Abnormal Port activity (Inbound)

Printable View

August 19th, 2003, 01:42 PM
Und3ertak3r

Abnormal Port activity (Inbound)

Hi Guy's

I think this question is more suited to The M$ security, but could be Virus related..

The fire wall here has been blocking ICMP packets at a higher level than normal.. currently 2 per minute(average), normal 1-5 per hour.. currently emminating from inside my ISP's assigned Block's 144.xxx & 203.xxx... This may have nothing to do with the rest of the activity

Thes pings are associated to but not all coinciding with Connection Attempts to Port 2969..
These are mainly from with in Blocks assigned to my ISP BUT.. NOT ALL..
The Source Ports appear to be 1025, 1214, 1217, 3361, 3549,3417, 3209,4144, 18497, 18498

These are consistent with recieved UDP Packets to the same port and from the same ports
The source ports seem to be all over the place, just had smoe new IP's bounce in..24.232.xx.xx & 65.251.xx.xx

Starting to see a pattern.. Approx 3 attempts ..ie 3 udp packets, 3 TCp connect attempts on 2969 from each IP before moveing on..

Thoughts? anyone else seing this traffic..

Had seen Port 80 connection attempts (welchia worm) earlier this evening.. none in the past hour.... time now 12:50UTC
Cheers
August 19th, 2003, 02:20 PM
nebulus200

ICMP: Nachi worm, AKA Welchia:

http://isc.sans.org/diary.html?date=2003-08-18

The ICMP could also be the result of someone doing a port scan, depending on how you have your network/servers setup (they could be sending out an ICMP port unreachable, type 3, code 3. What ICMP codes are you seeing? According to SANS, the ICMP type with Nachi is 8,0.

According to snort.org, the port 2969 ( http://www.snort.org/ports.html?port=2969 )
is essp. I really don't know what this is...did find this (don't have any idea if this is it or not):

http://www.cs.ccu.edu.tw/~pahsiung/p...essp-ics02.pdf

From Symantec (http://securityresponse.symantec.com....welchia.worm.)

Quote:

# Creates a remote shell on the vulnerable host that will connect back to the attacking computer on a random TCP port between 666 and 765 to receive instructions.

# Launches the TFTP server on the attacking machine, instructs the victim machine to connect and download Dllhost.exe and Svchost.exe from the attacking machine. If the file, %System%\dllcache\tftpd.exe exists, the worm may not download svchost.exe.

Which doesn't really match the pattern either...

As to why you are seeing it, you got me...maybe some more detailed packet captures would be helpful (make sure to sanitize).

/nebulus
August 19th, 2003, 04:52 PM
i2c

yep im getting a massive amount of icmp packets, 500+ per hr at least i thinks, mostly from 213.xxx.xxx.xxx

im pretty glad im not on a xp/2000 box really, there suffering a bit at the moment!

i2c