
SANS ISC: InfoSec Handlers Diary Blog - Distributed FTP/Port 21 scan follow-up; Port 23 scan increases; InfoSec Handlers Diary Blog



Distributed FTP/Port 21 scan follow-up; Port 23 scan increases;

Published: 2004-07-11
Last Updated: 2004-07-13 19:33:08 UTC
by Patrick Nolan (Version: 1)
Distributed FTP/Port 21 scan follow-up;

FTP/Port 21 scanning is up (link below) and University admins reading the Handlers Diary have submitted additional logs and supplemental information concerning the apparent distributed ftp scan activity reported earlier (links below). At this time there are no reports other than those from Universities. Passwords used by different scanners were reported to be English, French and German. There was only one correlation between the logs that I examined, ftp scans originating from IP address 217.128.241.141 (ABordeaux-202-1-1-141.w217-128.abo.wanadoo.fr). The offending IP had not been recently reported to DShield (link below).

REFERENCES;
FTP Scans - Universities only?

http://isc.sans.org/diary.php?isc=eb1620f23c097308c2d324fb7898cf4a
Distributed FTP Brute Force Scans - Is radmin back?
"in addition, the source addresses for the attack were different at all three institutions."

http://isc.sans.org/diary.php?date=2004-07-09
DShield Profile of 217.128.241.141:


http://www.dshield.org/ipinfo.php?ip=217.128.241.141&summary=Y&SANSDSHIELD=80c34297e18ce75c44cb37e8db4b5895
DShield Port 21 activity trending up;

http://www.dshield.org/port_report.php?port=21&recax=1&tarax=2&srcax=2&percent=N&days=65&Redraw=Submit+Query

Port 23 scan increases;

Another Diary reader submitted interesting information on what "looks a lot like a distributed telnet scan. 10 different (or 1 spoofed ?) sources, connecting at almost the same time, each trying 2 times."
DShield Port 23 activity trending up;

http://www.dshield.org/port_report.php?port=23&recax=1&tarax=2&srcax=2&percent=N&days=120&Redraw=Submit+Query
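As an added illustration (not part of the original diary, and not a tool the reader or DShield provides), here is a small detection heuristic for the pattern that reader described: many distinct sources hitting port 23 on one target within a few seconds, each making only a couple of attempts. The log format, addresses and timestamps below are constructed for the example; a single noisy scanner with repeated tries from one address is deliberately included to show that it is not flagged.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one connection attempt per line:
# "date time src_ip dst_ip dst_port" (not real data from the diary).
SAMPLE_LOG = """\
2004-07-10 03:12:01 192.0.2.10 198.51.100.5 23
2004-07-10 03:12:01 192.0.2.11 198.51.100.5 23
2004-07-10 03:12:02 192.0.2.10 198.51.100.5 23
2004-07-10 03:12:02 192.0.2.12 198.51.100.5 23
2004-07-10 03:12:03 192.0.2.11 198.51.100.5 23
2004-07-10 03:12:03 192.0.2.13 198.51.100.5 23
2004-07-10 03:12:03 192.0.2.12 198.51.100.5 23
2004-07-10 03:12:04 192.0.2.13 198.51.100.5 23
2004-07-10 09:45:17 203.0.113.7 198.51.100.5 23
2004-07-10 09:45:18 203.0.113.7 198.51.100.5 23
2004-07-10 09:45:19 203.0.113.7 198.51.100.5 23
"""

def parse(log_text):
    """Turn the constructed log into (timestamp, src, dst, dport) tuples."""
    events = []
    for line in log_text.splitlines():
        day, clock, src, dst, dport = line.split()
        ts = datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, src, dst, int(dport)))
    return events

def find_distributed_scans(events, port=23, window=timedelta(seconds=10),
                           min_sources=3, max_attempts=3):
    """Return (dst, window_start, sorted_sources) for each burst in which at
    least min_sources distinct sources touch dst:port inside one window and
    no single source tries more than max_attempts times. The low per-source
    count is what distinguishes a coordinated scan from one loud scanner."""
    by_dst = defaultdict(list)
    for ts, src, dst, dport in events:
        if dport == port:
            by_dst[dst].append((ts, src))
    hits = []
    for dst, evs in by_dst.items():
        evs.sort()
        i = 0
        while i < len(evs):
            start, counts, j = evs[i][0], defaultdict(int), i
            while j < len(evs) and evs[j][0] - start <= window:
                counts[evs[j][1]] += 1
                j += 1
            if len(counts) >= min_sources and max(counts.values()) <= max_attempts:
                hits.append((dst, start, sorted(counts)))
            i = j  # continue with the next non-overlapping window
    return hits
```

Tune `window`, `min_sources` and `max_attempts` to your own baseline; on a busy campus link a 10-second window with three sources will be far too sensitive.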

MS Internet Connection Firewall (ICF) renamed "Windows Firewall" in XPSP2, firewall rules edited in INF file;

The white paper states that, post SP2, "the location of the Windows Firewall INF file is: %windir%\Inf\Netfw.inf", and that installation-time modifications to the firewall ruleset can be accomplished by following a few simple steps ... with the final step "Run the command netsh firewall reset on the computer running Windows XP SP2. This can be done manually by entering the command at a command prompt or by including the command in a run-once script." From the whitepaper "Using the Windows Firewall INF File in Microsoft Windows XP Service Pack 2":

http://www.microsoft.com/downloads/details.aspx?FamilyID=cb307a1d-2f97-4e63-a581-bf25685b4c43&DisplayLang=en

lessons learned(?);

While researching other "Diary" security issues I ran across this less than well publicized case from earlier in the year. As a fwiw I include it as a "lessons learned" item for your consideration ... "Among those outside computers was a computer box BORGHARD was surreptitiously controlling as a "slave" intermediary computer from a remote location. That "slave" computer was sitting, unnoticed but nevertheless under operation by BORGHARD, in BORGHARD's former cubicle at a company where BORGHARD had worked prior to joining Netline." And here I have to ask, if they didn't notice the extra box in "BORGHARD's former cubicle", do you think anyone physically checked for any KeyCatchers left attached to sensitive systems, to have been "read" from the slave?
http://www.cybercrime.gov/borghardSent.htm

Patrick Nolan with nice assists from multiple University admins, John Bambanek (FTP), Chris Carboni (FTP), Tom Liston (Help needed) and Joshua Wright (Help needed)