tftp random connection. possible worm?

[deftones12]

as i was just installing battlefield1942 my sygate firewall prompted me to allow or deny access to trivial ftp to download from 68.148.192.255. i nmap'd it and it is up. i dont know what it was tryin to download from there or why. i know this is typical of blaster and other worms but im protected from all them. is there a new one that i am un aware of that uses tftp to download the actual worm? my firewall logs havent really showed any kind of suspicious scanning or anything really. i highly doubt battlefield1942 would download somethin like that. any suggestions? and i dont think its adware/spyware. thanks.

[moxnix]

I have never had the game you are talking about, but could it be an update site for the game? Maybe they live update as you are installing it. Some one who has the game could probably be able to tell you.

[deftones12]

no its nothin with battlefield. here are my results from nmap:

C:\>nmap -sT -vv -P0 68.148.192.255

Starting nmap V. 3.00 ( www.insecure.org/nmap )
Host S010600104b9c3ef9.ed.shawcable.net (68.148.192.255) appears to be
od.
Initiating Connect() Scan against S010600104b9c3ef9.ed.shawcable.net (
.255)
Adding open port 139/tcp
Adding open port 13705/tcp
Adding open port 113/tcp
Adding open port 1031/tcp
The Connect() Scan took 889 seconds to scan 1601 ports.
Interesting ports on S010600104b9c3ef9.ed.shawcable.net (68.148.192.25
(The 1596 ports scanned but not shown below are in state: closed)
Port State Service
25/tcp filtered smtp
113/tcp open auth
139/tcp open netbios-ssn
1031/tcp open iad2
13705/tcp open VeritasNetbackup

Nmap run completed -- 1 IP address (1 host up) scanned in 889 seconds


when i telnet to port 113 i get this

: USERID : UNIX : fuqbfvmb


this is weird ive never seen any of this before but the "fuqbfvmb" is always different, its always different letters.when i telnet to that it sits like its not connecting, but i press enter or another key and it goes to that. then i have to push cntrl+] and it lets me get out. anyone seen anything like this before? im completely new to that telneting to the 113 auth port. it has netbios port open (139) but that auth thing sais its a unix computer, could that be samba or something?

[Tedob1]

since when do people use nmap to find out who somebody is. if you got the game off a file shareing network its probably a trojan.

lets have a look:

Trying 68.148.192 at ARIN

OrgName: Shaw Communications Inc.
OrgID: SHAWC
Address: Suite 800
Address: 630 - 3rd Ave. SW
City: Calgary
StateProv: AB
PostalCode: T2P-4L4
Country: CA

ReferralServer: rwhois://rs1so.cg.shawcable.net:4321

NetRange: 68.144.0.0 - 68.151.255.255
CIDR: 68.144.0.0/13
NetName: SHAW-COMM
NetHandle: NET-68-144-0-0-1
Parent: NET-68-0-0-0-0
NetType: Direct Allocation
NameServer: NS2SO.CG.SHAWCABLE.NET
NameServer: NS1SO.CG.SHAWCABLE.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2002-06-03
Updated: 2003-12-16

OrgAbuseHandle: SHAWA-ARIN
OrgAbuseName: SHAW ABUSE
OrgAbusePhone: +1-403-750-7420
OrgAbuseEmail: internet.abuse@sjrb.ca

OrgTechHandle: ZS178-ARIN
OrgTechName: Shaw High-Speed Internet
OrgTechPhone: +1-403-750-7428
OrgTechEmail: ipadmin@sjrb.ca


Yup! unless the makers are using shaw cable! nope thats the case:

Registrant:
ELECTRONIC ARTS (EAGAMES-DOM)
209 Redwood Shores Parkway
REDWOOD CITY, CA 94065
US

Domain Name: EAGAMES.COM

Administrative Contact, Technical Contact:
ELECTRONIC ARTS (S4684-OR) hostmaster2@ea.com
209 Redwood Shores Parkway
REDWOOD CITY, CA 94065
US
650 628 7618 fax: 650 628 1331

Record expires on 18-May-2006.
Record created on 18-May-1999.
Database last updated on 11-Jul-2004 01:42:35 EDT.

Domain servers in listed order:

SWDNS.EA.COM 159.153.197.89
SEDNS.EA.COM 159.153.229.89


add a ping to that:

Ping eagames.com (159.153.253.110) ...
1 Addr:159.153.253.110, RTT: 138ms, TTL: 53

looks like you fell for downloading someones trojan but your not showing port 69 open for tftp.

[deftones12]

i just bought the game tonight. i dont remember sayin i downloaded the game off kazaa or a peer to peer network or anything like that. its not the game for the 3rd time. not to be rude but i wanna emphasize i dont think its the game, at all. it just happend happen when i was installin it. i was wonderin if maybe it was a new worm goin around exploitin computers and openin remote shells and downloadin the worm like blaster and others did. if its the game then ok but i just doubt it is, if your right then im sorry. do the IP's of EA networks and 68.148.192.255 have any relation that you found? thanks for the input.

[Tedob1]

Sorry deftones! just that its common for downloaded software to be trojaned and you didnt say you purchased it. in a perfect world i suppose you shouldnt have to mention that but i dont know how many times ive seen it here. my appologies.

i see on your nmap scan you do not show there is a tftp server (port 69) operating on the remote. try a udp scan because its open and running. on the info i posted there's an abuse email address. report them!

what exactly does it say about the incident in sygates logs?

[deftones12]

just sais my computer was requesting a connection to that IP via tftp. im guessin it would be to download a worm or trojan, i dont know what else it would download. i was just wonderin if someone exploited my computer and caused it to try and download from that ip via tftp. is there any way i can check that to see if i was targeted and exploited? i dont know of any ways.

[SirDice]

Originally posted here by deftones12
no its nothin with battlefield. here are my results from nmap:

C:\>nmap -sT -vv -P0 68.148.192.255

Great! You're doing a TCP scan. TFTP is UDP based. So this won't tell you if "they" have a tftpd running or not.

tcp/113 is identd which could mean s/he has an IRC client running (with ident enabled).

Based on tftp traffic and a possible IRC client running I'd say that box has been backdoored.

deftones: If I were you I'd keep a sharp eye on your network traffic. It looks like you've been backdoored too.

[slarty]

deftones: you haven't made it clear to me, whether the firewall detected an *incoming* TFTP request from an external machine, or an *outgoing* TFTP request from the local machine.

I find it extremely unlikely that a game would use TFTP for updates, registration or anything else it might want to do.

If it's an incoming connection, it's probably just somebody with a worm on their machine, don't give them a hard time, it isn't their fault (much).

Some win32 worms have installed TFTP servers. They may try IPs at random looking for them later.

Slarty

[deftones12]

slarty i said my computer was tryin to use tftp to download somethin from that IP. Im protected to the known worms that use tftp to download worms and stuff, and i know its not the game,ive already said that. im clueless as to what it could be. i was just wonderin if it could be a new worm out that im unaware of and un-protected against. my firewall would block any incoming attacks like blaster and sasser did. Its only happend once, it hasnt happend since it did the first time the other night.