're all used by MS processes.
> >
> > > The ramp up in volume from widely separated source
> > > IPs looks wormy.
> >
> > How so? The log extract you provided doesn't show any
> > data...it looks as if the initial SYN packet was
> > denied. This could easily be a port scanner.
> >
> >
> > __________________________________________________
> > Do You Yahoo!?
> > Yahoo! Autos - Get free new car price quotes
> > http://autos.yahoo.com
> >
> >
>
------------------------------------------------------------------------

--
> --
> > This list is provided by the SecurityFocus ARIS analyzer service.
> > For more information on this free incident handling, management
> > and tracking system please see: http://aris.securityfocus.com
> >