tftp random connection. possible worm?

  1. #1 deftones12 (Senior Member; joined Jan 2003; location: cali forn i a; 333 posts)

    As I was just installing Battlefield 1942, my Sygate firewall prompted me to allow or deny access for trivial FTP to download from 68.148.192.255. I nmap'd it and it is up. I don't know what it was trying to download from there or why. I know this is typical of Blaster and other worms, but I'm protected from all of them. Is there a new one that I am unaware of that uses TFTP to download the actual worm? My firewall logs haven't really shown any kind of suspicious scanning or anything, really. I highly doubt Battlefield 1942 would download something like that. Any suggestions? And I don't think it's adware/spyware. Thanks.

  2. #2 moxnix (Macht Nicht Aus; joined May 2002; location: Huson Mt.; 1,752 posts)
    I have never had the game you are talking about, but could it be an update site for the game? Maybe they live update as you are installing it. Someone who has the game could probably tell you.
    "Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!"
    Author Unknown

  3. #3 deftones12 (Senior Member; joined Jan 2003; location: cali forn i a; 333 posts)
    No, it's nothing to do with Battlefield. Here are my results from nmap:

    C:\>nmap -sT -vv -P0 68.148.192.255

    Starting nmap V. 3.00 ( www.insecure.org/nmap )
    Host S010600104b9c3ef9.ed.shawcable.net (68.148.192.255) appears to be
    od.
    Initiating Connect() Scan against S010600104b9c3ef9.ed.shawcable.net (
    .255)
    Adding open port 139/tcp
    Adding open port 13705/tcp
    Adding open port 113/tcp
    Adding open port 1031/tcp
    The Connect() Scan took 889 seconds to scan 1601 ports.
    Interesting ports on S010600104b9c3ef9.ed.shawcable.net (68.148.192.25
    (The 1596 ports scanned but not shown below are in state: closed)
    Port State Service
    25/tcp filtered smtp
    113/tcp open auth
    139/tcp open netbios-ssn
    1031/tcp open iad2
    13705/tcp open VeritasNetbackup

    Nmap run completed -- 1 IP address (1 host up) scanned in 889 seconds


    When I telnet to port 113 I get this:

    : USERID : UNIX : fuqbfvmb


    This is weird, I've never seen any of this before, but the "fuqbfvmb" is always different, it's always different letters. When I telnet to that it sits like it's not connecting, but I press enter or another key and it goes to that. Then I have to push Ctrl+] and it lets me get out. Anyone seen anything like this before? I'm completely new to telneting to the 113 auth port. It has the NetBIOS port open (139), but that auth thing says it's a Unix computer. Could that be Samba or something?

  4. #4 Senior Member (joined Nov 2001; 4,786 posts)
    Since when do people use nmap to find out who somebody is? If you got the game off a file-sharing network it's probably a trojan.

    Let's have a look:

    Trying 68.148.192 at ARIN

    OrgName: Shaw Communications Inc.
    OrgID: SHAWC
    Address: Suite 800
    Address: 630 - 3rd Ave. SW
    City: Calgary
    StateProv: AB
    PostalCode: T2P-4L4
    Country: CA

    ReferralServer: rwhois://rs1so.cg.shawcable.net:4321

    NetRange: 68.144.0.0 - 68.151.255.255
    CIDR: 68.144.0.0/13
    NetName: SHAW-COMM
    NetHandle: NET-68-144-0-0-1
    Parent: NET-68-0-0-0-0
    NetType: Direct Allocation
    NameServer: NS2SO.CG.SHAWCABLE.NET
    NameServer: NS1SO.CG.SHAWCABLE.NET
    Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
    RegDate: 2002-06-03
    Updated: 2003-12-16

    OrgAbuseHandle: SHAWA-ARIN
    OrgAbuseName: SHAW ABUSE
    OrgAbusePhone: +1-403-750-7420
    OrgAbuseEmail: internet.abuse@sjrb.ca

    OrgTechHandle: ZS178-ARIN
    OrgTechName: Shaw High-Speed Internet
    OrgTechPhone: +1-403-750-7428
    OrgTechEmail: ipadmin@sjrb.ca


    Yup! Unless the makers are using Shaw Cable! Nope, that's not the case:

    Registrant:
    ELECTRONIC ARTS (EAGAMES-DOM)
    209 Redwood Shores Parkway
    REDWOOD CITY, CA 94065
    US

    Domain Name: EAGAMES.COM

    Administrative Contact, Technical Contact:
    ELECTRONIC ARTS (S4684-OR) hostmaster2@ea.com
    209 Redwood Shores Parkway
    REDWOOD CITY, CA 94065
    US
    650 628 7618 fax: 650 628 1331

    Record expires on 18-May-2006.
    Record created on 18-May-1999.
    Database last updated on 11-Jul-2004 01:42:35 EDT.

