Fwd: [Full-Disclosure] TCP Port 42 port scans? What the heck over...

2004-12-22 Thread wastedimage
I'm just curious if it's moved past the scanning phase and someone is actively trying to exploit a box. A quick look at any traffic would answer this. image On Thu, 16 Dec 2004 15:18:47 -0500, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: > On Tue, 14 Dec 2004 16:33:59 CST, wastedimage said: > >

Re: [Full-Disclosure] TCP Port 42 port scans? What the heck over...

2004-12-22 Thread Dave Aitel
The problem with all your reasons is that they have an underlying assumption that people have enough clue to realize things like "they don't need it", or "they don't need more than one or two". I'm however convinced that for each network admin out there who understands there's times to run WINS

Re: [Full-Disclosure] TCP Port 42 port scans? What the heck over...

2004-12-22 Thread Ron DuFresne
[SNIP] > > And remember that those sheep can't say "firewall".. ;) > Even those that can, don't always understand what makes it tick. Thanks, Ron DuFresne -- "Sometimes you get the blues because your baby leaves you. Sometimes you get'em 'cause she comes back." --B.B. King *

Re: [Full-Disclosure] TCP Port 42 port scans? What the heck over...

2004-12-22 Thread Ron DuFresne
[SNIP] > > 3. I can't think of a good reason to open WINS through a firewall. > Generally one would expect places with multiple sites to use site to > site connections, IPSec tunnels, and end user VPN tunnels, all of > which would negate the need to open it through the firewall. > I know

Re: [Full-Disclosure] TCP Port 42 port scans? What the heck over...

2004-12-21 Thread Valdis . Kletnieks
On Tue, 14 Dec 2004 16:33:59 CST, wastedimage said: > can anyone provide me with a traffic sample of this? I would really > like to see if this is the actual exploit or just a script kiddy > trying his little heart out. What's this '*THE* actual exploit' stuff? These things are rarely unique ;)

RE: [Full-Disclosure] TCP Port 42 port scans? What the heck over...

2004-12-16 Thread Stuart Fox (DSL AK)
c: Full-Disclosure (E-mail) > Subject: Re: [Full-Disclosure] TCP Port 42 port scans? What > the heck over... > > * James Lay: > > > Here they be. ODD. Anyone else seeing this? > > Probably yes. 8-) 42/TCP is used by Microsoft's WINS > replication, and this se

Re: [Full-Disclosure] TCP Port 42 port scans? What the heck over...

2004-12-16 Thread wastedimage
can anyone provide me with a traffic sample of this? I would really like to see if this is the actual exploit or just a script kiddy trying his little heart out. image On Mon, 13 Dec 2004 21:53:41 +0100, Florian Weimer <[EMAIL PROTECTED]> wrote: > * James Lay: > > > Here they be. ODD. Anyone

Re: [Full-Disclosure] TCP Port 42 port scans? What the heck over...

2004-12-16 Thread Niek
On 12/13/2004 9:53 PM +0200, Florian Weimer wrote: Probably yes. 8-) 42/TCP is used by Microsoft's WINS replication, and this service has got a security hole for which Microsoft has yet to release a patch. http://www.microsoft.com/technet/security/bulletin/MS04-045.mspx Regards, Niek

Re: [Full-Disclosure] TCP Port 42 port scans? What the heck over...

2004-12-15 Thread Kevin Finisterre
There's a patch out today... Microsoft Security Bulletin MS04-045: Vulnerability in WINS Could Allow Remote Code Execution (870763) Bulletin URL: Version Number: 1.0 Issued Date: Tuesday, December 14, 2004 Impact of Vulnerability: Re

Re: [Full-Disclosure] TCP Port 42 port scans? What the heck over...

2004-12-15 Thread Maxime Ducharme
ste en sécurité réseau - Original Message - From: "James Lay" <[EMAIL PROTECTED]> To: "Full-Disclosure (E-mail)" <[EMAIL PROTECTED]> Sent: Monday, December 13, 2004 8:46 AM Subject: [Full-Disclosure] TCP Port 42 port scans? What the heck over... > Here t

RE: [Full-Disclosure] TCP Port 42 port scans? What the heck over...

2004-12-14 Thread Michael Scheidell
hmm well, pdx.edu has a computer scanning the world, hit hundreds of other hosts http://www.mynetwatchman.com/LID.asp?ip=131.252.116.141 http://www.dshield.org/ipinfo.php?ip=131.252.116.141 maybe you call them and ask? ___ Full-Disclosure - We beli

RE: [Full-Disclosure] TCP Port 42 port scans? What the heck over ...

