Servidor fantasma dentro de ethernet

[dbianx]

El caso es que yo mismo me e quedado muy sorprendido ,
el caso es este , Tengo un windows xp y como cortafuegos un kerio bien actualizado ,
aparece una ventana alertandome de que una direccion ip 192.168.1.35 quiere conectar a mis archivos compartidos
(esta ip esta dentro del rango reservado a ip`s privadas) ,
tambien decir que tengo un router de telefonica q
no redirecciona hacia mi etherner ,
en modo multipuesto claro , y aunq si redireccionase siempre serian conexiones con ip`s publicas las que entrasen.
tampoco tengo mas ordenadores conectados en el router osea que tengo una ethernel formada solo por dos ip`s 192.168.1.1
(ip privada del router) y 192.168.1.33 la de mi ordenador , y no ay fisicamente mas ordenadores conectados en red.
AH! no es una red wireless,bueno yo pense al kerio s le a ido la pinza ....
pero mi sorpresa es al hacerle un nmap -sS que me aparece , un xp con un monton de servicios activos , ahora no tengo delante el log
puesto que escrinbo esto desde el trabajo , pero de los que yo considere "interesantes para averiguar algo sobre este servidor fantasma"
ftp , smtp , http , daytime , ldap y bastantes mas aunq solo de momento mire estos
(asta que esta tarde llegue a casa y me ponga a investigar mas) pos bien , al telnetear al daytime me da una hora y fecha iguales salvo en
que esta u minuto adelantada a la hora de mi sistema (lo que me hace descartar que mi pc estuviese usando otra interfaz de red ademas de la que ya le asigne para la ethernet,
cosa por otro lado muy improbable puesto que conozco mi ordenador y previamente hice un ipconfig /all para comprobar todas las interfaces que estaba usando mi makina)el ftp y el smtp funcionan aunq no dan ningun dato relevante
nada mas que cosas por defecto en cualquier servidor de microsoft y el http no devuelve ninguna pagina .........La verdad seguro que os parecera muy raro
o incluso q me lo estoy inventando pero mas asombrado me e quedado yo .... tengo un servidor fantasma dentro de mi ethernet jejejej , no se haber si alguno s le ocurre algo
aunq nada mas que e tenido 15 minutos mientras comia antes de volver al trabajo para investigar esta noche promete guerra ,pero no se me quitaba de la cabeza y e decidido postear aqui ..
para ir adelantando posibles teorias , quizas algun tipo de spoofing o envenenaniemto de dns o arp ? no se estoy confuso , no creen que es para mosquearse ? muchas gracias a todos por su tiempo !!!!
bye

[juanma.m.d]

mmm kiza sea culpa del router? q tenga algun servicio o algo?prueba a apagarlo a ver si sigue (a no ser q no tengas switch)
PD - Me he inventado un poco la respuesta :S

[dbianx]

Gracias por responder apesar de que se escapa de toda logica , al volver a casa me e encontrado con que en esa ip ya no habia nada , lo del router lo descarto principalmente por que al telenetear los ftp y el smtp respondian vamos que habia un servicio de verdad funcionando detras de esa ip (eso fue lo que mas me mosqueo puesto que otras veces ya me habia pasado algo parecido con el router pero en realidad solo tenia el puerto listenning pero ninguna aplicacion funcionandop detars) pero esta vez si , y respondia perfectamente a todos mis peticiones dentro del protocolo (aunq del ftp no puede logearme claro no funcionaba ningun login ni pass), tanto el ftp como el smtp , pena no haber concluido un transaccion entera smtp a alguna direccion mia de correo haber desde que ip salia a mi servidor entrante de correo .. ..... pero todo fue muy repentino bueno como fantasma que vino se fue .... no se que coño habra sido prefiero pensar que algun tipo de fallo "extraño" en alguno de los dispositivos que conforman mi pequeña red , buiinnno gracias tods por su tiempo aunq no posteo mucho soy habitual lector de este foro agurrr .

[NeoGenessis]

Hola que tal,
No estoy seguro de haberte entendido:
- En tu casa tienes una intranet con ips privadas, pero un solo pc 192.168.1.33
- has detectado el ataque de un pc 192.168.1.35
- en el curro el escaneo de esa ip te muestra un monton de servicios

Es eso?
si es eso decirte que:
-Que te ponga una ip de red privada no implica que venga de tu red privada. Ejemplo abre la web www.whatismyip.com y veras tu ip privada.
-si en el curro has hecho el escaneo, no sera un pc del curro con ip privada?

