
Thread: Connection between Nimda & Port 1027

  1. #1
    Junior Member
    Join Date
    May 2002
    Posts
    4

    Connection between Nimda & Port 1027

    I need some help. I have been notified that Nimda.gen@MM & Nimda.eml have affected a couple of Win2K & NT 4 (SP6) machines that are used for web development. The machines were cleaned with McAfee NetShield and files cleaned or deleted, at which point the issue was closed.

    Curious as to whether the virus was removed or simply the infected files cleaned, I did a port scan on a couple of machines. All machines which had been infected now have port 1027 ICQ? open whereas uninfected machines don't. I have done a search on Google, looked through Symantec & McAfee documentation and don't see a connection between the issues.

    Port 1027 is unassigned, but sometimes is dynamically selected for printing on a Win2K server (http://support.microsoft.com/default...en-us;Q179156&). But since these particular servers are back-up/development servers and no one is printing from them, it cannot be the case. Which leaves the alternative of a trojan, which would not be a surprise at this point.

    Is it possible that there is a connection between the virus and open port or is it two unrelated issues?

    Any advice would be appreciated!

    BTW: All servers running IIS have MS02-018 - *** IIS Patch Applied

  2. #2
    Senior Member
    Join Date
    Jan 2002
    Posts
    371
    Hi miwebgal,

    We had a similar problem with a few cowboy web designers putting their own web servers on our internal network without any hardening.

    For web servers, especially those running IIS, M$ have an IIS Lockdown tool which supposedly eliminates all security vulnerabilities associated with IIS (yes I know, using "M$" and "Security" in the same sentence is a bit of an oxymoron).

    Anyway, you can find info and the tool at the following link:

    http://www.microsoft.com/technet/tre...s/locktool.asp
    SoggyBottom.

    There were so many fewer questions when the stars were still just the holes to heaven - JJ
    I sure could use a vacation from this bull$hit, three ringed circus side show of freaks. - Tool.

  3. #3
    Junior Member
    Join Date
    Sep 2001
    Posts
    2
    As with any M$ patch, cross your fingers when using the IIS Lockdown tool. I have heard that it locks it down too much, so if you're running OWA make sure you can access everything.

    Regards.

  4. #4
    Senior Member
    Join Date
    Oct 2001
    Posts
    255
    I had 1027 and 1028 open. Is that Nimda?
    The system crashed a lot, and they used BearShare.

    Preep

  5. #5
    Junior Member
    Join Date
    May 2002
    Posts
    4

    We have discovered similar "cowboys" in our organization except they are not even developers and have installed servers in remote locations on our network!

    I have carefully configured IIS to only use what I am required for the applications, but it couldn't hurt to run the Lockdown tool on the development servers to see if it finds anything else. I'll try that tomorrow a.m. The other issue we discovered is that some of the Network Admin servers were running IIS even though they don't need to. I told them to disable IIS on their machines, since they don't need it. Should I run Lockdown there too? I wasn't sure whether to uninstall or lock down.

    Still no ideas on the port/Nimda thing....

  6. #6
    Senior Member
    Join Date
    Jan 2002
    Posts
    371
    Still no ideas on the port/Nimda thing....
    I personally have never heard of the Nimda virus opening up these ports. But that is assuming that the virus you have is Nimda.

    I told them to disable IIS on their machines, since they don't need it. Should I run Lockdown there too?
    Viruses such as these exploit the vulnerabilities associated with IIS. Disabling IIS is probably the best thing to prevent these infections happening again.

    Also, if you haven't done so already, I would start developing a Win2K/NT4 server hardening document that should be carried out on all servers on one's internal network. All services not specifically required for that server to do its task should be disabled.
    SoggyBottom.


  7. #7
    I did a little bit of research, and I couldn't find any known trojan or otherwise which operates on a default port of 1027. However, ICQ does in fact run on port 1027, which is suspicious because some trojans have a feature that allows their users to be notified via ICQ if the trojan has been executed by the victim.

    Some sites I came across:

    http://www.iana.org/assignments/port-numbers

    http://www.simovits.com/sve/nyhetsar...heter9902.html

    Hope this helps.

  8. #8
    Obviously Nimda runs through IIS... however, if Nimda got in it's quite possible that anyone else could have gotten in too. Have you figured out what's running on that port? Try to web browse to it, or get fport from www.foundstone.com and run that.

  9. #9
    Jaded Network Admin nebulus200
    Join Date
    Jun 2002
    Posts
    1,356
    Nimda can spread through NetBIOS shares and through your domain, as well as through email and TFTP. I want to say I remember 1027 being tied to something that is standard in Microsoft (like a share), but like angry bob said, use fport and then all the guesswork isn't necessary.


    Neb
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  10. #10
    Junior Member
    Join Date
    May 2002
    Posts
    4

    Port Scan

    I did a port scan with the Foundstone tool the other day, which is how I discovered the open port. The value that is returned is "1027 ICQ?". I did a port scan on the machines which were never infected and that port is not open. The servers that are affected host varied applications.

    I was aware that some trojans use ICQ to send information to others. Our Virus Scans are coming back clean and with the most current .dat file. Since that port is not used for a particular trojan, I am working on figuring out what information is actually traveling through that port. We are researching a way to tie port 1027 to the process it is running on the server. Any thoughts?

    I went to Foundstone's site and am downloading all of the tools. I had only been using SuperScan to do Port scans. I'll try FPort and see what I come up with.

    Sorry if I'm a bit slow!
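The question the thread keeps circling back to is how to tie the listening port to the process that owns it, since the port number alone proves nothing: on NT/2000 the range starting at 1025 is handed out dynamically to RPC services, so 1027 can legitimately belong to a spooler, DCOM or MSMQ endpoint on one box and to something unwanted on another. The era's answer is fport, as the posters say. The script below is an added example, not something posted in the thread, and it assumes a modern Windows host (Windows 8 / Server 2012 or later, where Get-NetTCPConnection and Get-CimInstance exist; none of these cmdlets were available on NT4 or Win2K). It does what fport did and then a little more: resolves the owning PID to an image path, lists any services hosted in that PID (so an svchost.exe answer is not a dead end), checks the Authenticode signature of the binary, and compares the full set of listening ports against a baseline taken from a known-clean build. The port, the baseline list and the output path are assumptions you would replace with your own.

```powershell
# Added example: map a listening TCP port to its owning process, service and binary,
# and diff the host's listening ports against a clean-build baseline.
# Assumes Windows 8 / Server 2012 or later. The thread's NT4/Win2K hosts would use
# Foundstone's fport for the port-to-process step instead.
param(
    [int]$Port = 1027,                          # port under suspicion (assumption)
    [int[]]$BaselinePorts = @(80, 135, 139, 445) # listening ports seen on a clean build (assumption)
)

function Resolve-ListeningPort {
    param([int]$LocalPort)

    $conns = Get-NetTCPConnection -LocalPort $LocalPort -State Listen -ErrorAction SilentlyContinue
    if (-not $conns) {
        Write-Output "Nothing is listening on TCP $LocalPort"
        return
    }

    foreach ($c in $conns) {
        $procId = $c.OwningProcess
        $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
        $path   = if ($proc -and $proc.Path) { $proc.Path } else { $null }

        # A bare PID for svchost.exe tells you nothing; pull the services hosted in it.
        $svcNames = Get-CimInstance Win32_Service -Filter "ProcessId = $procId" |
                    Select-Object -ExpandProperty Name

        # Unsigned or invalidly signed images listening on a server deserve a closer look.
        $sig = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'unknown' }

        [pscustomobject]@{
            LocalAddress = $c.LocalAddress
            Port         = $c.LocalPort
            PID          = $procId
            Process      = if ($proc) { $proc.ProcessName } else { '<exited or access denied>' }
            Path         = if ($path) { $path } else { '<unknown>' }
            Services     = ($svcNames -join ',')
            Signature    = $sig
        }
    }
}

function Compare-ListeningBaseline {
    param([int[]]$Baseline)

    # Every listening port that the clean build did not have, with its owner.
    $listening = Get-NetTCPConnection -State Listen |
                 Select-Object -ExpandProperty LocalPort -Unique |
                 Sort-Object
    $unexpected = $listening | Where-Object { $_ -notin $Baseline }
    foreach ($p in $unexpected) {
        Resolve-ListeningPort -LocalPort $p
    }
}

Write-Output "=== Owner of TCP $Port ==="
Resolve-ListeningPort -LocalPort $Port | Format-List

Write-Output "=== Listening ports not in the clean baseline ==="
Compare-ListeningBaseline -Baseline $BaselinePorts | Format-Table -AutoSize
```

Run it elevated, otherwise Get-Process cannot read the image path of SYSTEM-owned processes and the Path column will be blank for exactly the processes you care about. A result of svchost.exe with a service name such as Spooler or RpcSs is the benign dynamic-RPC case the first post mentions; an unsigned binary in a user-writable directory, or a process with no path at all, is what you would hand to incident response along with the scan output.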
