Network Security: Detailed info on RE: Source port 445,80

Subject:	RE: Source port 445,80
Date:	Thu, 6 Sep 2007 12:17:47 +0800

Thanks valdis 
 I suspected so. Possibly a worm propagation and the ips detected the
*return* traffic. But yet the alerts from my ips is very strange. Some
alerts 

172.16.1.254:80 -> 172.17.17.103:1434 MSSQL buffer overflow detected 
172.16.1.254:80 -> 172.17.17.103:1434 MSSQL buffer overflow detected
172.16.1.254:80 -> 172.17.17.103:1434 MSSQL buffer overflow detected
172.16.1.254:80 -> 172.17.17.103:1434 MSSQL buffer overflow detected
172.16.1.254:80 -> 172.17.17.103:1434 MSSQL buffer overflow detected
172.16.1.254:80 -> 172.17.17.103:1434 MSSQL buffer overflow detected
172.16.1.254:80 -> 172.17.17.103:1434 MSSQL buffer overflow detected
172.16.1.254:80 -> 172.17.17.103:1434 MSSQL buffer overflow detected
172.16.1.254:80 -> 172.17.17.16:1434 MSSQL buffer overflow detected
172.16.1.254:80 -> 172.17.17.16:1434 MSSQL buffer overflow detected
172.16.1.254:80 -> 172.17.17.16:1434 MSSQL buffer overflow detected
172.16.1.254:80 -> 172.17.17.16:1434 MSSQL buffer overflow detected
172.16.1.254:80 -> 172.17.17.16:1434 MSSQL buffer overflow detected
172.16.1.254:80 -> 172.17.17.16:1434 MSSQL buffer overflow detected

And the list goes on to different destination IP addres



-----Original Message-----
From: Valdis.Kletnieks@vt.edu [mailto:Valdis.Kletnieks@vt.edu] 
Sent: Thursday, September 06, 2007 5:36 AM
To: Wong Yu Liang
Cc: incidents@securityfocus.com
Subject: Re: Source port 445,80

On Wed, 05 Sep 2007 18:47:42 +0800, Wong Yu Liang said:

  Lately I've been getting a lot of awkward alerts with source port

445.

A few different source IP is connecting to one single IP
from the source port 445 , to random destination high ports.


Is the destination IP address one that could conceivably be calling
the *source* IPs on those ports, and you're looking at the *return*
traffic?

If so, it could be that the destination IP is being tricked into
visiting
malicious websites and the like, and what you're seeing is the website
sending
more malware down the now-open connection....

(Just asking, because for a *long* time, we had to keep a canned
response
form for "ntp-1.vt.edu is hacking my ports from its port 123"
complaints.
Of course, the *real* story was they enabled NTP, sent us a packet - and
then
their firewall software triggered on the reply).

-------------------------------------------------------------------------
This list sponsored by: SPI Dynamics

ALERT: .How a Hacker Launches a SQL Injection Attack!.- White Paper 
It's as simple as placing additional SQL commands into a Web Form input box 
giving hackers complete access to all your backend systems! Firewalls and IDS 
will not stop such attacks because SQL Injections are NOT seen as intruders. 
Download this *FREE* white paper from SPI Dynamics for a complete guide to 
protection! 

https://download.spidynamics.com/1/ad/sql.asp?Campaign_ID=70160000000Cn8E
--------------------------------------------------------------------------

<Prev in Thread]	Current Thread	[Next in Thread>
Source port 445,80, Wong Yu Liang Re: Source port 445,80, Valdis . Kletnieks RE: Source port 445,80, Wong Yu Liang <= Re: Source port 445,80, Valdis . Kletnieks RE: Source port 445,80, Wong Yu Liang Re: Source port 445,80, Valdis . Kletnieks Re: Source port 445,80, scott

Previous by Date:	Re: Source port 445,80, Valdis . Kletnieks
Next by Date:	RE: Source port 445,80, Wong Yu Liang
Previous by Thread:	Re: Source port 445,80, Valdis . Kletnieks
Next by Thread:	Re: Source port 445,80, Valdis . Kletnieks
Indexes:	[Date] [Thread] [Top] [All Lists]