SANS ISC: XP SP2 Release to manufacturing, and Continued Scanning Trends

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

XP SP2 Release to manufacturing, and Continued Scanning Trends


SSH Scans continue searching out machines with default and weak password schemas. Below is a url to a post demonstrating what can happen once these brute force attempts are successful.

http://www.mail-archive.com/debian-user@lists.debian.org/msg110879.html




Microsoft XP SP2 released to Manufacturing.

Microsoft released XP SP2 to Manufacturing today, paving the way to public release at the end of the month. This Service Pack has been available in beta form for a good while already, with mixed reviews. While there are many security fixes in this update, one of the main improvements is that the Windows Personal Firewall will be turned on by default. This does not change the fact that the firewall assumes that if you have an open port, you expect to have that port open on the firewall :-(

http://news.com.com/After+delays%2C+Windows+security+update+ready+to+go/2100-1016_3-5300317.html?part=rss&tag=5300317&subj=news.1016.20

According to Microsofts web site, XP SP2 is scheduled to be released this month:

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx
<quote>
Aug 2, 2004: Windows XP SP 2 Release Candidate 2 (RC2) Removed from the Web

This signifies the end of the pre-release distribution program in
anticipation of the final release of SP2. Windows XP SP2 remains on
schedule for release this month.

We recommend that you not install the RC2 version of SP2 on computers that
are running the latest security updates. Instead, install the final version
of Windows XP SP2 when it becomes available. Installing the RC2 version of
SP2 on computers that already have the latest security updates installed
can cause incompatibilities. The final release of SP2 will be compatible
with all previously installed security updates.
</quote>



SSH Scans, Microsoft Ports, and Botnet Scans in continuous mode


There have been spikes in port 2745 traffic over the last couple of days. This is a common backdoor from bagle.E and its variants. This increase may be due to continued infection, or bots scanning for the backdoor left by the various malware. Again, quoting the great Tom Liston... 2004 has been a malware festival!


http://isc.sans.org/port_report_graph.php?port=2745




I also continue to see botnet scans for M$ ports, as well as the usual bagle, mydoom, sasser, dabber and other ports. Examples below:

66.136.185.193 > FOO.FOO.104

21:32:54.748297 66.136.185.193.3041 > FOO.FOO.104.135: S 1874993687:1874993687(0) win 16384 <mss 1440,nop,nop,sackOK> (DF)

21:32:54.775112 66.136.185.193.3042 > FOO.FOO.104.135: S 1875076752:1875076752(0) win 16384 <mss 1440,nop,nop,sackOK> (DF)

21:32:54.840363 66.136.185.193.3043 > FOO.FOO.104.1025: S 1875133493:1875133493(0) win 16384 <mss 1440,nop,nop,sackOK> (DF)

21:32:54.871901 66.136.185.193.3045 > FOO.FOO.104.1025: S 1875169154:1875169154(0) win 16384 <mss 1440,nop,nop,sackOK> (DF)

21:32:55.155331 66.136.185.193.3048 > FOO.FOO.104.445: S 1875355067:1875355067(0) win 16384 <mss 1440,nop,nop,sackOK> (DF)

21:32:55.206019 66.136.185.193.3065 > FOO.FOO.104.6129: S 1875668180:1875668180(0) win 16384 <mss 1440,nop,nop,sackOK> (DF)

21:32:55.210355 66.136.185.193.3066 > FOO.FOO.104.139: S 1875721323:1875721323(0) win 16384 <mss 1440,nop,nop,sackOK> (DF)

21:32:55.216125 66.136.185.193.3042 > FOO.FOO.104.135: S 1875076752:1875076752(0) win 16384 <mss 1440,nop,nop,sackOK> (DF)

21:32:55.221793 66.136.185.193.3041 > FOO.FOO.104.135: S 1874993687:1874993687(0) win 16384 <mss 1440,nop,nop,sackOK> (DF)

21:32:55.445722 66.136.185.193.3043 > FOO.FOO.104.1025: S 1875133493:1875133493(0) win 16384 <mss 1440,nop,nop,sackOK> (DF)

21:32:55.448958 66.136.185.193.3045 > FOO.FOO.104.1025: S 1875169154:1875169154(0) win 16384 <mss 1440,nop,nop,sackOK> (DF)

21:32:55.759457 66.136.185.193.3065 > FOO.FOO.104.6129: S 1875668180:1875668180(0) win 16384 <mss 1440,nop,nop,sackOK> (DF)

21:32:55.763985 66.136.185.193.3066 > FOO.FOO.104.139: S 1875721323:1875721323(0) win 16384 <mss 1440,nop,nop,sackOK> (DF)

21:32:55.769704 66.136.185.193.3042 > FOO.FOO.104.135: S 1875076752:1875076752(0) win 16384 <mss 1440,nop,nop,sackOK> (DF)

21:32:55.775256 66.136.185.193.3048 > FOO.FOO.104.445: S 1875355067:1875355067(0) win 16384 <mss 1440,nop,nop,sackOK> (DF)

21:32:55.930484 66.136.185.193.3041 > FOO.FOO.104.135: S 1874993687:1874993687(0) win 16384 <mss 1440,nop,nop,sackOK> (DF)

21:32:56.110472 66.136.185.193.3043 > FOO.FOO.104.1025: S 1875133493:1875133493(0) win 16384 <mss 1440,nop,nop,sackOK> (DF)

21:32:56.192764 66.136.185.193.3066 > FOO.FOO.104.139: S 1875721323:1875721323(0) win 16384 <mss 1440,nop,nop,sackOK> (DF)

21:32:56.200454 66.136.185.193.3065 > FOO.FOO.104.6129: S 1875668180:1875668180(0) win 16384 <mss 1440,nop,nop,sackOK> (DF)

21:32:57.836363 66.136.185.193.3046 > FOO.FOO.104.445: S 1875232866:1875232866(0) win 16384 <mss 1440,nop,nop,sackOK> (DF)

21:32:58.055892 66.136.185.193.3047 > FOO.FOO.104.445: S 1875311927:1875311927(0) win 16384 <mss 1440,nop,nop,sackOK> (DF)

21:32:58.059089 66.136.185.193.3056 > FOO.FOO.104.3127: S 1875590101:1875590101(0) win 16384 <mss 1440,nop,nop,sackOK> (DF)

Learn to catch hackers and detect and analyze malicious traffic

Sans New England is coming to Boston Monday September 13, 2004 - Saturday September 18, 2004. I will be teaching the Intrusion Detection Class, and from what I hear, class sizes will small. This is a great opportunity to get handson training in a more comfortable environment. Follow the link below for a detailed description:

http://www.sans.org/newengland04/description.php?tid=15
Mike Poor [ mike <at> intelguardians.com ]