Es decir, yo no creo que sea el mismo pc. De hecho apuesto a que el que te ataco (o intento conectarse, que lo otro esta mu feo sin permiso) era un tio con intranet privada, mientras que en tu curro escaneaste a una maquina con ip privada de la intranet corporativa:
Espero que no te despidan por ello, tu di que ha sido el firewall que para evitar ataques ha atacado primero.

[dbianx]

No hubiese rescatado este post de hace un año sino creeyese q es interesante ..... bien recorde el post que publique hace 1 año casi , por q tengo el mismo caso(ufff debe llavar comprmetido u año aunq podria ser gente difwerente aprovechando el mismo bug).... ya e dado con lo q es .... alguien consiguio abrir una vpn dentro de mi red local , jpasteo los registros de nessus y nmap , para q veais q no es un serviodr residual ni una fallo del router ni anda parecido , bueno aora mismo sigo investigando ya e revisaod los pc q teno dentro con linux y win poara saber si han sido compromedos , ademas tengo la ip publica de esa misma makina zombien q es l q creeo q es dado lo desprotegida q esta ..............lo siguiente que hare sera con le oruter a muerte asta en contrar el bug y si se algo lo pasteo .......... por sia alguien le interesa ......
decir tambien q dspus d atacxarla con diversos exploit entre ellos el dcom cambio de ip y quien sabe q mas j....

Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2005-05-28 15:50 EDT
Interesting ports on 192.168.1.13:
(The 1655 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
7/tcp open echo
9/tcp open discard
13/tcp open daytime
17/tcp open qotd
19/tcp open chargen
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:11:95:B8:CE:0B (Alpha Networks)
Device type: general purpose
Running: Microsoft Windows 2003/.NET
OS details: Microsoft Windows Server 200


pportatil@portatil:/$ nc -vv 192.168.1.13 17
192.168.1.13: inverse host lookup failed: Unknown host
(UNKNOWN) [192.168.1.13] 17 (qotd) open
"La prosperidad hace amistades, y la adversidad las prueba." Autor desconocido
sent 0, rcvd 80
pportatil@portatil:/

Nessus Scan Report
------------------



SUMMARY

- Number of hosts which were alive during the test : 1
- Number of security holes found : 2
- Number of security warnings found : 6
- Number of security notes found : 5



TESTED HOSTS

192.168.1.34 (Security holes found)



DETAILS

+ 192.168.1.34 :
. List of open ports :
o echo (7/tcp) (Security notes found)
o discard (9/tcp) (Security warnings found)
o daytime (13/tcp) (Security notes found)
o qotd (17/tcp) (Security warnings found)
o chargen (19/tcp) (Security notes found)
o loc-srv (135/tcp) (Security hole found)
o netbios-ssn (139/tcp)
o microsoft-ds (445/tcp)
o ntp (123/udp) (Security notes found)
o netbios-ns (137/udp) (Security warnings found)
o general/tcp (Security warnings found)
o snmp (161/udp) (Security hole found)
o chargen (19/udp) (Security warnings found)
o qotd (17/udp) (Security warnings found)

. Information found on port echo (7/tcp)


An echo server is running on this port

. Warning found on port discard (9/tcp)



The remote host is running a 'discard' service. This service
typically sets up a listening socket and will ignore all the
data which it receives.

This service is unused these days, so it is advised that you
disable it.


Solution :

- Under Unix systems, comment out the 'discard' line in /etc/inetd.conf
and restart the inetd process

- Under Windows systems, set the following registry key to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Par ameters\EnableTcpDiscard

Then launch cmd.exe and type :

net stop simptcp
net start simptcp

To restart the service.


Risk factor : Low
CVE : CAN-1999-0636

. Information found on port daytime (13/tcp)


An unknown server is running on this port.
If you know what it is, please send this banner to the Nessus team:
00: 32 31 3a 33 31 3a 30 37 20 32 37 2f 30 35 2f 32 21:31:07 27/05/2
10: 30 30 35 0a 005.






. Warning found on port qotd (17/tcp)



The quote service (qotd) is running on this host.

A server listens for TCP connections on TCP port 17. Once a connection
is established a short message is sent out the connection (and any
data received is thrown away). The service closes the connection
after sending the quote.

Another quote of the day service is defined as a datagram based
application on UDP. A server listens for UDP datagrams on UDP port 17.
When a datagram is received, an answering datagram is sent containing
a quote (the data in the received datagram is ignored).


An easy attack is 'pingpong' which IP spoofs a packet between two machines
running qotd. This will cause them to spew characters at each other,
slowing the machines down and saturating the network.



