-
July 11th, 2004, 04:53 AM
#1
tftp random connection. possible worm?
As I was just installing Battlefield 1942, my Sygate firewall prompted me to allow or deny access to trivial FTP to download from 68.148.192.255. I nmap'd it and it is up. I don't know what it was trying to download from there or why. I know this is typical of Blaster and other worms, but I'm protected from all of them. Is there a new one that I am unaware of that uses TFTP to download the actual worm? My firewall logs haven't really shown any kind of suspicious scanning or anything, really. I highly doubt Battlefield 1942 would download something like that. Any suggestions? And I don't think it's adware/spyware. Thanks.
-
July 11th, 2004, 05:00 AM
#2
I have never had the game you are talking about, but could it be an update site for the game? Maybe they live update as you are installing it. Someone who has the game could probably tell you.
"Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!"
Author Unknown
-
July 11th, 2004, 05:09 AM
#3
No, it's nothing with Battlefield. Here are my results from nmap:
C:\>nmap -sT -vv -P0 68.148.192.255
Starting nmap V. 3.00 ( www.insecure.org/nmap )
Host S010600104b9c3ef9.ed.shawcable.net (68.148.192.255) appears to be
od.
Initiating Connect() Scan against S010600104b9c3ef9.ed.shawcable.net (
.255)
Adding open port 139/tcp
Adding open port 13705/tcp
Adding open port 113/tcp
Adding open port 1031/tcp
The Connect() Scan took 889 seconds to scan 1601 ports.
Interesting ports on S010600104b9c3ef9.ed.shawcable.net (68.148.192.25
(The 1596 ports scanned but not shown below are in state: closed)
Port State Service
25/tcp filtered smtp
113/tcp open auth
139/tcp open netbios-ssn
1031/tcp open iad2
13705/tcp open VeritasNetbackup
Nmap run completed -- 1 IP address (1 host up) scanned in 889 seconds
When I telnet to port 113 I get this:
: USERID : UNIX : fuqbfvmb
This is weird, I've never seen any of this before, but the "fuqbfvmb" is always different, it's always different letters. When I telnet to that it sits like it's not connecting, but I press enter or another key and it goes to that. Then I have to push Ctrl+] and it lets me get out. Anyone seen anything like this before? I'm completely new to telneting to the 113 auth port. It has the NetBIOS port open (139), but that auth thing says it's a Unix computer; could that be Samba or something?
-
July 11th, 2004, 06:44 AM
#4
Since when do people use nmap to find out who somebody is? If you got the game off a file sharing network it's probably a trojan.
Let's have a look:
Trying 68.148.192 at ARIN
OrgName: Shaw Communications Inc.
OrgID: SHAWC
Address: Suite 800
Address: 630 - 3rd Ave. SW
City: Calgary
StateProv: AB
PostalCode: T2P-4L4
Country: CA
ReferralServer: rwhois://rs1so.cg.shawcable.net:4321
NetRange: 68.144.0.0 - 68.151.255.255
CIDR: 68.144.0.0/13
NetName: SHAW-COMM
NetHandle: NET-68-144-0-0-1
Parent: NET-68-0-0-0-0
NetType: Direct Allocation
NameServer: NS2SO.CG.SHAWCABLE.NET
NameServer: NS1SO.CG.SHAWCABLE.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2002-06-03
Updated: 2003-12-16
OrgAbuseHandle: SHAWA-ARIN
OrgAbuseName: SHAW ABUSE
OrgAbusePhone: +1-403-750-7420
OrgAbuseEmail: internet.abuse@sjrb.ca
OrgTechHandle: ZS178-ARIN
OrgTechName: Shaw High-Speed Internet
OrgTechPhone: +1-403-750-7428
OrgTechEmail: ipadmin@sjrb.ca
Yup! Unless the makers are using Shaw Cable! Nope, that's the case:
Registrant:
ELECTRONIC ARTS (EAGAMES-DOM)
209 Redwood Shores Parkway
REDWOOD CITY, CA 94065
US
Domain Name: EAGAMES.COM
Administrative Contact, Technical Contact:
ELECTRONIC ARTS (S4684-OR) hostmaster2@ea.com
209 Redwood Shores Parkway
REDWOOD CITY, CA 94065
US
650 628 7618 fax: 650 628 1331
Record expires on 18-May-2006.
Record created on 18-May-1999.
Database last updated on 11-Jul-2004 01:42:35 EDT.
Domain servers in listed order:
SWDNS.EA.COM 159.153.197.89
SEDNS.EA.COM 159.153.229.89
Add a ping to that:
Ping eagames.com (159.153.253.110) ...
1 Addr:159.153.253.110, RTT: 138ms, TTL: 53
Looks like you fell for downloading someone's trojan, but you're not showing port 69 open for tftp.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
-
July 11th, 2004, 07:43 AM
#5
I just bought the game tonight. I don't remember saying I downloaded the game off Kazaa or a peer to peer network or anything like that. It's not the game, for the 3rd time. Not to be rude, but I want to emphasize I don't think it's the game, at all. It just happened to happen when I was installing it. I was wondering if maybe it was a new worm going around exploiting computers and opening remote shells and downloading the worm like Blaster and others did. If it's the game then OK, but I just doubt it is; if you're right then I'm sorry. Do the IPs of EA networks and 68.148.192.255 have any relation that you found? Thanks for the input.
-
July 11th, 2004, 06:42 PM
#6
Sorry deftones! Just that it's common for downloaded software to be trojaned and you didn't say you purchased it. In a perfect world I suppose you shouldn't have to mention that, but I don't know how many times I've seen it here. My apologies.
I see on your nmap scan you do not show there is a tftp server (port 69) operating on the remote. Try a UDP scan, because it's open and running. On the info I posted there's an abuse email address. Report them!
What exactly does it say about the incident in Sygate's logs?
-
July 12th, 2004, 03:34 AM
#7
Just says my computer was requesting a connection to that IP via tftp. I'm guessing it would be to download a worm or trojan; I don't know what else it would download. I was just wondering if someone exploited my computer and caused it to try and download from that IP via tftp. Is there any way I can check that to see if I was targeted and exploited? I don't know of any ways.
-
July 12th, 2004, 01:34 PM
#8
Originally posted here by deftones12
No, it's nothing with Battlefield. Here are my results from nmap:
C:\>nmap -sT -vv -P0 68.148.192.255
Great! You're doing a TCP scan. TFTP is UDP based. So this won't tell you if "they" have a tftpd running or not.
tcp/113 is identd which could mean s/he has an IRC client running (with ident enabled).
Based on tftp traffic and a possible IRC client running I'd say that box has been backdoored.
deftones: If I were you I'd keep a sharp eye on your network traffic. It looks like you've been backdoored too.
Oliver's Law:
Experience is something you don't get until just after you need it.
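To show the point in post #8 concretely (TFTP is UDP, so a TCP connect() scan says nothing about a tftpd), here is an added example, not code from the thread: it builds a TFTP Read Request per RFC 1350, sends it over UDP, and classifies the DATA or ERROR reply. A toy loopback tftpd on an ephemeral port (an assumption, so no root is needed for port 69) answers it so both sides of the exchange run offline; use `probe_tftp` against your own host on port 69 to check whether a tftpd is listening.

```python
import socket
import struct
import threading

TFTP_RRQ, TFTP_DATA, TFTP_ERROR = 1, 3, 5  # opcodes from RFC 1350

def build_rrq(filename, mode="octet"):
    # RRQ = opcode(2 bytes) | filename | 0 | mode | 0
    return struct.pack("!H", TFTP_RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"

def parse_packet(data):
    (opcode,) = struct.unpack("!H", data[:2])
    if opcode == TFTP_DATA:
        (block,) = struct.unpack("!H", data[2:4])
        return {"op": "DATA", "block": block, "payload": data[4:]}
    if opcode == TFTP_ERROR:
        (code,) = struct.unpack("!H", data[2:4])
        return {"op": "ERROR", "code": code, "msg": data[4:].split(b"\0")[0].decode()}
    if opcode == TFTP_RRQ:
        fields = data[2:].split(b"\0")
        return {"op": "RRQ", "filename": fields[0].decode(), "mode": fields[1].decode()}
    return {"op": "UNKNOWN", "opcode": opcode}

def probe_tftp(host, port, filename, timeout=2.0):
    """Send one RRQ over UDP and parse the reply. None means nothing
    answered: no tftpd, or UDP to that port is filtered."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(build_rrq(filename), (host, port))
        data, _ = s.recvfrom(1024)
        return parse_packet(data)
    except socket.timeout:
        return None
    finally:
        s.close()

def _loopback_tftpd(sock, files):
    # Toy server (constructed): DATA block 1 if the file exists, else ERROR 1
    data, peer = sock.recvfrom(1024)
    req = parse_packet(data)
    if req["op"] == "RRQ" and req["filename"] in files:
        sock.sendto(struct.pack("!HH", TFTP_DATA, 1) + files[req["filename"]], peer)
    else:
        sock.sendto(struct.pack("!HH", TFTP_ERROR, 1) + b"File not found\0", peer)
    sock.close()

def demo(filename):
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port, not 69
    port = srv.getsockname()[1]
    t = threading.Thread(target=_loopback_tftpd, args=(srv, {"sample.bin": b"constructed"}))
    t.start()
    reply = probe_tftp("127.0.0.1", port, filename)
    t.join()
    return reply
```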
-
July 12th, 2004, 11:21 PM
#9
deftones: you haven't made it clear to me, whether the firewall detected an *incoming* TFTP request from an external machine, or an *outgoing* TFTP request from the local machine.
I find it extremely unlikely that a game would use TFTP for updates, registration or anything else it might want to do.
If it's an incoming connection, it's probably just somebody with a worm on their machine, don't give them a hard time, it isn't their fault (much).
Some win32 worms have installed TFTP servers. They may try IPs at random looking for them later.
Slarty
-
July 12th, 2004, 11:40 PM
#10
Slarty, I said my computer was trying to use tftp to download something from that IP. I'm protected against the known worms that use tftp to download worms and stuff, and I know it's not the game, I've already said that. I'm clueless as to what it could be. I was just wondering if it could be a new worm out that I'm unaware of and unprotected against. My firewall would block any incoming attacks like Blaster and Sasser did. It's only happened once; it hasn't happened since it did the first time the other night.