    Domain servers in listed order:

    SWDNS.EA.COM 159.153.197.89
    SEDNS.EA.COM 159.153.229.89


    Add a ping to that:

    Ping eagames.com (159.153.253.110) ...
    1 Addr:159.153.253.110, RTT: 138ms, TTL: 53

    Looks like you fell for downloading someone's trojan, but you're not showing port 69 open for TFTP.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  5. #5 deftones12 (Senior Member; joined Jan 2003; location: cali forn i a; 333 posts)
    I just bought the game tonight. I don't remember saying I downloaded the game off Kazaa or a peer-to-peer network or anything like that. It's not the game, for the 3rd time. Not to be rude, but I want to emphasize I don't think it's the game, at all. It just happened when I was installing it. I was wondering if maybe it was a new worm going around exploiting computers and opening remote shells and downloading the worm like Blaster and others did. If it's the game then OK, but I just doubt it is; if you're right then I'm sorry. Do the IPs of EA networks and 68.148.192.255 have any relation that you found? Thanks for the input.

  6. #6 Senior Member (joined Nov 2001; 4,786 posts)
    Sorry deftones! It's just that it's common for downloaded software to be trojaned and you didn't say you purchased it. In a perfect world I suppose you shouldn't have to mention that, but I don't know how many times I've seen it here. My apologies.

    I see on your nmap scan you do not show there is a TFTP server (port 69) operating on the remote. Try a UDP scan, because it's open and running. In the info I posted there's an abuse email address. Report them!

    What exactly does it say about the incident in Sygate's logs?

  7. #7 deftones12 (Senior Member; joined Jan 2003; location: cali forn i a; 333 posts)
    It just says my computer was requesting a connection to that IP via TFTP. I'm guessing it would be to download a worm or trojan; I don't know what else it would download. I was just wondering if someone exploited my computer and caused it to try and download from that IP via TFTP. Is there any way I can check to see if I was targeted and exploited? I don't know of any ways.

  8. #8 Just Another Geek (joined Jul 2002; location: Rotterdam, Netherlands; 3,401 posts)
    Originally posted here by deftones12:
    No, it's nothing to do with Battlefield. Here are my results from nmap:

    C:\>nmap -sT -vv -P0 68.148.192.255
    Great! You're doing a TCP scan. TFTP is UDP based. So this won't tell you if "they" have a tftpd running or not.

    tcp/113 is identd which could mean s/he has an IRC client running (with ident enabled).

    Based on tftp traffic and a possible IRC client running I'd say that box has been backdoored.

    deftones: If I were you I'd keep a sharp eye on your network traffic. It looks like you've been backdoored too.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  9. #9 Senior Member (joined Jan 2002; 1,207 posts)
    deftones: you haven't made it clear to me, whether the firewall detected an *incoming* TFTP request from an external machine, or an *outgoing* TFTP request from the local machine.

    I find it extremely unlikely that a game would use TFTP for updates, registration or anything else it might want to do.

    If it's an incoming connection, it's probably just somebody with a worm on their machine, don't give them a hard time, it isn't their fault (much).

    Some win32 worms have installed TFTP servers. They may try IPs at random looking for them later.

    Slarty

  10. #10 deftones12 (Senior Member; joined Jan 2003; location: cali forn i a; 333 posts)
    Slarty, I said my computer was trying to use TFTP to download something from that IP. I'm protected against the known worms that use TFTP to download worms and stuff, and I know it's not the game; I've already said that. I'm clueless as to what it could be. I was just wondering if it could be a new worm out that I'm unaware of and unprotected against. My firewall would block any incoming attacks like Blaster and Sasser did. It's only happened once; it hasn't happened since it did the first time the other night.
