Re: Firewall trapping outbound probes to TCP 1120 from W2K gateway box

From: Steve Griffiths (steve@egsystems.co.uk)
Date: 03/12/03


Thanks Karl.

The incremental port number theory sounds likely. I'll test this by
setting firewall rules to block some ports just below and above the
'trojan' port numbers to see if they trigger.

As for reformatting and reinstalling, I agree that it's not the best
forensic technique but it does rule out a lot of unknowns and was easy
to do as this is a bare bones gateway box. When the problem reoccurred
after reinstalling W2K with just PCCillin and a NIC driver (and no
internet connection), logic dictated that it must be an interaction
between these three elements.

It most probably is a false positive, but the trouble with the
PCCillin firewall is that the blocked ports list is hard-coded AFAICT.
This means I'll probably be using Tiny Personal Firewall and only the
AV part of PCCillin from now on.

I did email Trend Micro tech support asking why PCCillin alone
identifies 1120 as a NetBus port but they never replied!

Steve.

"Karl Levinson [x y] mvp" <levinson_k@excite.com> wrote in message news:<#xQk4$85CHA.3276@TK2MSFTNGP11.phx.gbl>...
> Might not necessarily be anything malicious. Depending on the way your
> network is set up, it could be absolutely normal for your gateway computer
> to see messages between two internal computers and block this. I might
> check both the source and destination machine using IPCONFIG /ALL or
> WINIPCFG to confirm that the subnet mask and DNS server IP addresses are
> correct, as these could cause internal traffic to be sent incorrectly to
> your gateway.
>
> As you may know, Windows chooses an ephemeral port above 1024 as the source
> port when opening connections such as windows networking on TCP 139, and the
> port number usually increases with each new connection. Eventually a
> "suspicious" port number like 1243 is used as the source port. Also, when
> the reply comes back, a firewall or IDS system may tell you that the
> responding computer is scanning destination port 1243, when really it's just
> a normal reply.... e.g. what looks like the destination port and IP address
> are really the computer that started the connection.
>
> I might check both computers to determine whether it is normal for one
> computer to be initiating communications with the other.
>
> You might also:
>
> 1) try using a sniffer [or the www.sygate.com personal firewall] to inspect
> the packet contents and try to determine what it is. An IDS like Snort
> might not be a bad thing to start thinking about too. Also
> www.mynetwatchman.com or www.dshield.org free software can help you by
> letting you see whether a particular internet IP address is also scanning
> other networks besides yours.
>
> 2) Check this out:
>
> http://securityadmin.info/faq.htm#hacked [start here]
> http://securityadmin.info/faq.htm#re-secure
> http://securityadmin.info/faq.htm#harden [important too]
>
> IMHO formatting and reinstalling does nothing to help if you didn't first
> determine the source of the problem in order to determine what [if any]
> security mistakes were made in order to avoid making them next time. A
> freshly installed Linux or Windows computer is full of security holes, so it
> is absolutely possible for a newly installed computer to be less secure
> instead of more.
>
>
> "Steve Griffiths" <steve@egsystems.co.uk> wrote in message
> news:1613ad3f.0303110418.1fd6f08@posting.google.com...
> > I have a PC set up as an internet gateway for my small LAN. The only
> > software installed is W2Kpro, Trend PC-Cillin 2002 (av + firewall) and
> > a D-Link NIC driver.
> >
> > Every couple of days, at random times, the firewall traps outbound
> > probes to port 1120 normally from port 139 (netbios) or port 53 (dns).
> > These are directed to other class-c addresses 192.168.x.x on my
> > network, never to external IPs.
> >
> > The source port is the same as the last port accessed by the machine
> > being probed - i.e. if a client workstation accesses the DNS service
> > on port 53 then the probe will appear to come from port 53.
> >
> > More worryingly, the destination port is sometimes TCP 1243 (SubSeven)
> > which I guess rules out any innocent explanation.
> >
> > The probe normally occurs as 16 scans in bursts of 4, at 3 second
> > intervals, though occasionally I have seen variations on this after
> > reinstalling W2K, but once the thing has established an attack
> > pattern, it seems to stick to it.
> >
> > The firewall log shows the owning process as SVCHOST.EXE but I can't
> > see anything running under SVCHOST that shouldn't be there.
> >
> > Neither the gateway PC (the 'attacker') nor any of the class-Cs are
> > listening on any suspicious ports.
> >
> > I have torn down the gateway PC and reformatted the HD and reinstalled
> > W2k several times but the problem always reoccurs. As I said, no
> > applications or servers are running on this box except internet
> > connection sharing and PC-Cillin 2002. I did install Tiny Personal
> > Firewall at one point to confirm that the traffic was real and not in
> > PC-Cillin's 'imagination' - and it did confirm that the traffic was
> > real.
> >
> > So what the heck is it? It seems to be built-in to W2Kpro but only
> > comes alive when you enable internet connection sharing.
> >
> > The only other possibility is that it is something to do with
> > PC-Cillin 2002 (interestingly only PC-Cillin identifies port 1120 as
> > Netbus AFAIK).
> >
> > I've run all the AV and anti-trojan tools I can get my hands on but
> > nothing is ever found. The registry is clean, no unusual processes
> > are running.
> >
> > I'm totally at a loss to explain what is going on here.
> >
> > Can anybody help?
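Karl's ephemeral-port explanation and Steve's plan to block the ports just below and above 1120 and 1243 both come down to one check: is the flagged packet the reply half of a connection that the "probed" workstation opened itself from an incrementing source port? The Python below is an added example written for this thread, not code from either poster or from Trend Micro. It assumes a simplified one-line-per-packet log format (timestamp, direction, src:port -> dst:port, TCP flags) and uses constructed log lines, not real PC-cillin or Tiny Personal Firewall output. Everything it reports comes from matching the reverse 4-tuple against recently seen SYNs, which is the same thing a stateful firewall does and the reason a stateless "trojan port" list misfires on ordinary replies.

```python
"""Triage firewall alerts that name a 'trojan' port (1120, 1243) by checking
whether the flagged packet is really a reply to a connection the supposedly
probed host opened itself from an ephemeral source port.

Added example for this thread, not code from either poster. The log format
is an assumption made for the example; the sample lines are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Port names as the thread reports them: 1120 flagged as NetBus by PC-cillin,
# 1243 listed as SubSeven. Constructed mapping, only these two entries.
TROJAN_PORTS = {1120: "NetBus", 1243: "SubSeven"}


@dataclass
class Event:
    ts: int          # seconds
    direction: str   # "in" (arrived at the gateway) or "out" (left it)
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # "S" bare SYN (connection open), "SA" SYN/ACK, "A", ...


def parse_line(line: str) -> Event:
    """Parse '<ts> <in|out> <src>:<sport> -> <dst>:<dport> <flags>' (assumed format)."""
    ts, direction, src, arrow, dst, flags = line.split()
    assert arrow == "->", "unexpected log line layout"
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return Event(int(ts), direction, sip, int(sport), dip, int(dport), flags)


def triage(lines: List[str], window: int = 120) -> Tuple[List[Tuple[int, int, str]], List[int]]:
    """Classify every packet whose destination is a 'trojan' port.

    A packet is 'reply-to-own-connection' when the reverse 4-tuple was opened
    with a bare SYN within `window` seconds: the 'probed' host is really the
    initiator, and the flagged port is just its ephemeral source port.
    Also returns the ephemeral source ports seen on SYNs, in order, so the
    caller can confirm the incrementing-port pattern Karl describes.
    """
    opened: Dict[Tuple[str, int, str, int], int] = {}   # 4-tuple -> SYN time
    verdicts: List[Tuple[int, int, str]] = []
    ephemeral: List[int] = []
    for line in lines:
        ev = parse_line(line)
        if ev.flags == "S":
            opened[(ev.src, ev.sport, ev.dst, ev.dport)] = ev.ts
            if ev.sport > 1024:
                ephemeral.append(ev.sport)
        if ev.dport in TROJAN_PORTS:
            reverse = (ev.dst, ev.dport, ev.src, ev.sport)
            t0 = opened.get(reverse)
            if t0 is not None and 0 <= ev.ts - t0 <= window:
                verdicts.append((ev.ts, ev.dport, "reply-to-own-connection"))
            else:
                verdicts.append((ev.ts, ev.dport, "unsolicited"))
    return verdicts, ephemeral


def ports_increment(ports: List[int]) -> bool:
    """True if each new ephemeral source port is higher than the previous one."""
    return all(b > a for a, b in zip(ports, ports[1:]))


# Constructed sample: a workstation walks its ephemeral ports upward until it
# reaches 1120 and 1243; the gateway's replies from 53/139 then look like
# 'probes' to a firewall that only looks at the destination port.
SAMPLE_LOG = [
    "100 in  192.168.0.10:1118 -> 192.168.0.1:53  S",
    "100 out 192.168.0.1:53 -> 192.168.0.10:1118 SA",
    "130 in  192.168.0.10:1119 -> 192.168.0.1:139 S",
    "130 out 192.168.0.1:139 -> 192.168.0.10:1119 SA",
    "160 in  192.168.0.10:1120 -> 192.168.0.1:139 S",
    "160 out 192.168.0.1:139 -> 192.168.0.10:1120 SA",   # flagged as 'NetBus probe'
    "400 in  192.168.0.10:1243 -> 192.168.0.1:53  S",
    "400 out 192.168.0.1:53 -> 192.168.0.10:1243 SA",    # flagged as 'SubSeven probe'
    "900 out 192.168.0.1:139 -> 192.168.0.20:1120 S",    # no prior open: genuinely unsolicited
]

if __name__ == "__main__":
    verdicts, eph = triage(SAMPLE_LOG)
    for ts, port, verdict in verdicts:
        print(f"t={ts:>4} dport={port} ({TROJAN_PORTS[port]}): {verdict}")
    print("ephemeral source ports increment:", ports_increment(eph))
```

On the constructed sample the two replies to 1120 and 1243 come out as replies to the workstation's own connections, while the lone SYN to 192.168.0.20:1120 stays unsolicited, which is the distinction Steve's block-neighbouring-ports test is trying to draw by hand. A real run needs the full flag field and a stateful view of the inbound SYNs, which a sniffer as Karl suggests will give and a hard-coded port list will not.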