2004-12-14 Thread Stuart Fox (DSL AK)
Full-Disclosure (E-mail) > Subject: [Full-Disclosure] TCP Port 42 port scans? What the > heck over... > > Here they be. ODD. Anyone else seeing this? > > Dec 13 06:41:49 gateway kernel: Web netrecall drops:IN=br0 OUT=br0 > PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10

Re: [Full-Disclosure] TCP Port 42 port scans? What the heck over...

2004-12-14 Thread Florian Weimer
* James Lay: > Here they be. ODD. Anyone else seeing this? Probably yes. 8-) 42/TCP is used by Microsoft's WINS replication, and this service has got a security hole for which Microsoft has yet to release a patch.

RE: [Full-Disclosure] TCP Port 42 port scans? What the heck over...

2004-12-14 Thread Dave Killion
TECTED] > [mailto:[EMAIL PROTECTED] On Behalf > Of James Lay > Sent: Monday, December 13, 2004 5:47 AM > To: Full-Disclosure (E-mail) > Subject: [Full-Disclosure] TCP Port 42 port scans? What the > heck over... > > Here they be. ODD. Anyone else seeing this? > >

Re: [Full-Disclosure] TCP Port 42 port scans? What the heck over...

2004-12-14 Thread Owned You
On Mon, 13 Dec 2004 06:46:38 -0700, James Lay <[EMAIL PROTECTED]> wrote: > Here they be. ODD. http://support.microsoft.com/kb/890710 yay google.

Re: [Full-Disclosure] TCP Port 42 port scans? What the heck over...

2004-12-14 Thread Matt Ostiguy
http://isc.sans.org/port_details.php?port=42&repax=1&tarax=2&srcax=2&percent=N&days=70&Redraw= Shows a fairly large spike over the weekend. 42 is used for WINS (MS's netbios name server) replication, and recently the Immunitysec folks found an exploitable bug in the WINS service. Still, given how

Re: [Full-Disclosure] TCP Port 42 port scans? What the heck over...

2004-12-14 Thread Maxime Ducharme
riginal Message - From: "James Lay" <[EMAIL PROTECTED]> To: "Full-Disclosure (E-mail)" <[EMAIL PROTECTED]> Sent: Monday, December 13, 2004 8:46 AM Subject: [Full-Disclosure] TCP Port 42 port scans? What the heck over... > Here they be. ODD. Anyone else se

RE: [Full-Disclosure] TCP Port 42 port scans? What the heck over...

2004-12-14 Thread Dolan, Patrick
: Full-Disclosure (E-mail) Subject: [Full-Disclosure] TCP Port 42 port scans? What the heck over... Here they be. ODD. Anyone else seeing this?
Dec 13 06:41:49 gateway kernel: Web netrecall drops:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.19.1 LEN=40 TOS=0x00 PREC=0x00 TTL

Re: [Full-Disclosure] TCP Port 42 port scans? What the heck over...

2004-12-13 Thread Dave Aitel
Port 42 is WINS.EXE - there are at least 3 exploits circulating for it that I know of... For more information, check the advisory on our website which has detailed technical information. Currently, the only real solution is to disable the service. (www.immunitysec.com) thanks, Dave Aitel Immuni

Re: [Full-Disclosure] TCP Port 42 port scans? What the heck over...

2004-12-13 Thread Daniel F. Chief Security Engineer -
Port 42 is the WINS port, and if I'm not mistaken last week or the week before that an exploit was released for it; that's probably your culprit for the increased port 42 traffic levels. http://support.microsoft.com/default.aspx/kb/890710 On Monday 13 December 2004 07:46, James Lay wrote: > Her

Re: [Full-Disclosure] TCP Port 42 port scans? What the heck over...

2004-12-13 Thread Ron
Port 42 is WINS -- there is a new exploit for WINS in the wild, so I would imagine people are scanning for it. James Lay wrote: Here they be. ODD. Anyone else seeing this?
Dec 13 06:41:49 gateway kernel: Web netrecall drops:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.19

[Full-Disclosure] TCP Port 42 port scans? What the heck over...

2004-12-13 Thread James Lay
Here they be. ODD. Anyone else seeing this?
Dec 13 06:41:49 gateway kernel: Web netrecall drops:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.19.1 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 13 06:41:49 gat