RE: P2P applications scanning? Trojan? Malicious users?

From: Alessandro Volpi (Info_at_AVolpi.com)
Date: 10/08/03

    To: "'Jeff Kell'" <jeff-kell@utc.edu>, "'Incidents'" <incidents@securityfocus.com>
    Date: Wed, 8 Oct 2003 16:49:11 +0200

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Hi Jeff, Hi all...
    In a similar situation I got some help from Nessus...
    Assuming that you are running it in an environment that is an MS Domain and you can use an account with "Domain Admin" or "Enterprise Admin", you can configure some plug-ins of Nessus to use these credentials to enumerate the running processes of the remote MS host...
    You can then check out the list of what is running to find out what can be considered suspicious...

    Good luck... as I had working out this issue! :)

    Alessandro Volpi
    MCP, CCNA

    Pretty Good Privacy FingerPrint: 2358 B960 06E4 3440 DFFB FD5A 40DE 3492 8E20 EFE5

    > -----Original Message-----
    > From: Jeff Kell [mailto:jeff-kell@utc.edu]
    > Sent: Tuesday, October 07, 2003 8:10 PM
    > To: Incidents
    > Subject: P2P applications scanning? Trojan? Malicious users?
    >
    >
    > During the outbreak of Blaster/Nachi/Welchia, we installed a
    > tarpit on the dorm network to catch the scans that each performed. It was
    > relatively effective, especially after we automated analysis of the logs
    > and programmatically switched off infected ports.
    >
    > However, a side effect of the tarpit, now that things are settling
    > down, is that I am seeing very peculiar scans being performed by other
    > systems in the dorms. I have seen scans on obvious P2P ports (tcp/1214
    > for example) but some equally strange scans that I have been unable to
    > pinpoint or google a clue. Many of these go trapped for days (or
    > weeks). They are not full-subnet scans (well, possibly a class C) and
    > they tend to grow over time.
    >
    > Does anyone know of P2P, or P2P helper applications that perform this
    > type of scan? We are a bit hesitant to shut them down without some clue
    > as to what they are doing, and if it is intentional or some new
    > application that is "working as designed".
    >
    > Some of the ports currently being scanned now (all TCP, the tarpit
    > doesn't catch UDP, generally speaking):
    >
    > 1064
    > 1354
    > 1416
    > 2138
    > 2141
    > 2414
    > 2622
    > 2657
    > 3111
    > 3174
    > 3947
    > 1658
    >
    > Some of these have hundreds of threads captured dating back a week (and
    > growing slowly but daily).
    >
    > Jeff Kell
    > Network Services/ISO
    > University of Tennessee at Chattanooga
    >

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.0.2

    iQCVAwUBP4Qj4UDeNJKOIO/lAQKnTQP/dmyuMdzpM7KaFfXhTM4/W1qxUA+hxIaa
    KIjY3lw2P9xXWy7Y6SR7qB0Wg0opyXiC+ebMPURE/WjQZA7kRJTYmhwKzZg6VKRa
    BzATMswYzVk/8mYKh49ra3otQYtTkoeq03ZLOANblM0KDjWb2xV9yt+Eru0tAjXo
    Jb8nw9oMv+k=
    =4mxn
    -----END PGP SIGNATURE-----
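An added example, not part of Alessandro's reply or Jeff's post: a small Python script that does the kind of automated tarpit-log analysis Jeff describes, grouping captured connections by source host and destination port, counting distinct targets and captured threads, and flagging scans that keep growing across days. The log format, the sample lines and the helper names (parse_log, summarise, triage, KNOWN_P2P_PORTS) are constructed for illustration; tcp/1214 is the port the thread cites as an obvious P2P port (FastTrack/Kazaa), and 1064 and 2138 are taken from Jeff's port list.

```python
"""Triage tarpit captures by source host and destination port.

Added example, not from the mailing-list post. The log format is an
assumption: one line per captured TCP connection ("thread"), of the form
    <ISO timestamp> <src_ip> <dst_ip> <dst_port>
"""
from collections import defaultdict
from datetime import datetime

# Ports the thread calls out as obvious P2P (tcp/1214 = FastTrack/Kazaa).
KNOWN_P2P_PORTS = {1214: "FastTrack/Kazaa"}

# Constructed sample log; 1064 and 2138 are ports from the original post.
SAMPLE_LOG = """\
2003-10-01T08:00:01 10.1.5.20 10.1.9.3 1214
2003-10-01T08:00:02 10.1.5.20 10.1.9.4 1214
2003-10-01T08:00:03 10.1.5.20 10.1.9.5 1214
2003-10-01T09:12:44 10.1.7.77 10.1.9.3 2138
2003-10-02T09:13:01 10.1.7.77 10.1.9.40 2138
2003-10-03T09:13:30 10.1.7.77 10.1.9.41 2138
2003-10-04T09:14:02 10.1.7.77 10.1.9.42 2138
2003-10-04T09:14:10 10.1.7.77 10.1.9.43 2138
2003-10-04T11:00:00 10.1.8.8 10.1.9.3 1064
"""


def parse_log(text):
    """Yield (timestamp, src, dst, port) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            port = int(parts[3])
        except ValueError:
            continue
        yield ts, parts[1], parts[2], port


def summarise(text):
    """Group captures by (src, port): distinct targets, thread count, first/last seen."""
    summary = {}
    for ts, src, dst, port in parse_log(text):
        entry = summary.setdefault(
            (src, port), {"targets": set(), "threads": 0, "first": ts, "last": ts})
        entry["targets"].add(dst)
        entry["threads"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    return summary


def triage(text, min_targets=3, min_days=2):
    """Report each (src, port) pair that hit at least min_targets distinct hosts.

    Each finding labels the port as a known P2P port or "unknown" and marks the
    scan persistent when captures span at least min_days calendar days, the
    "growing over time" pattern described in the post. Sorted by thread count.
    """
    findings = []
    for (src, port), e in summarise(text).items():
        if len(e["targets"]) < min_targets:
            continue
        span_days = (e["last"].date() - e["first"].date()).days + 1
        findings.append({
            "src": src,
            "port": port,
            "label": KNOWN_P2P_PORTS.get(port, "unknown"),
            "targets": len(e["targets"]),
            "threads": e["threads"],
            "persistent": span_days >= min_days,
        })
    findings.sort(key=lambda f: (-f["threads"], f["src"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        flag = "PERSISTENT" if f["persistent"] else "burst"
        print(f"{f['src']} -> tcp/{f['port']} ({f['label']}): "
              f"{f['targets']} hosts, {f['threads']} threads, {flag}")
```

On the sample data this reports 10.1.7.77 scanning tcp/2138 (unknown port) against five hosts over four days as persistent, and 10.1.5.20 hitting tcp/1214 on three hosts in a single burst; the lone 10.1.8.8 capture on 1064 falls below the target threshold and is left for manual review rather than automatic port shutdown.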


