RE: Increase seen in port probes since Tuesday afternoon

From: Michael (mcwright_at_dbls.com)
Date: 12/30/04

    To: <incidents@securityfocus.com>
    Date: Thu, 30 Dec 2004 16:09:11 -0500
    
    

    We're seeing it too and believe it is part of the Gaobot/Agobot family.
    We're getting concentrated scans from multiple hosts in the same Class "B"
    subnet we're in.

    On web servers we're seeing log entries such as the following, which isn't
    new to the Gaobot/Agobot family:

    ex041226.log:2004-12-26 05:07:10 12.33.103.174 - [snip] 80 POST /_vti_bin/_vti_aut/fp30reg.dll - 500 -

    That's a FrontPage DLL from a vulnerability dating back to 11/03.

    With an IDS we get alerts for both 'WebDAV Search Access' and
    'Chunked-Encoding transfer attempts.'

    Some good links for further information are:

    http://lists.sans.org/pipermail/list/2004-December/087846.html
    http://www.lurhq.com/phatbot.html
    http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.gaobot.gen.html

    > -----Original Message-----
    > From: James C Slora Jr [mailto:Jim.Slora@phra.com]
    > Sent: Thursday, December 30, 2004 2:45 PM
    > To: 'BahdKo'; incidents@securityfocus.com
    > Subject: RE: Increase seen in port probes since Tuesday afternoon
    >
    > BahdKo wrote Thursday, December 30, 2004 04:23
    >
    > > Since Tuesday afternoon EST I've seen a dramatic increase in
    > > the number of machines probing my network on ports 2745,
    > > 1025, 3127, 6129, and usually 80. Each probe involves the
    > > machine sending three packets to each port.
    >
    > Yes from time to time. The port pattern is typical of many botnets, many of
    > which will focus multiple drones against a particular IP space for a while.
    >
    > Packet captures might reveal whether there is anything new or interesting
    > about any of the individual probes. The three packets would probably be
    > standard Syn retries. Again a packet capture would show whether or not this
    > is the case. If a destination device is listening on any of those ports, a
    > packet capture might also give an indication about whether there is some new
    > payload.
    >
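Added example, not part of the thread: a small defender-side script that picks out the fp30reg.dll POSTs from IIS W3C log lines in the layout quoted above, and flags sources that send SYN-only probes across several of the ports listed in the original report. Log lines, client addresses and the flow records are constructed samples; the field layout and port set are the page's.

```python
import re
from collections import defaultdict

# Ports named in the original report; bots tend to sweep several of them per host.
BOTNET_PORTS = {2745, 1025, 3127, 6129, 80}

# Constructed IIS W3C lines in the same layout as the one quoted in the thread
# (date time c-ip - [snip] s-port cs-method cs-uri-stem - sc-status -). IPs are made up.
SAMPLE_LOG = """\
2004-12-26 05:07:10 192.0.2.10 - [snip] 80 POST /_vti_bin/_vti_aut/fp30reg.dll - 500 -
2004-12-26 05:07:11 192.0.2.10 - [snip] 80 GET /index.html - 200 -
2004-12-26 05:09:42 198.51.100.7 - [snip] 80 POST /_vti_bin/_vti_aut/fp30reg.dll - 500 -
2004-12-26 05:10:03 203.0.113.5 - [snip] 80 GET /robots.txt - 404 -
"""

# Optional "file.log:" prefix covers grep output like the quoted line.
LOG_RE = re.compile(r"^(?:\S+\.log:)?(\S+) (\S+) (\S+) \S+ \S+ (\d+) (\S+) (\S+) \S+ (\d+)")

def parse_iis_line(line):
    """Return a dict of the fields we care about, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    date, time, ip, port, method, uri, status = m.groups()
    return {"ts": f"{date} {time}", "ip": ip, "port": int(port),
            "method": method, "uri": uri, "status": int(status)}

def find_fp30reg_posts(log_text):
    """Source IPs that POSTed to the FrontPage fp30reg.dll path, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_iis_line(line)
        if rec and rec["method"] == "POST" and rec["uri"].lower().endswith("/fp30reg.dll"):
            hits.append(rec["ip"])
    return hits

# Constructed (src_ip, dst_port, tcp_flags) records as a firewall or sensor might emit.
SAMPLE_FLOWS = [
    ("192.0.2.10", 2745, "S"), ("192.0.2.10", 1025, "S"), ("192.0.2.10", 3127, "S"),
    ("192.0.2.10", 6129, "S"), ("192.0.2.10", 80, "S"),
    ("203.0.113.5", 80, "S"), ("203.0.113.5", 80, "SA"),
]

def find_port_sweepers(flows, min_ports=3):
    """Sources whose SYN-only segments touch at least min_ports of BOTNET_PORTS."""
    seen = defaultdict(set)
    for src, port, flags in flows:
        if flags == "S" and port in BOTNET_PORTS:
            seen[src].add(port)
    return {src: sorted(ports) for src, ports in seen.items() if len(ports) >= min_ports}
```

A source that shows up in both lists (port sweep plus the fp30reg.dll POST) matches the pattern described in the thread and is a good candidate for the packet capture the earlier reply suggests.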


