Firewall trapping outbound probes to TCP 1120 from W2K gateway box
From: Steve Griffiths (steve@egsystems.co.uk)
Date: 03/11/03
- Next message: avi azerrad: "ras between 2 forests -how,please help !!"
- Previous message: Viswanath Neelavalli: "VPN Configuration.."
- Next in thread: Karl Levinson [x y] mvp: "Re: Firewall trapping outbound probes to TCP 1120 from W2K gateway box"
- Reply: Karl Levinson [x y] mvp: "Re: Firewall trapping outbound probes to TCP 1120 from W2K gateway box"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: steve@egsystems.co.uk (Steve Griffiths) Date: 11 Mar 2003 04:18:09 -0800
I have a PC set up as an internet gateway for my small LAN. The only
software installed is W2Kpro, Trend PC-Cillin 2002 (av + firewall) and
a D-Link NIC driver.
Every couple of days, at random times, the firewall traps outbound
probes to port 1120 normally from port 139 (netbios) or port 53 (dns).
These are directed to other class-c addresses 192.168.x.x on my
network, never to external IPs.
The source port is the same as the last port accessed by the machine
being probed – i.e. if a client workstation accesses the DNS service
on port 53 then the probe will appear to come from port 53.
More worryingly, the destination port is sometimes TCP 1243 (SubSeven)
which I guess rules out any innocent explanation.
The probe normally occurs as 16 scans in bursts of 4, at 3 second
intervals, though occasionally I have seen variations on this after
reinstalling W2K, but once the thing has established an attack
pattern, it seems to stick to it.
The firewall log shows the owning process as SVCHOST.EXE but I can't
see anything running under SVCHOST that shouldn't be there.
Neither the gateway PC (the 'attacker') nor any of the class-Cs are
listening on any suspicious ports.
I have torn down the gateway PC and reformatted the HD and reinstalled
W2k several times but the problem always reoccurs. As I said, no
applications or servers are running on this box except internet
connection sharing and PC-Cillin 2002. I did install Tiny Personal
Firewall at one point to confirm that the traffic was real and not in
PC-Cillin's 'imagination' – and it did confirm that the traffic was
real.
So what the heck is it? It seems to be built-in to W2Kpro but only
comes alive when you enable internet connection sharing.
The only other possibility is that it is something to do with
PC-Cillin 2002 (interestingly only PC-Cillin identifies port 1120 as
Netbus AFAIK).
I've run all the AV and anti-trojan tools I can get my hands on but
nothing is ever found. The registry is clean, no unusual processes
are running.
I'm totally at a loss to explain what is going on here.
Can anybody help?
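As an added example (not part of the original post), the burst pattern described above, 4 probes 3 seconds apart to 1120 or 1243 with a source port that echoes the probed host's last connection, written as a check over constructed firewall-log lines; the log layout is a made-up stand-in, not PC-Cillin's real format:

```python
from datetime import datetime
# Constructed sample log in a simple "date time DIR src:port dst:port process" layout
# (a stand-in for illustration, not PC-Cillin's real log format).
SAMPLE_LOG = """\
2003-03-11 04:10:00 IN  192.168.1.20:1050 192.168.1.1:53 SVCHOST.EXE
2003-03-11 04:12:00 OUT 192.168.1.1:53 192.168.1.20:1120 SVCHOST.EXE
2003-03-11 04:12:03 OUT 192.168.1.1:53 192.168.1.20:1120 SVCHOST.EXE
2003-03-11 04:12:06 OUT 192.168.1.1:53 192.168.1.20:1120 SVCHOST.EXE
2003-03-11 04:12:09 OUT 192.168.1.1:53 192.168.1.20:1120 SVCHOST.EXE
2003-03-11 04:30:00 OUT 192.168.1.1:139 192.168.1.30:1243 SVCHOST.EXE
2003-03-11 05:00:00 OUT 192.168.1.1:3000 192.168.1.40:80 IEXPLORE.EXE
"""
# Ports the post treats as trojan indicators: 1120 (NetBus, per PC-Cillin), 1243 (SubSeven).
SUSPICIOUS_PORTS = {1120, 1243}
def parse_log(text):
    """Turn each line into a dict with a datetime and integer ports."""
    events = []
    for line in text.splitlines():
        date, time, direction, src, dst, proc = line.split()
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        events.append({"ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
                       "dir": direction, "src_ip": src_ip, "src_port": int(src_port),
                       "dst_ip": dst_ip, "dst_port": int(dst_port), "proc": proc})
    return events

def find_bursts(events, burst_len=4, max_gap=3.0):
    """Runs of >= burst_len outbound hits on a suspicious port to one host, <= max_gap s apart."""
    runs, current = [], []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["dir"] != "OUT" or ev["dst_port"] not in SUSPICIOUS_PORTS:
            continue  # only the gateway's outbound probes matter here
        same_target = current and (ev["dst_ip"], ev["dst_port"]) == \
            (current[-1]["dst_ip"], current[-1]["dst_port"])
        if same_target and (ev["ts"] - current[-1]["ts"]).total_seconds() <= max_gap:
            current.append(ev)
        else:
            if len(current) >= burst_len:
                runs.append(current)
            current = [ev]
    if len(current) >= burst_len:
        runs.append(current)
    return runs

def mirrors_last_access(burst, events):
    """The post's oddity: probe source port == port the probed host last hit on the gateway."""
    first = burst[0]
    inbound = [e for e in events if e["dir"] == "IN" and e["src_ip"] == first["dst_ip"]
               and e["ts"] < first["ts"]]
    return bool(inbound) and max(inbound, key=lambda e: e["ts"])["dst_port"] == first["src_port"]
```

Run with `burst_len=1` to also surface the lone hit on 1243, which the post treats as alarming on its own.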