Re: Odd nmap result qaz and netbios on Linux

From: NeoSadist (neosad1st_at_charter.net)
Date: 01/12/04


Date: Mon, 12 Jan 2004 07:26:13 -0700

hazzmat wrote:

> I remotely admin a system (small LAN actually) that connects to the
> Internet via DHCP on a small ISP's DSL service.
> After Christmas I contacted the gateway for this LAN and generally
> looked around to make sure everything was shipshape.
> I apply updates to it (it's Debian stable) but I hadn't logged in for a
> couple of weeks with the holidays and all. I had changed the SSH host
> key and SSH gave me the possible man-in-the-middle attack warning. (The
> firewall has the same name as a previous system but it is a new,
> different install, so I expect the key to cause a warning.)
>
> On an impulse I scanned it. Mind you, the whole LAN is Linux, not a
> Windows system in there at all, not even to visit. But the nmap scan showed
> 137/tcp filtered netbios-ns
> 138/tcp filtered netbios-dgm
> 139/tcp filtered netbios-ssn

Hmmmm. Are you sure you don't have Samba running? I'd disable and
uninstall Samba on all machines, both the client and server, and use NFS or
something else.

>
> and, more alarming, a high port listening: 7597, which nmap told me was
> associated with something called qaz, a Windows trojan.
> Now I've been unable to figure out anything amiss within the system, but
> I am unable to get to it and do something forensic like run chkrootkit
> from a live CD distribution. (I ran chkrootkit, but if it's on the same
> drive/running kernel image as the system being checked I don't know that
> you can trust it.) Nmap run from within the suspected system doesn't show
> the same ports open (the netbios crap or the qaz thing).
>
> I have not been contacting the other systems behind this
> firewall/gateway because I have been afraid that if the gateway is
> compromised, logging in to the other systems will just give the attacker the
> correct password.
>
> Tonight I tested out another idea: that the netbios crap and the qaz are
> somehow showing up from the ISP or some other system between me and the
> remote system. I ran the same nmap scan (narrowed to just what I want to
> see) on an IP address that is part of the same ISP's DSL netblock.
> Sure enough, that system has NetBIOS ports open but filtered and qaz
> (7597) listening and filtered too.
> What gives?

Hmmm....

>
> Is the ISPs gateway system insecure or cracked?

Could be ...

> Is my password to the
> firewall compromised?

Could be ...

> any enlightenment appreciated
> ~/j.

Just make sure Samba is NOT installed on ANY of your machines. That and the
lisa/lin-neighborhood stuff. Also, make sure that the firewalls on the
machines are not allowing those ports in, and that inetd/xinetd have not
got any listening ports on those ranges.

-- 
Small change can often be found under seat cushions.
                -- One of Lazarus Long's most penetrating insights
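The checks NeoSadist lists (is anything on the box bound to 137-139 or 7597, and does the outside scan agree with the inside view) are what a cross-check script should answer. The script below is an added example, not code from this thread or from either poster. It assumes the column layout of `ss -ltnp` (local address in column 4, process info as users:(("name",pid=...))); the nmap report and ss output embedded in it are constructed samples, with the port numbers and service names taken from the post. One caveat it encodes: nmap reports a port as "filtered" when its probes get no usable answer, so a filtered 137/139/7597 seen from the Internet is consistent with an ISP-side filter and is not by itself evidence of a listener on the gateway, whereas a process bound to the port locally is.

```shell
#!/bin/sh
# Added example (not from the original thread): triage ports that nmap
# reports as "filtered" or "open" from outside against what the host
# itself has bound.  Port numbers and service names are the ones in the
# post's nmap output; the SCAN and SS samples below are constructed.

# Ports the post worries about: NetBIOS (137-139) and 7597, which nmap's
# services table labels "qaz".
SUSPECT_PORTS="137 138 139 7597"

# Constructed nmap report in normal output format (not a real scan).
SCAN='PORT     STATE    SERVICE
22/tcp   open     ssh
137/tcp  filtered netbios-ns
138/tcp  filtered netbios-dgm
139/tcp  filtered netbios-ssn
7597/tcp filtered qaz'

# Constructed "ss -ltnp" output (not from a real host); smbd on 139 is
# included so the local-listener branch is exercised.
SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=512,fd=3))
LISTEN 0      50     0.0.0.0:139        0.0.0.0:*         users:(("smbd",pid=777,fd=35))'

# nmap_state PORT REPORT -> open | filtered | closed | absent
# "filtered" means nmap got no usable reply (dropped by a firewall somewhere
# on the path, possibly at the ISP); it is not evidence that anything listens.
nmap_state() {
    printf '%s\n' "$2" | awk -v p="$1/tcp" '
        $1 == p { s = $2 }
        END { print (s ? s : "absent") }'
}

# listener_process PORT SS_OUTPUT -> name of the process bound to PORT on
# this host, or nothing.  Assumes the "ss -ltnp" column layout (local
# address in column 4, process info as users:(("name",pid=...))).
listener_process() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == "LISTEN" {
            n = split($4, a, ":")                 # port follows the last colon
            if (a[n] == p) {
                proc = "unknown"
                if (match($0, /\(\("[^"]+"/))
                    proc = substr($0, RSTART + 3, RLENGTH - 4)
                print proc
                exit
            }
        }'
}

# verdict PORT REPORT SS_OUTPUT -> one line: TAG PORT explanation
verdict() {
    state=$(nmap_state "$1" "$2")
    proc=$(listener_process "$1" "$3")
    if [ -n "$proc" ]; then
        printf 'LISTENER %s bound locally by %s\n' "$1" "$proc"
    elif [ "$state" = open ]; then
        # Open from the Internet with nothing bound here: the probe reached
        # some other device (NAT box, ISP gear), or the socket is being hidden.
        printf 'OPEN-REMOTE %s open from outside, nothing bound here\n' "$1"
    elif [ "$state" = filtered ]; then
        printf 'FILTERED %s no reply to probes, nothing bound here\n' "$1"
    else
        printf 'CLEAR %s %s, nothing bound here\n' "$1" "$state"
    fi
}

# live_report: check the suspect ports on the machine this runs on, using
# the real ss output (run as root so ss can show process names).
live_report() {
    live=$(ss -ltnp 2>/dev/null || true)
    for p in $SUSPECT_PORTS; do
        proc=$(listener_process "$p" "$live")
        if [ -n "$proc" ]; then
            printf 'local listener on %s: %s\n' "$p" "$proc"
        else
            printf 'nothing bound on %s\n' "$p"
        fi
    done
}

# Demo on the constructed samples.
for p in $SUSPECT_PORTS; do
    verdict "$p" "$SCAN" "$SS"
done
# Uncomment to check the host you run this on:
# live_report
```

Run it as is to see the verdicts for the samples (139 comes back as a local listener because of the constructed smbd line; the others come back as filtered with nothing bound). Uncomment the live_report call, as root, to check the gateway itself; that is the inside view to set against the outside scan. On a Debian old enough to lack ss, netstat -ltnp puts the local address in a different column, so the parser would need that column index changed.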

