[Wylug-help] Firewall Reports
Jason Lander
jason at env.leeds.ac.uk
Thu Apr 15 11:38:46 BST 2004
Marc,
> I am getting email reports from my home firewall telling me that various
> ports are being scanned from a user on the same subnet as me. The ports
> being scanned (in order of report) are :-
>
> 139, 6129, 1025, 445, 3127, 6129, 139, 135, 139
> By the duplication of the ports, I'd assume this is either viral
> activity, or a script being run. Does anybody know of any script-kiddie
> tools or virii that would produce this scan? I have reported the user
> to his ISP on each occasion that the attacks take place, but even my
> read receipts don't seem to come back.
Possibly a mixture of tools. Given the ports:
135,139,445
- Windows SMB filesharing. This is either
* an attempted Windows RPC buffer-overflow exploit
* a brute-force username / password
6129 - Dameware remote admin tool. Known buffer overflow.
1025 - Common port for MS Messenger. Used in sending Instant
Messenger SPAM (known by some as SPIM). Probably UDP not TCP.
3127 - Common port for web proxies. Someone looking for an open
proxy that can be used to send spam.
There is a worm called Agobot or Phatbot that uses a set of common
Windows security holes, including Dameware, weak passwords and the MS RPC
to propagate. An Agobot can also be instructed to do other things
including sending spam.
- Jason
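As an added example (not part of the original post or Marc's firewall), the script below reads firewall report lines of the kind Marc describes, tallies the destination ports per source address, and labels each port using the service mapping Jason gives in his reply. It also flags a source that hits SMB, Dameware and the spam-related ports together, since that combination is what the reply associates with a multi-vector bot rather than a single targeted probe. The log format and the addresses are constructed for the illustration; the 135/139/445, 6129, 1025 and 3127 interpretations are the reply's own.

```python
"""Classify the destination ports seen in home-firewall email reports.

Added example, not code from the original mailing-list post. The port-to-service
mapping is the one given in the reply; the log line format and the addresses
below are constructed for this illustration.
"""
import re
from collections import Counter

# Port -> (service, what a probe of that port usually means), as stated in the reply.
PORT_INFO = {
    135: ("Windows RPC / SMB", "RPC buffer-overflow attempt or password brute force"),
    139: ("Windows SMB filesharing", "RPC buffer-overflow attempt or password brute force"),
    445: ("Windows SMB filesharing", "RPC buffer-overflow attempt or password brute force"),
    6129: ("Dameware remote admin", "known buffer overflow"),
    1025: ("MS Messenger (usually UDP)", "instant-messenger spam (SPIM)"),
    3127: ("web proxy", "open-proxy search for spam relaying"),
}

# Constructed firewall report lines in a simple key=value format (not real data).
# The port sequence matches the one quoted in the thread.
SAMPLE_REPORT = """\
Apr 15 09:12:01 fw DROP src=192.0.2.77 dst=192.0.2.10 proto=tcp dpt=139
Apr 15 09:12:03 fw DROP src=192.0.2.77 dst=192.0.2.10 proto=tcp dpt=6129
Apr 15 09:12:04 fw DROP src=192.0.2.77 dst=192.0.2.10 proto=udp dpt=1025
Apr 15 09:12:06 fw DROP src=192.0.2.77 dst=192.0.2.10 proto=tcp dpt=445
Apr 15 09:12:07 fw DROP src=192.0.2.77 dst=192.0.2.10 proto=tcp dpt=3127
Apr 15 09:12:09 fw DROP src=192.0.2.77 dst=192.0.2.10 proto=tcp dpt=6129
Apr 15 09:12:10 fw DROP src=192.0.2.77 dst=192.0.2.10 proto=tcp dpt=139
Apr 15 09:12:12 fw DROP src=192.0.2.77 dst=192.0.2.10 proto=tcp dpt=135
Apr 15 09:12:13 fw DROP src=192.0.2.77 dst=192.0.2.10 proto=tcp dpt=139
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) .*proto=(?P<proto>\w+) dpt=(?P<dpt>\d+)")


def parse_report(text):
    """Return a list of (src, proto, port) tuples, skipping lines that don't match."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            hits.append((m.group("src"), m.group("proto"), int(m.group("dpt"))))
    return hits


def ports_by_source(hits):
    """Map each source address to a Counter of the ports it probed."""
    per_src = {}
    for src, _proto, port in hits:
        per_src.setdefault(src, Counter())[port] += 1
    return per_src


def classify(port):
    """Service name and likely intent for a port, or a generic label if unknown."""
    return PORT_INFO.get(port, ("unknown", "not in the reply's list"))


def assess_source(port_counter):
    """Summarise one source: which service families it hit, which ports it
    repeated, and whether the mix (SMB + Dameware + spam vectors) looks like
    the multi-vector bot behaviour described in the reply."""
    ports = set(port_counter)
    families = {classify(p)[0] for p in ports}
    smb = bool({135, 139, 445} & ports)
    dameware = 6129 in ports
    spam_vectors = bool({1025, 3127} & ports)
    repeated = [p for p, n in port_counter.items() if n > 1]
    return {
        "families": sorted(families),
        "smb": smb,
        "dameware": dameware,
        "spam_vectors": spam_vectors,
        "repeated_ports": sorted(repeated),
        "bot_like": smb and dameware and spam_vectors,
    }


if __name__ == "__main__":
    for src, counter in ports_by_source(parse_report(SAMPLE_REPORT)).items():
        print(f"source {src}:")
        for port, n in sorted(counter.items()):
            svc, intent = classify(port)
            print(f"  port {port:>5} x{n}  {svc}: {intent}")
        print("  assessment:", assess_source(counter))
```

Run it as-is to see the per-port breakdown for the constructed report; to use it on a real firewall mailer, replace SAMPLE_REPORT with the message body and adjust LINE_RE to that firewall's log format. The "bot_like" flag is deliberately conservative: it only fires when all three families the reply names are present from one source, which is the pattern worth escalating to the ISP with the full log attached.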