Port 2000 spike
There is a significant increase in port 2000 activity. Given the number
of targets, this appears to general sweeping. At this point, we don't
have a good feeling for what is causing this increase. If you have some
packet captures, send them along.
New IIS PCT exploit in the wild?
We received a report that a possibly new IIS PCT exploit (for MS04-011)
is being used in the wild. Exploit code for this vulnerability has been
known to exist as early as April 2004, so this NOT a new vulnerability.
This packet capture appears to have 25 extra bytes beginning at offset
0x0E0 below. At this time, we have not been able to determine whether
this is completely new, but it should be identified by most IDS
signatures given the obvious strings "THCOWNZIIS!" and "cmd.exe", which
were also in the original exploit code.
Following the bouncing MS patches
While Tom Liston is busy working on the next installation of "bouncing
malware", here is an interesting story about misbehaving software.
Several weeks ago, a concerned reader submitted an interesting case to
ISC suspecting a new virus or system compromise. Harpal Parmar reported
that a Windows 2000 server running SP4 and fully patched was sending
unsolicited packets outbound to specific addresses in the IP range:
128.x.x.x -- 136.x.x.x.
The traffic was sending normal TCP packets to random destination hosts
in the above range on TCP port 139 every 10 minutes. Fortunately,
Harpal had outbound filtering in place so the packets never made it to
their destination. Upon not receiving a response, the server would
retransmit the TCP segments using the normal backoff timing of TCP (3,
6, and 12 second intervals).
ISC handlers reviewed a packet capture provided by Harpal and found no
evidence of malware or system compromise. So after utilizing several
different virus scanners and discovering no malware, Harpal looked for
different alternatives as the source cause. The first step was to
rebuild the server offline and monitor for outbound traffic. After
applying a specific patch, MS04-011 (KB835732), the activity started
again. Indeed, this patch was confirmed to be the source of the
problem after being investigated by an engineer at Microsoft. Another
patch was provided by Microsoft that corrected the problem.
Apparently, the operating system was looking for the SYSVOL$ folder on a
domain controller and a bug was causing the IP address to be obtained
from random memory addresses.
Specific symptoms experienced:
o Windows 2000 SP4
o Dual processor machine (x86)
o IIS installed/enabled
o File and printer sharing disabled
o Outbound connections to TCP port 139 every 10 minutes in IP range: 128.x.x.x -- 136.x.x.x
o Problem caused by application of MS04-011 (KB835732)
o Problem fixed by workaround or patch available at:
Follow-up on Fake RedHat Advisory
The k-otik folks have an analysis of the bad things that might happen
if you follow the instructions in the fake RedHat advisory that was
reported in yesterday's diary:
Follow-up on how to identify "normal" processes on Windows
A couple of additional URLs that may be useful when trying to to
identify good/bad processes in Windows. Please note that these sites
are hosted by companies with commercial products. This is not an
endorsement of any commercial products by SANS or the Internet Storm
Center (isn't it fun to be politically correct?).
Oct 25th 2004
Oct 25th 2004
1 decade ago