Incidents
Source port 445,80 Sep 05 2007 10:47AM
Wong Yu Liang (wong yuliang vads com) (1 replies)
Re: Source port 445,80 Sep 05 2007 09:36PM
Valdis Kletnieks vt edu (1 replies)
RE: Source port 445,80 Sep 06 2007 04:17AM
Wong Yu Liang (wong yuliang vads com) (2 replies)
Re: Source port 445,80 Sep 07 2007 07:24AM
scott (redhowlingwolves bellsouth net)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I would suggest trying to isolate the box that is sending these
scans.It has characteristics of a worm,obviously.

The switch or router that is seeing this traffic would be where I
would start looking.

If you can find what part of the network it originates from,maybe you
can find the box that is doing the scans.

Just a thought,
redhowlingwolves
Wong Yu Liang wrote:
> Thanks valdis I suspected so. Possibly a worm propagation and the
> ips detected the *return* traffic. But yet the alerts from my ips
> is very strange. Some alerts
>
> 172.16.1.254:80 -> 172.17.17.103:1434 MSSQL buffer overflow
> detected 172.16.1.254:80 -> 172.17.17.103:1434 MSSQL buffer
> overflow detected 172.16.1.254:80 -> 172.17.17.103:1434 MSSQL
> buffer overflow detected 172.16.1.254:80 -> 172.17.17.103:1434
> MSSQL buffer overflow detected 172.16.1.254:80 ->
> 172.17.17.103:1434 MSSQL buffer overflow detected 172.16.1.254:80
> -> 172.17.17.103:1434 MSSQL buffer overflow detected
> 172.16.1.254:80 -> 172.17.17.103:1434 MSSQL buffer overflow
> detected 172.16.1.254:80 -> 172.17.17.103:1434 MSSQL buffer
> overflow detected 172.16.1.254:80 -> 172.17.17.16:1434 MSSQL buffer
> overflow detected 172.16.1.254:80 -> 172.17.17.16:1434 MSSQL buffer
> overflow detected 172.16.1.254:80 -> 172.17.17.16:1434 MSSQL buffer
> overflow detected 172.16.1.254:80 -> 172.17.17.16:1434 MSSQL buffer
> overflow detected 172.16.1.254:80 -> 172.17.17.16:1434 MSSQL buffer
> overflow detected 172.16.1.254:80 -> 172.17.17.16:1434 MSSQL buffer
> overflow detected
>
> And the list goes on to different destination IP addres
>
>
>
> -----Original Message----- From: Valdis.Kletnieks (at) vt (dot) edu [email concealed]
> [mailto:Valdis.Kletnieks (at) vt (dot) edu [email concealed]] Sent: Thursday, September 06, 2007
> 5:36 AM To: Wong Yu Liang Cc: incidents (at) securityfocus (dot) com [email concealed] Subject:
> Re: Source port 445,80
>
> On Wed, 05 Sep 2007 18:47:42 +0800, Wong Yu Liang said:
>
>> Lately I've been getting a lot of awkward alerts with source port
>>
> 445.
>> A few different source IP is connecting to one single IP from the
>> source port 445 , to random destination high ports.
>
> Is the destination IP address one that could conceivably be calling
> the *source* IPs on those ports, and you're looking at the
> *return* traffic?
>
> If so, it could be that the destination IP is being tricked into
> visiting malicious websites and the like, and what you're seeing is
> the website sending more malware down the now-open connection....
>
> (Just asking, because for a *long* time, we had to keep a canned
> response form for "ntp-1.vt.edu is hacking my ports from its port
> 123" complaints. Of course, the *real* story was they enabled NTP,
> sent us a packet - and then their firewall software triggered on
> the reply).
>
> ------------------------------------------------------------------------
-
> This list sponsored by: SPI Dynamics
>
> ALERT: .How a Hacker Launches a SQL Injection Attack!.- White Paper
> It's as simple as placing additional SQL commands into a Web Form
> input box giving hackers complete access to all your backend
> systems! Firewalls and IDS will not stop such attacks because SQL
> Injections are NOT seen as intruders. Download this *FREE* white
> paper from SPI Dynamics for a complete guide to protection!
>
> https://download.spidynamics.com/1/ad/sql.asp?Campaign_ID=70160000000Cn8
E
>
> ------------------------------------------------------------------------
--
>
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFG4PzIsrt057ENXO4RAtQvAJ40Y/d8C3hqNvcp4mG5R0vHRzORSwCfdiYe
GURflq2IDdRUFVd5i4L+ONE=
=D0Ju
-----END PGP SIGNATURE-----

------------------------------------------------------------------------
-
This list sponsored by: SPI Dynamics

ALERT: .How a Hacker Launches a SQL Injection Attack!.- White Paper
It's as simple as placing additional SQL commands into a Web Form input box
giving hackers complete access to all your backend systems! Firewalls and IDS
will not stop such attacks because SQL Injections are NOT seen as intruders.
Download this *FREE* white paper from SPI Dynamics for a complete guide to protection!

https://download.spidynamics.com/1/ad/sql.asp?Campaign_ID=70160000000Cn8
E
------------------------------------------------------------------------
--

[ reply ]
Re: Source port 445,80 Sep 06 2007 04:55PM
Valdis Kletnieks vt edu (1 replies)
RE: Source port 445,80 Sep 07 2007 01:05AM
Wong Yu Liang (wong yuliang vads com) (1 replies)
Re: Source port 445,80 Sep 07 2007 04:15AM
Valdis Kletnieks vt edu


 

Privacy Statement
Copyright 2010, SecurityFocus