Re: Unusually persistent FTP activity.

From: RainbowHat (nHiATlE@blSackholeP.mAit.edMu.invalid)
Date: 05/18/02

From: RainbowHat <nHiATlE@blSackholeP.mAit.edMu.invalid>
Date: Sat, 18 May 2002 19:51:23 +0000 (UTC)

< D. Stimits
>RainbowHat wrote:

>> Just my imagination from no raw data. I imagine it's a Micro$hit
>> closed source Windoze feature of "Net Crawler" and "Web Crawl".

"Net|Web Crawl" behaves like a virus or worm but is not a virus or worm,
just a feature. Norton AntiVirus doesn't alert.

>> Monitoring outbound packets and analyzing timeline that is regular
>> interval or random will help you.

# for debug purposes only: log every outbound FTP control connection
# (-o, not -i: the OUTPUT chain has no input interface to match on)
$IPTABLES -I OUTPUT -o $EXTERNAL -p tcp --dport 21 -j LOG

# outbound packets carry DPT=21; pull the syslog timestamps (first 15
# columns) to see whether the interval is regular or random
grep 'DPT=21' /var/log/messages | cut -b 1-15

Use `Regedit.exe` (Yes, I know this is off topic for c.o.linux.s).
>> Hkey_Current_User\Software\Microsoft\Windows\CurrentVersion\Explorer\
>> WorkgroupCrawler
>> NetCrawl
>> WebCrawl

>Just wondering, wouldn't such services use ports 137 through 139? In
>this case it is ftp port.

You are correct. The SMB file-sharing protocol uses TCP|UDP 137:139. The
above was just my intuition, because the raw data, the Windoze source and
the back channel are all closed. We need experimentation to

Windoze-----Linux-----+--------------21:ftpd control Taiwan
            iptables | <-- ACK-FIN (close for some reason)
                      | SYN -->
                      +--------------21:ftpd control Spain
                         <-- ACK-SYN

If this is not a scan, backscatter traffic or DNS poisoning, ACK-SYN
occurs in the 3-way handshake and FIN-ACK occurs in the normal close
sequence. I'm wondering, and it is interesting, why iptables didn't
recognize ESTABLISHED

Date Fri, 5 Apr 2002 06:59:41 -0800
From "Eric Weaver" <>
Message-ID <000001c1dcb2$84c1d730$f102020a@acacia.ids2.private>
To <>
|Appears to be target port 21 and/or spreading via SMB...
|06:29:17.078874 > S
|3272713560:3272713560(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)

Subject Re: Probes to previously accessed FTPs and UNCs in XP
Date Sat, 13 Apr 2002 02:36:53 -0400
From Matt Scarborough <>
Message-ID <>
Cc <>

Regards, RainbowHat. To spoof or not to spoof, that is the IPv4 packet.
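The timeline analysis suggested in the post (log outbound port 21 with an iptables OUTPUT rule, then look at the timestamps) carried through as an added example; this is not code from the original thread or its participants. It parses the LOG lines such a rule leaves in /var/log/messages, counts one connection attempt per (SRC, SPT, DST, DPT) so that retransmitted SYNs and the ACK/data packets of the same session do not inflate the count, and reports per ftpd host whether the gaps between attempts are fixed-interval or irregular. The sample log lines, the hosts and addresses (standing in for the "Taiwan" and "Spain" ftpd hosts), the year 2002 used to complete the syslog timestamps, and the 0.2 coefficient-of-variation threshold are all constructed for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample (not from the thread): what an OUTPUT-chain LOG rule for
# --dport 21 leaves in /var/log/messages. 198.51.100.7 plays the "Taiwan" ftpd,
# 203.0.113.22 the "Spain" ftpd. Line 2 is a retransmitted SYN of the first
# attempt, line 3 the ACK of the same session; both must not count as attempts.
SAMPLE_LOG = """\
May 18 19:00:00 gw kernel: IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=101 DF PROTO=TCP SPT=1045 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0
May 18 19:00:03 gw kernel: IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=102 DF PROTO=TCP SPT=1045 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0
May 18 19:00:04 gw kernel: IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=103 DF PROTO=TCP SPT=1045 DPT=21 WINDOW=17520 RES=0x00 ACK URGP=0
May 18 19:01:13 gw kernel: IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.22 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=104 DF PROTO=TCP SPT=1046 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0
May 18 19:02:41 gw kernel: IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.22 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=105 DF PROTO=TCP SPT=1047 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0
May 18 19:10:00 gw kernel: IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=106 DF PROTO=TCP SPT=1048 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0
May 18 19:20:00 gw kernel: IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=107 DF PROTO=TCP SPT=1049 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0
May 18 19:27:05 gw kernel: IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.22 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=108 DF PROTO=TCP SPT=1050 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0
May 18 19:29:10 gw kernel: IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.22 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=109 DF PROTO=TCP SPT=1051 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0
May 18 19:30:00 gw kernel: IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=110 DF PROTO=TCP SPT=1052 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0
"""

# syslog timestamp, host, then the fields of a kernel iptables LOG record;
# the TCP flags sit between RES=... and URGP= (e.g. "SYN", "ACK", "ACK SYN")
LOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: .*?'
    r'SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+) '
    r'.*?RES=\S+ (?P<flags>[A-Z ]+?) URGP=')


def parse_log(text, year=2002):
    """Yield (timestamp, src, spt, dst, dpt, flags) per iptables LOG line.
    syslog omits the year, so one is assumed (2002 here, matching the thread)."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y")
        yield ts, m['src'], int(m['spt']), m['dst'], int(m['dpt']), set(m['flags'].split())


def connection_attempts(text, dport=21):
    """Sorted first-SYN times per destination: one entry per (src, spt, dst, dpt),
    so retransmitted SYNs collapse and ACK/data packets are ignored."""
    first_syn = {}
    for ts, src, spt, dst, dpt, flags in parse_log(text):
        if dpt != dport or 'SYN' not in flags or 'ACK' in flags:
            continue
        key = (src, spt, dst, dpt)
        if key not in first_syn or ts < first_syn[key]:
            first_syn[key] = ts
    per_dst = defaultdict(list)
    for (_src, _spt, dst, _dpt), ts in first_syn.items():
        per_dst[dst].append(ts)
    return {dst: sorted(times) for dst, times in per_dst.items()}


def classify_timeline(times, max_cv=0.2):
    """Return (gaps in seconds, verdict). A low coefficient of variation of the
    gaps points at a timer-driven, fixed-interval pattern; a high one at
    irregular (user- or event-driven) activity. The 0.2 cut-off is assumed."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return gaps, 'too few samples'
    mean = statistics.mean(gaps)
    cv = statistics.stdev(gaps) / mean if mean else float('inf')
    return gaps, 'regular' if cv <= max_cv else 'irregular'


def analyze(text, dport=21):
    """Per-destination timeline verdicts for the outbound ftpd connections."""
    return {dst: classify_timeline(times)
            for dst, times in connection_attempts(text, dport).items()}


if __name__ == '__main__':
    for dst, (gaps, verdict) in analyze(SAMPLE_LOG).items():
        print(f"{dst}: {len(gaps) + 1} attempts, gaps {gaps} s -> {verdict}")
```

Run against the real file with `analyze(open('/var/log/messages').read())`; the dedup key matters because a SYN that gets no ACK-SYN back is retransmitted several times and would otherwise look like a burst of separate attempts.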