Pantek Library
Hosting Provided By
CybrHost
High Speed Hosting
Mailing Lists: securityfocus.com > incidents > 02 > 110155.html (Request Expert securityfocus.com Support)

Re: Help - a possible bot

From: Ryan Yagatich <ryany(at)pantek.com>
Date: Tue Nov 26 2002 - 09:52:36 EST


Hi,

        You are seeing standard internet traffic originating from your LAN/system. In fact, a couple years ago I remember seeing posts similar to this which talked about the same concept... I don't remember what list it was on, nor when it occured, but i do remember that it talked about WINS.

Basically, the flow looks like this:

  1. network online
  2. user types in www.pantek.com in their browser.
  3. DNS responds with pantek.com as 64.208.104.215
  4. windows system reverse maps address via NetBIOS/WINS/DNS
    • here is where you are seeing the traffic
  5. windows system connects to 64.208.104.215
  6. browser displays the happy page

you mentioned that its only on hosts that do not resolve. This is because there was no reverse mapping for the targetted address via DNS and thus, the workstation attempted to use alternate methods to resolve the host.

>Is this behavior similar to any known bot infection?
well, a couple more years ago (cant remember when/where/what list) i also remember seeing a post about a particular .vbs worm that was working around doing things like this, that worm however, was not very popular and didn't really get very far.

Of course, i could be completely wrong, but I could be right. To verify any of this as being accurate or incorrect, download ethereal (www.ethereal.org) and install it on your system in full capture mode. Then do the following:

  1. disconnect from the internet
    • so we can get a 'clean slate'
  2. start the capture
    • you should only see leftover connection attempts from previous connection, and some netbios broadcasts.
  3. connect to the internet
  4. do nothing for a little while to see if any traffic occurs
    • you shouldn't really see anything here unless you have things that connect to get system updates (like windowsupdate etc.)
  5. browse the web
  6. disconnect from the internet
  7. wait a few minutes
    • this will make everything cease except for the occasional broadcast.
  8. stop the capture

with the contents of the capture you should see that all port 137 connection attempts come immediately after an init. sequence of either a web browser or other update software. If however, it is a bot or some trojan, you should see far more traffic than that of what you are generating, and in this case, clear your zone alarm settings and watch which application is trying to make the requests.

Thanks,
Ryan Yagatich <support@pantek.com>

Do you need help?X

        Pantek, Incorporated
 (877) LINUX-FIX - (440) 519-1802
  http://www.pantek.com/library/


E4 8B F0 68 9E 4F 34 9D 23 7D 62 1C
EA AD 45 E3 C3 13 A9 9D BB 8B A1 6F

 A formal parsing algorithm should
 not always be used. -- D. Gries

On Fri, 22 Nov 2002, Moshe Aelion wrote:

>HC
>
>Referring to parts of your message:


This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Tue Nov 26 18:23:04 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:52 EDT

Contact Us  Legal Notices  Order Services Online 
Pantek Home  Privacy Policy  IT news  Site Map  Pantek Library