Re: Firewall trapping outbound probes to TCP 1120 from W2K gateway box

From: Karl Levinson [x y] mvp (levinson_k@excite.com)
Date: 03/11/03


From: "Karl Levinson [x y] mvp" <levinson_k@excite.com>
Date: Tue, 11 Mar 2003 08:10:46 -0500


Might not necessarily be anything malicious. Depending on the way your
network is set up, it could be absolutely normal for your gateway computer
to see messages between two internal computers and block this. I might
check both the source and destination machine using IPCONFIG /ALL or
WINIPCFG to confirm that the subnet mask and DNS server IP addresses are
correct, as these could cause internal traffic to be sent incorrectly to
your gateway.

As you may know, Windows chooses an ephemeral port above 1024 as the source
port when opening connections such as windows networking on TCP 139, and the
port number usually increases with each new connection. Eventually a
"suspicious" port number like 1243 is used as the source port. Also, when
the reply comes back, a firewall or IDS system may tell you that the
responding computer is scanning destination port 1243, when really it's just
a normal reply.... e.g. what looks like the destination port and IP address
are really the computer that started the connection.

I might check both computers to determine whether it is normal for one
computer to be initiating communications with the other.

You might also:

1) try using a sniffer [or the www.sygate.com personal firewall] to inspect
the packet contents and try to determine what it is. An IDS like Snort
might not be a bad thing to start thinking about too. Also
www.mynetwatchman.com or www.dshield.org free software can help you by
letting you see whether a particular internet IP address is also scanning
other networks besides yours.

2) Check this out:

http://securityadmin.info/faq.htm#hacked [start here]
http://securityadmin.info/faq.htm#re-secure
http://securityadmin.info/faq.htm#harden [important too]

IMHO formatting and reinstalling does nothing to help if you didn't first
determine the source of the problem in order to determine what [if any]
security mistakes were made in order to avoid making them next time. A
freshly installed Linux or Windows computer is full of security holes, so it
is absolutely possible for a newly installed computer to be less secure
instead of more.

"Steve Griffiths" <steve@egsystems.co.uk> wrote in message
news:1613ad3f.0303110418.1fd6f08@posting.google.com...
> I have a PC set up as an internet gateway for my small LAN. The only
> software installed is W2Kpro, Trend PC-Cillin 2002 (av + firewall) and
> a D-Link NIC driver.
>
> Every couple of days, at random times, the firewall traps outbound
> probes to port 1120 normally from port 139 (netbios) or port 53 (dns).
> These are directed to other class-c addresses 192.168.x.x on my
> network, never to external IPs.
>
> The source port is the same as the last port accessed by the machine
> being probed - i.e. if a client workstation accesses the DNS service
> on port 53 then the probe will appear to come from port 53.
>
> More worryingly, the destination port is sometimes TCP 1243 (SubSeven)
> which I guess rules out any innocent explanation.
>
> The probe normally occurs as 16 scans in bursts of 4, at 3 second
> intervals, though occasionally I have seen variations on this after
> reinstalling W2K, but once the thing has established an attack
> pattern, it seems to stick to it.
>
> The firewall log shows the owning process as SVCHOST.EXE but I can't
> see anything running under SVCHOST that shouldn't be there.
>
> Neither the gateway PC (the 'attacker') nor any of the class-Cs are
> listening on any suspicious ports.
>
> I have torn down the gateway PC and reformatted the HD and reinstalled
> W2k several times but the problem always reoccurs. As I said, no
> applications or servers are running on this box except internet
> connection sharing and PC-Cillin 2002. I did install Tiny Personal
> Firewall at one point to confirm that the traffic was real and not in
> PC-Cillin's 'imagination' - and it did confirm that the traffic was
> real.
>
> So what the heck is it? It seems to be built-in to W2Kpro but only
> comes alive when you enable internet connection sharing.
>
> The only other possibility is that it is something to do with
> PC-Cillin 2002 (interestingly only PC-Cillin identifies port 1120 as
> Netbus AFAIK).
>
> I've run all the AV and anti-trojan tools I can get my hands on but
> nothing is ever found. The registry is clean, no unusual processes
> are running.
>
> I'm totally at a loss to explain what is going on here.
>
> Can anybody help?
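Karl's point about the return half of a conversation being logged as if it were a scan, shown as an added example that is not part of either post: a small Python script that parses firewall log lines in a made-up format and, for each outbound packet, checks whether its source/destination pair is the mirror image of an inbound packet logged earlier (a reply), falls back to the "service port to ephemeral port" heuristic when no request was logged, and flags anything else for packet capture. The log format, the 192.168.0.x addresses and the timestamps are constructed for this example; only the port numbers (53, 139, 1120, 1243) come from the thread.

```python
import re
from collections import namedtuple

# One parsed log entry. "direction" is IN or OUT as seen from the gateway.
Flow = namedtuple("Flow", "direction proto src_ip src_port dst_ip dst_port")

# Constructed log format for this example; a real product's log will differ.
LOG_RE = re.compile(
    r"^(?P<ts>\S+\s+\S+)\s+(?P<dir>IN|OUT)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<sip>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dip>[\d.]+):(?P<dport>\d+)$"
)

# Well-known service ports named in the thread (DNS and NetBIOS session service).
SERVICE_PORTS = {53: "dns", 139: "netbios-ssn"}
EPHEMERAL_MIN = 1025  # Windows 2000 picks client-side ports from just above 1024


def parse_line(line):
    """Parse one log line into a Flow, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Flow(m["dir"], m["proto"], m["sip"], int(m["sport"]),
                m["dip"], int(m["dport"]))


def classify(flows):
    """Label each flow. An outbound packet whose (proto, ips, ports) 4-tuple is
    the mirror image of an earlier inbound packet is a reply, not a probe,
    however suspicious its destination port number looks on its own."""
    seen_inbound = set()
    results = []
    for f in flows:
        if f.direction == "IN":
            seen_inbound.add((f.proto, f.src_ip, f.src_port, f.dst_ip, f.dst_port))
            results.append((f, "inbound request"))
            continue
        # Swap the endpoints: the reply goes back to where the request came from.
        mirror = (f.proto, f.dst_ip, f.dst_port, f.src_ip, f.src_port)
        if mirror in seen_inbound:
            verdict = "reply (matches logged inbound request)"
        elif f.src_port in SERVICE_PORTS and f.dst_port >= EPHEMERAL_MIN:
            # The firewall may only log the packets it blocked, so the request
            # that this answers is often missing from the log.
            verdict = "probable reply (service port to ephemeral port), request not logged"
        elif f.src_port >= EPHEMERAL_MIN and f.dst_port < EPHEMERAL_MIN:
            verdict = "new outbound connection"
        else:
            verdict = "unexplained; capture the packet with a sniffer"
        results.append((f, verdict))
    return results


def verdicts_for(log_text):
    """Classify every parseable line of a log and return the verdicts in order."""
    flows = [f for f in (parse_line(l) for l in log_text.splitlines()) if f]
    return [verdict for _, verdict in classify(flows)]


# Constructed sample log: 192.168.0.1 is the gateway, the others are LAN clients.
SAMPLE_LOG = """\
2003-03-11 08:00:01 IN  TCP 192.168.0.12:1243 -> 192.168.0.1:139
2003-03-11 08:00:01 OUT TCP 192.168.0.1:139 -> 192.168.0.12:1243
2003-03-11 08:00:04 OUT TCP 192.168.0.1:53 -> 192.168.0.20:1120
2003-03-11 08:00:07 OUT TCP 192.168.0.1:1030 -> 192.168.0.20:139
2003-03-11 08:00:10 OUT TCP 192.168.0.1:4444 -> 192.168.0.20:1243
"""

if __name__ == "__main__":
    flows = [f for f in (parse_line(l) for l in SAMPLE_LOG.splitlines()) if f]
    for flow, verdict in classify(flows):
        print(f"{flow.direction:3} {flow.src_ip}:{flow.src_port} -> "
              f"{flow.dst_ip}:{flow.dst_port}  {verdict}")
```

The second line of the sample is exactly the case Karl describes: on its own, "gateway port 139 to client port 1243" reads as the gateway probing a SubSeven port, but the inbound line just above it shows the client opened the connection and the gateway is only answering. The third line has the same shape but no logged request, which is what a product that logs only blocked packets would show; the heuristic still calls it a probable reply. The last line fits neither pattern and is the one worth taking to a sniffer.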