Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Incidents
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Source port 445,80

from [scott] Network Security [Permanent Link]
Subject: Re: Source port 445,80
Date: Fri, 07 Sep 2007 03:24:57 -0400 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I would suggest trying to isolate the box that is sending these
scans.It has characteristics of a worm,obviously.

The switch or router that is seeing this traffic would be where I
would start looking.

If you can find what part of the network it originates from,maybe you
can find the box that is doing the scans.

Just a thought,
redhowlingwolves
Wong Yu Liang wrote:

Thanks valdis I suspected so. Possibly a worm propagation and the
ips detected the *return* traffic. But yet the alerts from my ips
is very strange. Some alerts

172.16.1.254:80 -> 172.17.17.103:1434 MSSQL buffer overflow
detected 172.16.1.254:80 -> 172.17.17.103:1434 MSSQL buffer
overflow detected 172.16.1.254:80 -> 172.17.17.103:1434 MSSQL
buffer overflow detected 172.16.1.254:80 -> 172.17.17.103:1434
MSSQL buffer overflow detected 172.16.1.254:80 ->
172.17.17.103:1434 MSSQL buffer overflow detected 172.16.1.254:80
-> 172.17.17.103:1434 MSSQL buffer overflow detected
172.16.1.254:80 -> 172.17.17.103:1434 MSSQL buffer overflow
detected 172.16.1.254:80 -> 172.17.17.103:1434 MSSQL buffer
overflow detected 172.16.1.254:80 -> 172.17.17.16:1434 MSSQL buffer
overflow detected 172.16.1.254:80 -> 172.17.17.16:1434 MSSQL buffer
overflow detected 172.16.1.254:80 -> 172.17.17.16:1434 MSSQL buffer
overflow detected 172.16.1.254:80 -> 172.17.17.16:1434 MSSQL buffer
overflow detected 172.16.1.254:80 -> 172.17.17.16:1434 MSSQL buffer
overflow detected 172.16.1.254:80 -> 172.17.17.16:1434 MSSQL buffer
overflow detected

And the list goes on to different destination IP addres



-----Original Message----- From: Valdis.Kletnieks@vt.edu
[mailto:Valdis.Kletnieks@vt.edu] Sent: Thursday, September 06, 2007
5:36 AM To: Wong Yu Liang Cc: incidents@securityfocus.com Subject:
Re: Source port 445,80

On Wed, 05 Sep 2007 18:47:42 +0800, Wong Yu Liang said:


Lately I've been getting a lot of awkward alerts with source port


445.

A few different source IP is connecting to one single IP from the
source port 445 , to random destination high ports.


Is the destination IP address one that could conceivably be calling
the *source* IPs on those ports, and you're looking at the
*return* traffic?

If so, it could be that the destination IP is being tricked into
visiting malicious websites and the like, and what you're seeing is
the website sending more malware down the now-open connection....

(Just asking, because for a *long* time, we had to keep a canned
response form for "ntp-1.vt.edu is hacking my ports from its port
123" complaints. Of course, the *real* story was they enabled NTP,
sent us a packet - and then their firewall software triggered on
the reply).

-------------------------------------------------------------------------
This list sponsored by: SPI Dynamics

ALERT: .How a Hacker Launches a SQL Injection Attack!.- White Paper
It's as simple as placing additional SQL commands into a Web Form
input box giving hackers complete access to all your backend
systems! Firewalls and IDS will not stop such attacks because SQL
Injections are NOT seen as intruders. Download this *FREE* white
paper from SPI Dynamics for a complete guide to protection!

https://download.spidynamics.com/1/ad/sql.asp?Campaign_ID=70160000000Cn8E

--------------------------------------------------------------------------




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFG4PzIsrt057ENXO4RAtQvAJ40Y/d8C3hqNvcp4mG5R0vHRzORSwCfdiYe
GURflq2IDdRUFVd5i4L+ONE=
=D0Ju
-----END PGP SIGNATURE-----


-------------------------------------------------------------------------
This list sponsored by: SPI Dynamics

ALERT: .How a Hacker Launches a SQL Injection Attack!.- White Paper 
It's as simple as placing additional SQL commands into a Web Form input box 
giving hackers complete access to all your backend systems! Firewalls and IDS 
will not stop such attacks because SQL Injections are NOT seen as intruders. 
Download this *FREE* white paper from SPI Dynamics for a complete guide to 
protection! 

https://download.spidynamics.com/1/ad/sql.asp?Campaign_ID=70160000000Cn8E
--------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Source port 445,80, Valdis . Kletnieks
Next by Date:  Interesting mail sender, Szalay Attila
Previous by Thread:  Re: Source port 445,80, Valdis . Kletnieks
Next by Thread:  Interesting mail sender, Szalay Attila
Indexes:  [Date] [Thread] [Top] [All Lists]