Re: Unusually persistent FTP activity.

From: RainbowHat (nHiATlE@blSackholeP.mAit.edMu.invalid)
Date: 05/18/02


From: RainbowHat <nHiATlE@blSackholeP.mAit.edMu.invalid>
Date: Sat, 18 May 2002 19:51:23 +0000 (UTC)


< D. Stimits
>RainbowHat wrote:

>> Just my imagination from no raw data. I imagine it's a Micro$hit
>> closed source Windoze feature of "Net Crawler" and "Web Crawl".

"Net|Web Crawl" behaves like a virus or worm but is not a virus or worm,
just a feature. Norton AntiVirus doesn't alert.

>> Monitoring outbound packets and analyzing the timeline, whether it is a
>> regular interval or random, will help you.

# for debug purpose only: log every outbound packet to an FTP control port.
# In the OUTPUT chain the interface option is -o (outgoing interface);
# -i is only valid in INPUT, FORWARD and PREROUTING and iptables rejects it
# here. Packets forwarded from the Windows box traverse FORWARD, not OUTPUT,
# so log there as well if the Linux box is the router. Add --syn to log only
# connection attempts instead of every packet.
$IPTABLES -I OUTPUT -o $EXTERNAL -p tcp --dport 21 -j LOG

# the rule matches --dport 21, so the log field to grep is DPT=21 (SPT=21
# would be replies from an FTP server); cut keeps the syslog timestamp
grep 'DPT=21' /var/log/messages | cut -b'1-15'

Use `Regedit.exe` (Yes, I know this is off topic for c.o.linux.s).
 
>> Hkey_Current_User\Software\Microsoft\Windows\CurrentVersion\Explorer\
>> WorkgroupCrawler
>> NetCrawl
>> WebCrawl

>Just wondering, wouldn't such services use ports 137 through 139? In
>this case it is ftp port.

You are correct. The SMB file sharing protocol uses TCP|UDP 137:139. The
above was just my intuition, because the raw data is closed, Windoze is
closed source, and the back channel is closed. We need experimentation to
black-box it.

Windoze-----Linux-----+--------------21:ftpd control Taiwan
            iptables | <-- ACK-FIN (close for some reason)
                      |
                      | SYN -->
                      +--------------21:ftpd control Spain
                         <-- ACK-SYN

If this is not a scan, backscatter traffic or DNS poisoning, the SYN-ACK
means a 3-way handshake occurred, and the FIN-ACK means a normal close
sequence occurred. I'm wondering, and find it interesting, why iptables
didn't recognize the ESTABLISHED state.

Subject POSSIBLE WORM / DDOS ?
Date Fri, 5 Apr 2002 06:59:41 -0800
From "Eric Weaver" <eric.weaver@ids2.net>
Message-ID <000001c1dcb2$84c1d730$f102020a@acacia.ids2.private>
To <Incidents@securityfocus.com>
|Appears to be target port 21 and/or spreading via SMB...
|06:29:17.078874 10.2.2.241.1890 > 204.152.189.113.21: S
|3272713560:3272713560(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)

Subject Re: Probes to previously accessed FTPs and UNCs in XP
Date Sat, 13 Apr 2002 02:36:53 -0400
From Matt Scarborough <vexversa@usa.net>
Message-ID <20020413063653.5680.qmail@uwdvg023.cms.usa.net>
Cc <incidents@securityfocus.com>

-- 
Regards, RainbowHat. To spoof or not to spoof, that is the IPv4 packet.
----+----1----+----2----+----3----+----4----+----5----+----6----+----7
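The timeline analysis suggested in the post above (regular interval or random), carried out over iptables LOG output, as an added example that is not part of the original post. The log lines are constructed for illustration; the field layout (IN= OUT= SRC= DST= ... PROTO= SPT= DPT= ... SYN) is the real iptables LOG target format, and the hostname "gw", interface "eth0" and the coefficient-of-variation threshold are assumptions. It goes beyond the single grep in the post by grouping per destination and checking only the SYN of each connection attempt.

```python
# Added example, not from the original post: parse iptables LOG lines for
# outbound SYNs to TCP port 21 and judge, per destination, whether the
# connection attempts recur at a regular interval (a timer-driven feature or
# retry loop) or at random. Hostname "gw", interface "eth0" and the
# max_cv threshold are assumptions for the example.
import re
import statistics
from datetime import datetime

# Constructed sample of /var/log/messages (no year, as in syslog).
# Two outbound targets on port 21, one ACK-only line, one port-80 line.
SAMPLE_LOG = """\
May 18 19:00:00 gw kernel: IN= OUT=eth0 SRC=192.168.1.2 DST=203.0.113.21 LEN=48 TTL=127 ID=1 DF PROTO=TCP SPT=1890 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0
May 18 19:00:00 gw kernel: IN= OUT=eth0 SRC=192.168.1.2 DST=203.0.113.21 LEN=40 TTL=127 ID=2 DF PROTO=TCP SPT=1890 DPT=21 WINDOW=17520 RES=0x00 ACK URGP=0
May 18 19:03:17 gw kernel: IN= OUT=eth0 SRC=192.168.1.2 DST=198.51.100.7 LEN=48 TTL=127 ID=3 DF PROTO=TCP SPT=1901 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0
May 18 19:05:00 gw kernel: IN= OUT=eth0 SRC=192.168.1.2 DST=203.0.113.21 LEN=48 TTL=127 ID=4 DF PROTO=TCP SPT=1902 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
May 18 19:10:00 gw kernel: IN= OUT=eth0 SRC=192.168.1.2 DST=203.0.113.21 LEN=48 TTL=127 ID=5 DF PROTO=TCP SPT=1903 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0
May 18 19:20:00 gw kernel: IN= OUT=eth0 SRC=192.168.1.2 DST=203.0.113.21 LEN=48 TTL=127 ID=6 DF PROTO=TCP SPT=1904 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0
May 18 19:30:00 gw kernel: IN= OUT=eth0 SRC=192.168.1.2 DST=203.0.113.21 LEN=48 TTL=127 ID=7 DF PROTO=TCP SPT=1905 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0
May 18 19:41:52 gw kernel: IN= OUT=eth0 SRC=192.168.1.2 DST=198.51.100.7 LEN=48 TTL=127 ID=8 DF PROTO=TCP SPT=1906 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0
May 18 19:47:05 gw kernel: IN= OUT=eth0 SRC=192.168.1.2 DST=198.51.100.7 LEN=48 TTL=127 ID=9 DF PROTO=TCP SPT=1907 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0
May 18 20:31:30 gw kernel: IN= OUT=eth0 SRC=192.168.1.2 DST=198.51.100.7 LEN=48 TTL=127 ID=10 DF PROTO=TCP SPT=1908 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: (?P<rest>.*)$")


def parse_log(text):
    """Turn iptables LOG lines into dicts; lines that don't match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        tokens = m.group("rest").split()
        fields = dict(t.split("=", 1) for t in tokens if "=" in t)
        fields["flags"] = {t for t in tokens if "=" not in t}  # DF, SYN, ACK, ...
        fields["ts"] = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        records.append(fields)
    return records


def outbound_ftp_syns(records, out_if="eth0"):
    """Keep only the initial SYN (no ACK) of outbound TCP connections to port 21."""
    return [r for r in records
            if r.get("OUT") == out_if and r.get("PROTO") == "TCP"
            and r.get("DPT") == "21"
            and "SYN" in r["flags"] and "ACK" not in r["flags"]]


def intervals_by_dst(syns):
    """Seconds between successive connection attempts, per destination."""
    stamps_by_dst = {}
    for r in syns:
        stamps_by_dst.setdefault(r["DST"], []).append(r["ts"])
    result = {}
    for dst, stamps in stamps_by_dst.items():
        stamps.sort()  # syslog order is arrival order, but be safe
        result[dst] = [int((b - a).total_seconds())
                       for a, b in zip(stamps, stamps[1:])]
    return result


def classify(intervals, max_cv=0.1):
    """'regular' when the spread of intervals is small relative to their mean."""
    if len(intervals) < 2:
        return "insufficient"  # need at least three attempts to judge
    mean = statistics.mean(intervals)
    if mean == 0:
        return "burst"  # all attempts within the same second
    cv = statistics.stdev(intervals) / mean
    return "regular" if cv <= max_cv else "random"


def analyze(text, out_if="eth0"):
    """Map destination -> (attempt count, intervals in seconds, verdict)."""
    syns = outbound_ftp_syns(parse_log(text), out_if)
    return {dst: (len(ivals) + 1, ivals, classify(ivals))
            for dst, ivals in intervals_by_dst(syns).items()}


if __name__ == "__main__":
    for dst, (n, ivals, verdict) in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{dst:16} attempts={n} intervals={ivals} -> {verdict}")
```

Run it against the real file with `analyze(open("/var/log/messages").read())`; a destination that comes back "regular" with a ten-minute period is the signature of a timer, while "random" with long gaps looks more like user-driven retries.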


