Outgoing connections to ports 22226 and 22227

From: Gereon Volker (gvolker_at_freenet.de)
Date: 08/25/03

    To: <incidents@securityfocus.com>
    Date: Mon, 25 Aug 2003 20:40:43 +0200
    
    

    Hi,

    Over the past couple of days I've noticed an increase in outgoing connections,
    mostly to ports 22226 and 22227, from my Windows 2000 honeypot (no service
    packs or hot fixes applied). The source port of these connections is between
    1033 and 1050. Today the destination ports were 509, 1466, 3019, 7140,
    10919, 11030, 14859, 16710.

    All outbound connections are triggered via inbound connections to port 139
    and/or 445. The attacker uses the IPC$ share to connect.

    Some of the "attackers" drop the file winhlpp32.exe (known from
    W32.HLLW.Gaobot.P worm) in the system32 directory, others kill the
    RPC-service. The size of the file varies from 3 kb to 55 kb.

    Most of the IP addresses are dial-up connections.

    All connections to port 135 are blocked by the firewall.

    Has anybody else seen similar things?

    Sorry for my lame English.

    Gereon

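The correlation Gereon describes (an inbound SMB connection on 139/445 followed shortly by an outbound connection from the honeypot to 22226/22227) as detection logic run over constructed connection-log lines. This is an added example, not code from the original thread; the log format, the honeypot address 10.0.0.5 and the 5-minute correlation window are assumptions.

```python
from datetime import datetime, timedelta

SMB_PORTS = {139, 445}          # inbound ports the post says trigger the activity
BEACON_PORTS = {22226, 22227}   # outbound destination ports observed on the honeypot
WINDOW = timedelta(minutes=5)   # assumed: how long after the SMB hit we correlate

# Constructed sample log in an assumed "date time DIR src:port -> dst:port" format.
SAMPLE_LOG = """\
2003-08-25 19:02:11 IN  203.0.113.7:4012 -> 10.0.0.5:445
2003-08-25 19:02:13 OUT 10.0.0.5:1034 -> 203.0.113.7:22227
2003-08-25 19:10:40 IN  198.51.100.9:3333 -> 10.0.0.5:139
2003-08-25 19:10:42 OUT 10.0.0.5:1041 -> 198.51.100.9:22226
2003-08-25 19:30:00 OUT 10.0.0.5:1050 -> 192.0.2.10:22226
2003-08-25 19:45:00 IN  192.0.2.44:1122 -> 10.0.0.5:80
2003-08-25 19:45:02 OUT 10.0.0.5:1039 -> 192.0.2.44:22227
"""

def parse_line(line):
    """Parse one log line of the assumed format into a dict of typed fields."""
    date, time, direction, src, _, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "dir": direction, "sip": sip, "sport": int(sport),
            "dip": dip, "dport": int(dport)}

def find_triggered_beacons(log_text, honeypot):
    """One alert per outbound connection from the honeypot to a beacon port,
    flagging whether the same peer hit SMB (139/445) on the honeypot within WINDOW."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    smb_hits = [e for e in events
                if e["dir"] == "IN" and e["dip"] == honeypot and e["dport"] in SMB_PORTS]
    alerts = []
    for e in events:
        if e["dir"] != "OUT" or e["sip"] != honeypot or e["dport"] not in BEACON_PORTS:
            continue
        preceded = any(h["sip"] == e["dip"] and timedelta(0) <= e["ts"] - h["ts"] <= WINDOW
                       for h in smb_hits)
        alerts.append({"ts": e["ts"], "peer": e["dip"], "sport": e["sport"],
                       "dport": e["dport"], "after_smb": preceded})
    return alerts

if __name__ == "__main__":
    for a in find_triggered_beacons(SAMPLE_LOG, "10.0.0.5"):
        tag = "SMB-triggered" if a["after_smb"] else "no prior SMB hit"
        print(f"{a['ts']} {a['peer']}:{a['dport']} from sport {a['sport']} ({tag})")
```

Alerts with `after_smb` set match the pattern in the post; the other two show the same outbound port without the preceding SMB contact and merit separate review.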

