Starting yesterday evening, I’ve been noticing a LOT more attempted connections to :445 (tcp).<\/p>\n
Initially I was under the impression that the issue was isolated to the network I was on, although I’ve had confirmations from another non-related network (plus another host I have offnet) that :445 traffic is slightly higher than what is believed to be normal, but then again – what’s normal (without a good netflow collector and historical data, you probably have no idea)<\/p>\n
A quick scan of the DSL routers I have access to, shows 314 unique IPs originating such scans to multiple destinations (this is one quick run of “show ip cache flow\u00a0 | i\u00a0 01BD” on each of 3 routers). I’m seeing the same thing on a VPS host I have located in Virginia.<\/p>\n
Being a little more than curious, I’ve fired up nepenthes<\/a> and within 8 minutes I had 3 SMB exploit attempts, where the affected machine tries to download “myreceve.com”<\/a><\/p>\n These exploits were hitting vulnerabilities on :139 (tcp), however, and I don’t believe are related (also they’re from the same class B network)<\/p>\n 66.xx.xx.xx -> 66.xx.xx.xx ftp:\/\/1:1@66.xx.xx.xx:9015\/myreceve.com<\/p><\/blockquote>\n Connecting to this host in particular gives a warm welcome:<\/p>\n nc 66.xx.xx.xx 9015 Back to what prompted my initial interest – :445, I can’t seem to figure out whats really going on – packet captures indicate more than a normal SYN scan, but without some additional review, I have no idea why so many requests from so many hosts identical to this:<\/p>\n NetBIOS Session Service I’ve only slightly glanced over other SMB sessions, and this seems like a normal request… I’m a little baffled as to why every pcap I have from an apparently compromised host uses process id “604”, but otherwise each request appears valid.<\/p>\n So…. it’s probably nothing (usually is), but it definitely piqued my interest for a time today. Happy Thanksgiving!<\/p>\n Update at 22:25<\/strong><\/p>\n At the advice of others, I’m installing dionaea<\/a>, which apparently has better SMB support, to see if I can determine exactly what these connections are. I’ll post an update when I’m finished.<\/p>\n Update 06:00 11\/25\/2009<\/strong><\/p>\n I’ve got dionea running and collecting bitstreams. Same basic signature (process id: 604), but now with a _lot_ more information in the captures (as dionaea is a little more fluent in the SMB protocol). Tonight: Cooking and reading pcaps.<\/p>\n","protected":false},"excerpt":{"rendered":" Starting yesterday evening, I’ve been noticing a LOT more attempted connections to :445 (tcp). Initially I was under the impression that the issue was isolated to the network I was on, although I’ve had confirmations from another non-related network (plus another host I have offnet) that :445 traffic is slightly higher than what is believed … Continue reading Chasing Ghosts this afternoon…<\/span>
\n220 fuckFtpd 0wns j0<\/p><\/blockquote>\n
\nMessage Type: Session message
\nLength: 47
\nSMB (Server Message Block Protocol)
\nSMB Header
\nServer Component: SMB
\nSMB Command: Negotiate Protocol (0x72)
\nError Class: Success (0x00)
\nReserved: 00
\nError Code: No Error
\nFlags: 0x00
\nFlags2: 0x0000
\nProcess ID High: 0
\nSignature: 0000000000000000
\nReserved: 0000
\nTree ID: 0
\nProcess ID: 604
\nUser ID: 0
\nMultiplex ID: 0
\nNegotiate Protocol Request (0x72)
\nWord Count (WCT): 0
\nByte Count (BCC): 12
\nRequested Dialects
\nDialect: NT LM 0.12
\nBuffer Format: Dialect (2)
\nName: NT LM 0.12<\/p><\/blockquote>\n