Re: Unusually persistent FTP activity.

From: RainbowHat (nHiATlE@blSackholeP.mAit.edMu.invalid)
Date: 05/18/02


< D. Stimits
>RainbowHat wrote:

>> Just my imagination from no raw data. I imagine it's a Micro$hit
>> closed source Windoze feature of "Net Crawler" and "Web Crawl".

"Net|Web Crawl" behaves like a virus or worm but is not a virus or worm,
just a feature. Norton Anti-Virus doesn't alert.

>> Monitoring outbound packets and analyzing timeline that is regular
>> interval or random will help you.

# for debug purpose only: log every outbound packet to TCP port 21
# (the OUTPUT chain has no input interface, so match the interface with -o, not -i)
$IPTABLES -I OUTPUT -o $EXTERNAL -p tcp --dport 21 -j LOG

# the rule above logs DPT=21 lines; the first 15 bytes of each are the syslog timestamp
grep 'DPT=21' /var/log/messages | cut -b 1-15

Use `Regedit.exe` (Yes, I know this is off topic for c.o.linux.s).
 
>> Hkey_Current_User\Software\Microsoft\Windows\CurrentVersion\Explorer\
>> WorkgroupCrawler
>> NetCrawl
>> WebCrawl

>Just wondering, wouldn't such services use ports 137 through 139? In
>this case it is ftp port.

You are correct. The SMB file-sharing protocol uses TCP|UDP 137:139. The
above was just my intuition, because the raw data, the Windoze source and
the back channel are all closed. We need black-box experimentation.

Windoze-----Linux-----+--------------21:ftpd control Taiwan
            iptables | <-- ACK-FIN (close for some reason)
                      |
                      | SYN -->
                      +--------------21:ftpd control Spain
                         <-- ACK-SYN

If this is not a scan, backscatter traffic or DNS poisoning, the ACK-SYN
occurs in a 3-way handshake and the FIN-ACK occurs in a normal close
sequence. I'm wondering, and find it interesting, why iptables didn't
recognize the ESTABLISHED state.

Subject: POSSIBLE WORM / DDOS ?
Date: Fri, 5 Apr 2002 06:59:41 -0800
From: "Eric Weaver" <eric.weaver@ids2.net>
Message-ID: <000001c1dcb2$84c1d730$f102020a@acacia.ids2.private>
To: <Incidents@securityfocus.com>
|Appears to be target port 21 and/or spreading via SMB...
|06:29:17.078874 10.2.2.241.1890 > 204.152.189.113.21: S
|3272713560:3272713560(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)

Subject: Re: Probes to previously accessed FTPs and UNCs in XP
Date: Sat, 13 Apr 2002 02:36:53 -0400
From: Matt Scarborough <vexversa@usa.net>
Message-ID: <20020413063653.5680.qmail@uwdvg023.cms.usa.net>
Cc: <incidents@securityfocus.com>

-- 
Regards, RainbowHat. To spoof or not to spoof, that is the IPv4 packet.
----+----1----+----2----+----3----+----4----+----5----+----6----+----7
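To put the "regular interval or random" timeline idea from the post above into practice, here is an added example (not RainbowHat's code) that parses iptables LOG lines from syslog, keeps only the outbound SYNs to port 21, and judges whether the gaps between attempts look timer-driven or random. The log lines, host name, interface, addresses and the 0.25 coefficient-of-variation threshold are all constructed assumptions for this example.

```python
import re
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample syslog lines in the format the iptables LOG target writes;
# host name, interface and addresses are made up for this example.
SAMPLE_LOG = """\
May 18 19:00:01 gw kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=1890 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0
May 18 19:00:01 gw kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=1890 DPT=21 WINDOW=17520 RES=0x00 ACK URGP=0
May 18 19:00:31 gw kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.6 PROTO=TCP SPT=1891 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0
May 18 19:01:01 gw kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=1892 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0
May 18 19:01:31 gw kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.8 PROTO=TCP SPT=1893 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0
May 18 19:01:40 gw kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 PROTO=TCP SPT=1894 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
"""

TS_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) ")
DPT_RE = re.compile(r"\bDPT=(\d+)\b")

def ftp_syn_times(log_text, year=2002):
    """Timestamps of outbound connection attempts to TCP port 21: only the
    opening SYN of each handshake, so ACK/data packets the same LOG rule records
    do not distort the timeline."""
    times = []
    for line in log_text.splitlines():
        ts, dpt = TS_RE.match(line), DPT_RE.search(line)
        if not ts or not dpt or dpt.group(1) != "21":
            continue
        # iptables LOG prints TCP flags as bare words (SYN, ACK, FIN, ...)
        if not re.search(r"\bSYN\b", line) or re.search(r"\bACK\b", line):
            continue
        # syslog timestamps carry no year; supply the one the log was taken in
        stamp = datetime.strptime(ts.group(1), "%b %d %H:%M:%S")
        times.append(stamp.replace(year=year))
    return times

def intervals(times):
    """Seconds between consecutive connection attempts."""
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]

def classify(gaps, max_cv=0.25):
    """'regular' when stdev/mean of the gaps is at or below max_cv (a timer-like
    pattern), otherwise 'random'; the 0.25 threshold is an assumption."""
    if len(gaps) < 2:
        return "insufficient data"
    avg = mean(gaps)
    if avg == 0:
        return "burst"
    return "regular" if pstdev(gaps) / avg <= max_cv else "random"
```

Against a real log, feed the file contents to `ftp_syn_times` and pass the result through `intervals` and `classify`; on SAMPLE_LOG the four SYNs are 30 seconds apart, so it reports "regular".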