Re: Is this a virus?
From: NeoSadist (neosad1st_at_charter.net)
Date: 03/11/04
- Previous message: Michael: "Is this a virus?"
- In reply to: Michael: "Is this a virus?"
- Next in thread: Nils Petter Vaskinn: "Re: Is this a virus?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 11 Mar 2004 06:41:22 -0700
Michael wrote:
> Linux gateway = Redhat
> Suspect Computer = WinNT Workstation
>
> I have recently checked my firewall logs and discovered that one of my
> computers is trying to do netbios name server lookups on tcp port 137 with
> random [as far as I can tell] remote hosts. Examples from the logs are at
> the end of this post. It tries the same IP address 3 times then tries
> another. It does this a couple of times a day. This appears to be virus
> like activity - I get them incoming all the time.
Well NetBIOS also does random lookups on its own AFAIK. Windows filesharing
computers (i.e. anything using NetBIOS) are leaky -- they flood my logs
with those lookups as well. However, NetBIOS should *NOT* be allowed out
onto the internet, so as long as it's staying within your LAN then you're
fine.
>
> Only one of the windows machines is doing it. The rest are not, so it
> appears that either it's not trying to infect them or it's very OS specific
> [I only have one NT workstation].
Sounds normal. However, worms / viruses / trojans have been known to do
random lookups on 137 as well, but I don't think it's that.
>
> I assumed it was a virus so I ran a full system scan with Nortons (after
> ensuring the definitions were up to date) - nothing found.
Then it's not a virus.
>
> I then suspected it may be an adware thing so I ran Spybot - found nothing.
Then it's not adware/spyware.
>
> There are no visible processes running I cannot account for, Spybot finds
> no ActiveX or BHOs I cannot account for. There is nothing in the usual
> registry positions I cannot account for (\run & \runservices)
>
> ZoneAlarm does not show any programs trying to access the internet that I
> have not authorised.
Is local LAN set to trusted?
>
> I am pretty much stumped.
>
> The system is NT4 Workstation Build 1381 SP6 (I have 6a installed). IE
> Version6 SP1 and system is up to date with critical patches according to
> Microsoft.
>
> Any suggestions about what could be causing this would be appreciated.
> The only thing I can think of is the system has been rootkited and hiding
> bad processes and files but don't know how to check for this.
>
> In the meantime I want to cut it off from the outside world. I have
> implemented egress filtering on the gateway but am concerned that it
> cannot distinguish a mass mailer from an ordinary mailing program. I intend
> to assign a random tcp port to outgoing mail in the email client and have
> iptables redirect the port to 25 before trying to contact the server. I
> can then block port 25 coming from internal machines. I am not quite sure
> how to do the iptables script for this. Any suggestions?
>
> Michael
>
> (example iptables log lines)
>
> Mar 3 16:43:08 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10
> DST=64.15.229.69 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=45909 PROTO=UDP
> SPT=137 DPT=137 LEN=58
Now THAT is not cool -- it's trying to access internet. I gather that your
LAN address is 172.16.0.x, correct?
> Mar 3 16:43:10 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10
> DST=64.15.229.69 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=46165 PROTO=UDP
> SPT=137 DPT=137 LEN=58
> Mar 3 16:43:11 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10
> DST=64.15.229.69 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=46421 PROTO=UDP
> SPT=137 DPT=137 LEN=58
> Mar 3 16:43:13 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10
> DST=64.15.229.70 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=47189 PROTO=UDP
> SPT=137 DPT=137 LEN=58
> Mar 3 16:43:15 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10
> DST=64.15.229.70 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=47445 PROTO=UDP
> SPT=137 DPT=137 LEN=58
> Mar 3 16:43:16 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10
> DST=64.15.229.70 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=47701 PROTO=UDP
> SPT=137 DPT=137 LEN=58
>
> (Outgoing IP Counts)
> Further to this, below is a count of the destination addresses and the
> counts for connection attempts over the last few weeks. It seems to try
> semi-consecutive addresses in an IP/24 range and then head off for another,
> like many viruses I have heard of.
All I know is that it should NOT be trying to access other computers on the
internet with that. Your gateway to the internet should be blocking
incoming 137-139,445 and outgoing 137-139,445 (which are the netbios
ports), both UDP and TCP versions.
>
> DST=IPADDRESS Count
> DST=12.130.12.31 3
> DST=144.135.18.10 3
> DST=144.135.19.10 3
> DST=144.135.8.144 21
> DST=144.135.8.150 36
> DST=144.135.8.152 36
> DST=144.135.8.158 30
> DST=144.135.8.159 3
> DST=144.135.8.160 3
> DST=144.135.8.168 12
> DST=144.135.8.169 42
> DST=144.135.8.175 36
> DST=144.135.8.185 36
> DST=144.140.29.203 3
> DST=192.168.1.1 3
> DST=192.43.230.1 3
> DST=195.141.106.190 3
> DST=195.141.106.191 3
> DST=203.49.108.34 27
> DST=205.217.153.53 3
> DST=205.217.153.54 3
> DST=207.46.197.85 3
> DST=212.113.20.69 3
> DST=216.13.169.244 3
> DST=216.239.53.99 3
> DST=216.239.57.104 3
> DST=216.239.57.99 3
> DST=64.14.128.202 3
> DST=64.15.229.69 33
> DST=64.15.229.70 27
> DST=64.15.229.71 33
> DST=64.15.229.72 24
> DST=64.69.191.202 33
> DST=64.69.191.203 24
> DST=64.94.110.12 3
> DST=66.161.19.11 3
> DST=69.2.40.97 3
--
Authors (and perhaps columnists) eventually rise to the top of whatever
depths they were once able to plumb.
-- Stanley Kaufman
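The count table Michael built by hand, as a script (an added example, not code posted by anyone in this thread): it reads iptables kernel log lines, keeps only the LAN-to-Internet packets aimed at the NetBIOS/SMB ports (137-139 and 445, UDP or TCP) and counts them per source, destination and port, so inbound noise from the Internet and ordinary web traffic are not flagged. The interface names eth1 and ppp0 are taken from the posted log lines; the log lines embedded in the script are constructed samples in the same format, not Michael's actual log.

```shell
#!/bin/sh
# Added example: report LAN hosts that try to reach NetBIOS/SMB ports on
# the Internet, from iptables LOG lines (the format in the thread).
# Assumptions: LAN interface eth1, Internet interface ppp0 (override
# with LAN_IF / WAN_IF). Sample log lines below are constructed.

LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-ppp0}"

# Read iptables log lines on stdin and print one line per
# "SRC DST PROTO/DPT count" for LAN -> Internet packets whose destination
# port is a NetBIOS/SMB port, most frequent first.
outbound_netbios() {
    awk -v lan="$LAN_IF" -v wan="$WAN_IF" '
    {
        src = dst = proto = dpt = inif = outif = ""
        # The interesting fields are KEY=VALUE tokens; the syslog prefix
        # ("Mar  3 16:43:08 Gateway kernel:") carries no "=" and is skipped.
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "IN")         inif  = kv[2]
            else if (kv[1] == "OUT")   outif = kv[2]
            else if (kv[1] == "SRC")   src   = kv[2]
            else if (kv[1] == "DST")   dst   = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT")   dpt   = kv[2]
        }
        # Only traffic leaving the LAN for the Internet matters here;
        # inbound 137 probes from the Internet are expected background.
        if (inif != lan || outif != wan) next
        if (proto != "UDP" && proto != "TCP") next
        if (dpt != "137" && dpt != "138" && dpt != "139" && dpt != "445") next
        count[src " " dst " " proto "/" dpt]++
    }
    END { for (k in count) print k, count[k] }
    ' | sort -k4,4nr -k2,2
}

# Constructed sample: three NetBIOS name-service packets and one SMB SYN
# from 172.16.0.10, an inbound probe from the Internet (must be ignored)
# and a plain HTTP connection from another LAN host (must be ignored).
sample_log() {
    cat <<'EOF'
Mar  3 16:43:08 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10 DST=64.15.229.69 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=45909 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar  3 16:43:10 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10 DST=64.15.229.69 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=46165 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar  3 16:43:13 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10 DST=64.15.229.70 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=47189 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar  3 16:44:01 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10 DST=64.15.229.70 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=47200 DF PROTO=TCP SPT=1045 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Mar  3 16:44:05 Gateway kernel: IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.2 LEN=78 TOS=0x00 PREC=0x00 TTL=112 ID=1234 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar  3 16:44:09 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.11 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=9 DF PROTO=TCP SPT=1050 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
EOF
}

# Real use:   grep 'IN=eth1 OUT=ppp0' /var/log/messages | sh netbios_out.sh
# Demo run:   sh netbios_out.sh --demo
if [ "${1:-}" = "--demo" ]; then
    sample_log | outbound_netbios
elif [ "${1:-}" = "--stdin" ]; then
    outbound_netbios
fi
```

On the sample the output is one line per source/destination/port, with the two 64.15.229.69 packets at the top; a host that shows up here with a destination outside your own address space is the one to pull off the network, whatever the scanners say.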
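The egress rules NeoSadist describes (137-139 and 445 blocked in both directions, UDP and TCP), together with Michael's redirect-to-25 idea done in a way that works, as an added example; this is not code from anyone in the thread. The interface names and the 172.16.0.x LAN come from the post; the client-side port 2525, the relay name mail.example.net and the packet mark value 25 are assumptions. The catch with the redirect idea is the order in which iptables processes a packet: nat PREROUTING rewrites the destination port before the FORWARD chain sees the packet, so a plain "drop destination port 25 from the LAN" rule in FORWARD would also drop the mail client's rewritten traffic. Marking the packet in mangle PREROUTING, which runs before nat, lets FORWARD tell the two apart. Restricting the mark to the relay's address means a mass mailer that happened to pick port 2525 would still be refused for every other destination.

```shell
#!/bin/sh
# Added example: egress rules for a Linux gateway with the LAN on eth1
# and the Internet on ppp0. Everything below that is not in the thread
# (client SMTP port, relay name, mark value) is an assumption.
# Set IPT="echo iptables" to print the rules instead of loading them.

IPT="${IPT:-iptables}"                          # unquoted on purpose: "echo iptables" must split
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-ppp0}"
LAN_NET="${LAN_NET:-172.16.0.0/24}"
CLIENT_SMTP_PORT="${CLIENT_SMTP_PORT:-2525}"    # the "random" port set in the mail client
RELAY="${RELAY:-mail.example.net}"              # the ISP's mail relay (placeholder)
MARK=25

# NetBIOS/SMB must not cross the gateway in either direction. Outbound
# attempts are logged before being dropped so the offending LAN host
# stays visible in the logs.
netbios_rules() {
    for proto in udp tcp; do
        $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p "$proto" \
            -m multiport --dports 137,138,139,445 \
            -j LOG --log-prefix "NETBIOS-OUT: "
        $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p "$proto" \
            -m multiport --dports 137,138,139,445 -j DROP
        $IPT -A FORWARD -i "$WAN_IF" -p "$proto" \
            -m multiport --dports 137,138,139,445 -j DROP
        $IPT -A INPUT -i "$WAN_IF" -p "$proto" \
            -m multiport --dports 137,138,139,445 -j DROP
    done
}

# Mail: the client talks to the relay on CLIENT_SMTP_PORT, the gateway
# rewrites that to 25, and direct port 25 from the LAN is dropped.
smtp_rules() {
    # 1. mangle PREROUTING runs before nat PREROUTING, so the original
    #    port is still visible here; tag packets that used it and are
    #    going to the relay.
    $IPT -t mangle -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -d "$RELAY" \
        -p tcp --dport "$CLIENT_SMTP_PORT" -j MARK --set-mark "$MARK"
    # 2. Rewrite only the destination port; the client already addresses
    #    the relay itself. Connection tracking un-does it on the replies.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp \
        --dport "$CLIENT_SMTP_PORT" -j DNAT --to-destination :25
    # 3. FORWARD sees the packet after NAT, i.e. with dport 25. Without
    #    the mark the DROP below would kill the legitimate client too.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp --dport 25 \
        -m mark --mark "$MARK" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp --dport 25 \
        -j LOG --log-prefix "SMTP-DIRECT: "
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp --dport 25 -j DROP
}

load_rules() {
    netbios_rules
    smtp_rules
}

# Dry run:  IPT="echo iptables" sh egress.sh --load
# For real: sh egress.sh --load        (as root, on the gateway)
if [ "${1:-}" = "--load" ]; then
    load_rules
fi
```

Anything that shows up under the SMTP-DIRECT: prefix afterwards is a program on the LAN talking SMTP without going through the client's configured port, which is exactly the mass-mailer behaviour the egress filter was meant to catch.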