Maybe it's that new worm ....
http://securityresponse.symantec.com...32.setclo.html
It tries to copy itself to open network shares...
And we all know how many open boxes there are out there :rolleyes:
MLF
I went over my logs and looked at the eight entries over the last two days. One is from New Jersey, one from Asia, and the other six are from the RIPE network in Amsterdam. I guess I am going to have to go back through and look over these entries a little more closely.
For your enjoyment, here are those eight entries.
[11/30/2004 13:05:08.58] Blocked - Port Scan Attack - src_ip=193.255.230.36:2963 - dst_ip=000.000.000.000:34956 - TCP
[11/29/2004 21:52:13.62] Blocked - Port Scan Attack - src_ip=217.81.156.141:3339 - dst_ip=000.000.000.000:34956 - TCP
[11/29/2004 19:51:57.62] Blocked - Port Scan Attack - src_ip=24.131.60.255:1143 - dst_ip=000.000.000.000:34956 - TCP
[11/29/2004 12:02:17.11] Blocked - Port Scan Attack - src_ip=217.208.185.22:2788 - dst_ip=000.000.000.000:34956 - TCP
[11/29/2004 14:02:32.31] Blocked - Port Scan Attack - src_ip=82.252.239.226:3204 - dst_ip=000.000.000.000:34956 - TCP
[11/29/2004 15:50:08.76] Blocked - Port Scan Attack - src_ip=81.51.238.63:3544 - dst_ip=000.000.000.000:34956 - TCP
[11/29/2004 06:00:09.37] Blocked - Port Scan Attack - src_ip=140.117.64.171:4582 - dst_ip=000.000.000.000:34956 - TCP
[11/29/2004 08:01:41.96] Blocked - Port Scan Attack - src_ip=85.64.171.158:4864 - dst_ip=000.000.000.000:34956 - TCP
Happy hunting.
Merlin775
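Before deciding whether the eight lines above are one attacker or many, it helps to parse them and aggregate rather than eyeball them. The following is an added example, not code from the thread or from the firewall vendor: it parses the exact log format Merlin775 posted (the eight lines are embedded as constructed sample input, copied from the post with the masked dst_ip left as-is) and reports hit counts per source, the destination ports involved, the time window, and whether every source port falls in the 1025-5000 range that Windows 2000/XP use for outgoing connections by default. The field names (`src`, `sport`, `dport`, ...) and the summary keys are my own choices.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample input: the eight firewall lines quoted in the post above,
# copied verbatim (the destination address is masked as 000.000.000.000 there too).
SAMPLE_LOG = """\
[11/30/2004 13:05:08.58] Blocked - Port Scan Attack - src_ip=193.255.230.36:2963 - dst_ip=000.000.000.000:34956 - TCP
[11/29/2004 21:52:13.62] Blocked - Port Scan Attack - src_ip=217.81.156.141:3339 - dst_ip=000.000.000.000:34956 - TCP
[11/29/2004 19:51:57.62] Blocked - Port Scan Attack - src_ip=24.131.60.255:1143 - dst_ip=000.000.000.000:34956 - TCP
[11/29/2004 12:02:17.11] Blocked - Port Scan Attack - src_ip=217.208.185.22:2788 - dst_ip=000.000.000.000:34956 - TCP
[11/29/2004 14:02:32.31] Blocked - Port Scan Attack - src_ip=82.252.239.226:3204 - dst_ip=000.000.000.000:34956 - TCP
[11/29/2004 15:50:08.76] Blocked - Port Scan Attack - src_ip=81.51.238.63:3544 - dst_ip=000.000.000.000:34956 - TCP
[11/29/2004 06:00:09.37] Blocked - Port Scan Attack - src_ip=140.117.64.171:4582 - dst_ip=000.000.000.000:34956 - TCP
[11/29/2004 08:01:41.96] Blocked - Port Scan Attack - src_ip=85.64.171.158:4864 - dst_ip=000.000.000.000:34956 - TCP
"""

# One regex for the "[ts] action - event - src_ip=a:p - dst_ip=b:q - proto" layout.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<action>\w+)\s+-\s+(?P<event>.+?)\s+-\s+"
    r"src_ip=(?P<src>[\d.]+):(?P<sport>\d+)\s+-\s+"
    r"dst_ip=(?P<dst>[\d.]+):(?P<dport>\d+)\s+-\s+(?P<proto>\w+)\s*$"
)

# Windows 2000/XP allocate client-side (ephemeral) ports from 1025-5000 by default.
WIN_EPHEMERAL = range(1025, 5001)


def parse_line(line):
    """Return a dict for one log line, or None if the line is not in this format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%m/%d/%Y %H:%M:%S.%f")
    e["sport"] = int(e["sport"])
    e["dport"] = int(e["dport"])
    return e


def parse_log(text):
    """Parse every recognisable line; silently skip anything else."""
    return [e for e in map(parse_line, text.splitlines()) if e]


def summarize(entries):
    """Aggregate what the firewall saw: who, how often, which port, over what window."""
    if not entries:
        return {"hits": 0}
    ordered = sorted(entries, key=lambda e: e["ts"])      # the post is not in time order
    by_src = Counter(e["src"] for e in ordered)
    return {
        "hits": len(ordered),
        "dst_ports": dict(Counter(e["dport"] for e in ordered)),
        "distinct_sources": len(by_src),
        "max_hits_per_source": max(by_src.values()),
        "first": ordered[0]["ts"],
        "last": ordered[-1]["ts"],
        "span_seconds": (ordered[-1]["ts"] - ordered[0]["ts"]).total_seconds(),
        "all_win_ephemeral_sports": all(e["sport"] in WIN_EPHEMERAL for e in ordered),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the posted sample this reports eight hits from eight distinct sources, one packet each, all aimed at 34956 over about 31 hours, with every source port in the Windows default client range. That pattern (many hosts, one packet each, one destination port) is what you would want to distinguish from a single host sweeping your ports, which is what "Port Scan Attack" suggests at first glance.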
I tried tracing those IPs; three of them turn out to be from the Netherlands. I had a similar problem a month back: someone from the Netherlands tried to connect to one of my system ports, but most interestingly my internet connection is a non-tax-paid one, I mean it is illegal, no global IP address, I am connected to the internet through a LAN. Still, whoever it was was able to get my IP address and tried to connect to some port number (don't remember).
Merlin775, have you been using any security scanners or port scanners or any related tools recently?
nc -L -p34956 >>listen.txt
Start a netcat server listening on that port, open the fw to it... and see what you get!
I have not been running any scanners or anything of the sort recently. Work is simply too busy right now to do the extra fun things on our servers.
Tebob - You lost me so I am going to have to spend some time looking up what you posted. Any newbie advice for your post would be appreciated.
Merlin775
[-edit-]
I just found the PR Parser tool in Windows. How does it rate for doing what I am asking? Further, I just read the tutorial on here that mentions netcat and was wondering: if I open this port on my firewall to find out what this connection is doing, then aren't I opening my system to this? Meaning I am now unprotected and in danger of system problems.
This is a first for me so all advice is appreciated.
I recently left a box kinda "lying around" out there with Ethereal running to see what I got.... See here.
Having been a bit busy since starting this, I have to say I noted a lot of connection attempts in the 34xxx range (the details elude me right now and my work box is being er.... fixed....), so I can't be precise, but it was a range up there a few days ago. My firewall logs were confirming this too.
Just a note to add.....
http://www.securityfocus.com/tools/139/scoreit
Very simply put, netcat is a command line utility that can be made to send to or listen on any port.
Started like this, "nc -L -p34956 >>listen.txt", it will listen on port 34956 and redirect its output (which is anything that's sent to it) to a text file called listen.txt, so any attempts to log on or commands sent to it will be recorded.
With the amount of info I'm finding about the use of this port... if you're really curious this might be the only way to find out anything.
It could be a port used by a warez FTP server. Warez gangs are always looking for the other gangs' servers. But it really could be anything.
Just saw your addition. I don't really feel this would be a threat to security. It's not like you're opening a shell. All that can be done to netcat is to crash it with a flood of info, and then the port's not open any more. Now if you set netcat up to start cmd.exe when a connection is made, then you have problems.
I like Tiger Shark's idea... gonna look into that!
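The netcat listener Tedob1 describes does the job, but a purpose-built recorder makes the "it's not like you're opening a shell" point concrete: the code below is an added example (not code from the thread, and not part of netcat) that accepts connections on the port, writes a timestamp, the peer's address and the first bytes it sends to a log file, and then closes the connection. Nothing received is ever executed, echoed back or parsed, and a peer that connects and hangs up without sending anything is recorded as an empty payload instead of stalling the listener. Port 34956 and the file name listen.txt are taken from the post; the `Recorder` class and the `probe` helper (a client for testing against your own box) are my own.

```python
import socket
import threading
import time
from datetime import datetime, timezone


class Recorder:
    """Accept TCP connections on one port and record who connected and what they
    sent.  Each connection is read once (up to max_bytes) and closed; the bytes
    are only written to a log, never executed or echoed back."""

    def __init__(self, host="0.0.0.0", port=34956, log_path=None,
                 max_bytes=1024, read_timeout=5.0):
        self.records = []          # one dict per accepted connection
        self.log_path = log_path   # optional text file, one line per connection
        self.max_bytes = max_bytes
        self.read_timeout = read_timeout
        self._stop = threading.Event()
        self._lock = threading.Lock()
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(16)
        self.sock.settimeout(0.2)  # lets the accept loop notice stop()
        self.port = self.sock.getsockname()[1]  # real port when port=0 was requested
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, (src, sport) = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:        # listening socket closed underneath us
                break
            with conn:
                conn.settimeout(self.read_timeout)
                try:
                    # b"" when the peer connects and hangs up without sending
                    data = conn.recv(self.max_bytes)
                except (socket.timeout, OSError):
                    data = b""
            self._record(src, sport, data)

    def _record(self, src, sport, data):
        entry = {"time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
                 "src": src, "sport": sport, "data": data}
        with self._lock:
            self.records.append(entry)
        if self.log_path:
            with open(self.log_path, "a", encoding="utf-8") as fh:
                # repr() keeps binary junk printable and on a single line
                fh.write(f"{entry['time']} {src}:{sport} {len(data)}B {data!r}\n")

    def wait_for(self, count, timeout=5.0):
        """Block until `count` connections have been recorded; False on timeout."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.records) >= count:
                    return True
            time.sleep(0.05)
        return False

    def stop(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()


def probe(port, payload=b"", host="127.0.0.1"):
    """Test client: connect, optionally send payload, hang up."""
    with socket.create_connection((host, port), timeout=5.0) as c:
        if payload:
            c.sendall(payload)


if __name__ == "__main__":
    rec = Recorder(port=34956, log_path="listen.txt").start()
    print(f"listening on {rec.port}; Ctrl-C to stop")
    try:
        while True:
            time.sleep(1)
    except KeyboardInterrupt:
        rec.stop()
```

Two practical notes. Once the firewall passes the port through, those hits stop showing up as "Blocked" in its log, so the recorder's own listen.txt becomes your record of them. And any listening service is exposure, even one this small, so it belongs on the spare box outside the firewall that Tiger Shark suggested rather than on a production server.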
Merlin775, can you search your computer for sysman32.exe?
New?!? Discovery date is the 21st of June....... Quote:
Originally posted here by morganlefay
Maybe it's that new worm ....
http://securityresponse.symantec.com...32.setclo.html
http://vil.nai.com/vil/content/v_126342.htm
Therefore it would use ports 135-139 and/or 445, not port 34956. Quote:
It tries to copy itself to open network shares...
There's no mention of a backdoor being installed by this worm.
littlenick >> No, I don't have any copies of that file on my servers.
Tedob1 >> Thanks for the answer, I am reading your tutorials now. I also like Tiger Shark's idea and am going to look into that. I could take one of our old machines that are no longer in use and place it outside the firewall. I like that idea a lot actually.
I have a lot of 3xxxx-range hits on my wall. Our e-mail service provider uses a host that tries to connect in that range to run a connection optimization program of their design. However, that always runs on one of three IP addresses, so they are easy to distinguish.
Merlin775