RE: Out of my league.....

From: David Gillett (gillettdavid_at_fhda.edu)
Date: 01/08/04

    To: "'Jeff Johnson'" <jjohnson@redoakgroup.com>, <security-basics@securityfocus.com>
    Date: Thu, 8 Jan 2004 10:05:49 -0800
    
    

      Ports 139 (NetBIOS session) and 445 (CIFS) are the ports used
    by Windows File/Printer sharing. In all but a few strange cases,
    they should be blocked at your gateway, which it sounds like they
    are.

      But the real question is: Why would some of your internal
    machines be trying to use these ports to connect to outside
    hosts???
      There are four basic answers:

    1. You're allowing inbound traffic on port 137 (and maybe 138?)
    which is adding external machines to your Network Neighborhood.
    (These ports -- UDP as well as TCP -- should also be blocked.)

    2. You've got users actually trying to mount shared drives from
    remote hosts, perhaps by IP address.

    3. You've got malware trying to download additional components
    from some previously-infested locations, or upload results such
    as keylogger data.

    4. You've got something else -- perhaps peer-to-peer music
    sharing? -- trying to pretend to be normal Windows sharing
    (although the PID you report makes this one unlikely).

      Since the firewall is blocking it, it's probably not a top
    priority, but I think the corrective actions for each of these
    are pretty obvious.

    David Gillett

    > -----Original Message-----
    > From: Jeff Johnson [mailto:jjohnson@redoakgroup.com]
    > Sent: January 7, 2004 13:16
    > To: security-basics@securityfocus.com
    > Subject: Out of my league.....
    >
    >
    > Hello. My ignorance will be vivid here....
    >
    > I'm currently doing marketing at a small office, but, as I'm
    > technically
    > inclined enough to be dangerous, in my spare time do the IS
    > support as well.
    > They had an outside consultant set up the system, and he had
    > done other
    > setups/management when needed, but, is no longer available.
    > He'd set up the
    > network with a Symantec VPN/Firewall appliance as the
    > external gateway, but
    > had opened up ports to a server inside the network which is currently
    > hosting the email server (Xmail), DNS, as well as a simple
    > web app to do
    > web-mail checking for employees from the outside. Also
    > opened ports for
    > ssl, termserver, ftp, smtp, and pop3, and another port for
    > remote admin.
    >
    > Looked a bit insecure for me when I noticed it, so, I
    > installed ZoneAlarm on
    > this server inside the network, which is currently working.
    > Plans are to
    > move the web serving onto another server which will be put
    > into a DMZ. After
    > noticing these open ports, I also decided to pay more attention to the
    > firewall logs, and noticed not just the normal external port
    > scan attack
    > blocks, but also that a couple of computers, including the
    > company server,
    > are attempting to access outside IPs using closed port calls
    > (therefore, the
    > firewall catches and logs them). These blocks come with the
    > message Block
    > host "" internet access, and are typically using ports 139 &
    > 445. Looked
    > suspicious, so, I ran an fport scan on the server, and it did
    > show ports 139
    > & 445 open, but, shows that the Pid is 8 (the
    > system).....Also did some
    > ethereal scan of the network, and it does show that the
    > server is trying to
    > access this specific external ip address.
    >
    > My question is (kudos if you've patiently read everything so
    > far), how do I
    > find out what this process is that is trying to do these
    > accesses, or am I
    > being overly paranoid. As you can most likely tell from
    > this, I'm not the
    > most technically adept IT support person, so, I'd also appreciate
    > references/suggestions on materials to help me out here.
    >
    > Thanks in advance to all.
    >
    > Jeff
    >
    >
    >
    > --------------------------------------------------------------
    > -------------
    > Ethical Hacking at InfoSec Institute. Mention this ad and get
    > $720 off any
    > course! All of our class sizes are guaranteed to be 10
    > students or less.
    > We provide Ethical Hacking, Advanced Ethical Hacking,
    > Intrusion Prevention,
    > and many other technical hands on courses.
    > Visit us at http://www.infosecinstitute.com/securityfocus to
    > get $720 off
    > any course!
    > --------------------------------------------------------------
    > --------------
    >


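The thread's practical problem is separating the routine inbound scan noise in the gateway log from the interesting reverse case: an internal host trying to reach an outside address on 137/138/139/445. The script below is an added example, not code from either poster or from the Symantec appliance; it parses a constructed log in an invented line format (the real appliance format is not given in the thread), keeps only blocked-or-allowed outbound attempts from RFC 1918 space to external addresses on the sharing ports, and ranks the internal hosts that need a closer look (fport/netstat on the box, as the original poster did). The internal ranges and the log layout are assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Windows file/printer sharing ports named in the thread:
# 137 (NetBIOS name), 138 (NetBIOS datagram), 139 (NetBIOS session), 445 (CIFS)
SMB_PORTS = {137, 138, 139, 445}

# Assumption: the office LAN uses RFC 1918 space; anything else counts as "outside"
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample firewall log. The line format is invented for this example;
# it is not the Symantec appliance's real log format.
SAMPLE_LOG = """\
2004-01-07 09:12:01 BLOCK TCP 192.168.1.10:1034 -> 203.0.113.5:445
2004-01-07 09:12:03 BLOCK TCP 192.168.1.10:1035 -> 203.0.113.5:139
2004-01-07 09:15:44 BLOCK TCP 192.168.1.23:2201 -> 198.51.100.7:445
2004-01-07 09:16:02 ALLOW TCP 192.168.1.23:2202 -> 198.51.100.9:80
2004-01-07 09:20:17 BLOCK TCP 198.51.100.33:4412 -> 192.168.1.10:139
2004-01-07 09:21:05 BLOCK UDP 192.168.1.10:137 -> 203.0.113.5:137
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|BLOCK) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def is_internal(addr: str) -> bool:
    """True if addr falls in one of the configured internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_outbound_smb(log_text: str):
    """Return events where an internal host tries to reach an external host on a sharing port.

    Inbound probes (external source address) are ignored: that is the routine scan
    noise the thread mentions; the interesting direction is internal -> external.
    """
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (is_internal(rec["src"]) and not is_internal(rec["dst"])
                and rec["dport"] in SMB_PORTS):
            events.append(rec)
    return events


def summarize(events):
    """Map each internal source host to a Counter of (destination, port) pairs."""
    by_host = defaultdict(Counter)
    for e in events:
        by_host[e["src"]][(e["dst"], e["dport"])] += 1
    return dict(by_host)


def hosts_to_investigate(events):
    """Internal hosts ordered by number of outbound sharing attempts, busiest first."""
    counts = Counter(e["src"] for e in events)
    return counts.most_common()


if __name__ == "__main__":
    found = find_outbound_smb(SAMPLE_LOG)
    per_host = summarize(found)
    for host, n in hosts_to_investigate(found):
        print(f"{host}: {n} outbound attempt(s) on ports {sorted(SMB_PORTS)}")
        for (dst, port), c in per_host[host].items():
            print(f"    -> {dst}:{port} x{c}")
```

Running it lists 192.168.1.10 first (three attempts, including a UDP 137 name query that would point at answer 1 in the reply above) and 192.168.1.23 second; the inbound 139 probe from 198.51.100.33 is deliberately not counted. On a real log you would swap `LINE_RE` for the appliance's format and feed the output into whatever host-side check you use to map the port to a process.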