Solution :

- Under Unix systems, comment out the 'qotd' line in /etc/inetd.conf
and restart the inetd process

- Under Windows systems, set the following registry keys to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Par ameters\EnableTcpQotd
HKLM\System\CurrentControlSet\Services\SimpTCP\Par ameters\EnableUdpQotd

Then launch cmd.exe and type :

net stop simptcp
net start simptcp

To restart the service.

Risk factor : Low
CVE : CVE-1999-0103

. Information found on port qotd (17/tcp)


An unknown server is running on this port.
If you know what it is, please send this banner to the Nessus team:
00: 22 4c 61 20 65 78 70 65 72 69 65 6e 63 69 61 20 "La experiencia
10: 65 73 20 61 6c 67 6f 20 71 75 65 20 73 65 20 63 es algo que se c
20: 6f 6e 73 69 67 75 65 20 63 75 61 6e 64 6f 20 79 onsigue cuando y
30: 61 20 6e 6f 20 73 65 20 6e 65 63 65 73 69 74 61 a no se necesita
40: 2e 22 20 41 75 74 6f 72 20 64 65 73 63 6f 6e 6f ." Autor descono
50: 63 69 64 6f 0d 0a cido..




. Information found on port chargen (19/tcp)


Chargen is running on this port

. Vulnerability found on port loc-srv (135/tcp) :



The remote host is running a version of Windows which has a flaw in
its RPC interface which may allow an attacker to execute arbitrary code
and gain SYSTEM privileges. There is at least one Worm which is
currently exploiting this vulnerability. Namely, the MsBlaster worm.

Solution: see
http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
Risk factor : High
CVE : CAN-2003-0352
BID : 8205
Other references : IAVA:2003-A-0011

. Information found on port ntp (123/udp)



A NTP (Network Time Protocol) server is listening on this port.

Risk factor : Low

. Warning found on port netbios-ns (137/udp)


The following 6 NetBIOS names have been gathered :
2XPIII = This is the computer name registered for workstation
services by a WINS client.
LOCAL = Workgroup / Domain name
2XPIII = Computer name
LOCAL = Workgroup / Domain name (part of the Browser elections)
LOCAL
__MSBROWSE__
The remote host has the following MAC address on its adapter :
00:11:95:b8:ce:0b

If you do not want to allow everyone to find the NetBios name
of your computer, you should filter incoming traffic to this port.

Risk factor : Medium
CVE : CAN-1999-0621

. Warning found on port general/tcp



The remote host uses non-random IP IDs, that is, it is
possible to predict the next value of the ip_id field of
the ip packets sent by this host.

An attacker may use this feature to determine traffic patterns
within your network. A few examples (not at all exhaustive) are:

1. A remote attacker can determine if the remote host sent a packet
in reply to another request. Specifically, an attacker can use your
server as an unwilling participant in a blind portscan of another
network.

2. A remote attacker can roughly determine server requests at certain
times of the day. For instance, if the server is sending much more
traffic after business hours, the server may be a reverse proxy or
other remote access device. An attacker can use this information to
concentrate his/her efforts on the more critical machines.

3. A remote attacker can roughly estimate the number of requests that
a web server processes over a period of time.


Solution : Contact your vendor for a patch
Risk factor : Low

. Vulnerability found on port snmp (161/udp) :



SNMP Agent responded as expected with community name: public
CVE : CAN-1999-0517, CAN-1999-0186, CAN-1999-0254, CAN-1999-0516
BID : 11237, 10576, 177, 2112, 6825, 7081, 7212, 7317, 9681
Other references : IAVA:2001-B-0001

. Warning found on port chargen (19/udp)



The remote host is running a 'chargen' service.

When contacted, chargen responds with some random characters (something
like all the characters in the alphabet in a row). When contacted via UDP,
it
will respond with a single UDP packet. When contacted via TCP, it will
continue spewing characters until the client closes the connection.

The purpose of this service was to mostly to test the TCP/IP protocol
by itself, to make sure that all the packets were arriving at their
destination unaltered. It is unused these days, so it is suggested
you disable it, as an attacker may use it to set up an attack against
this host, or against a third party host using this host as a relay.

An easy attack is 'ping-pong' in which an attacker spoofs a packet between
two machines running chargen. This will cause them to spew characters at
each other, slowing the machines down and saturating the network.

Solution :

- Under Unix systems, comment out the 'chargen' line in /etc/inetd.conf
and restart the inetd process

- Under Windows systems, set the following registry keys to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Par ameters\EnableTcpChargen
HKLM\System\CurrentControlSet\Services\SimpTCP\Par ameters\EnableUdpChargen

Then launch cmd.exe and type :

net stop simptcp
net start simptcp

To restart the service.


Risk factor : Low
CVE : CVE-1999-0103

. Warning found on port qotd (17/udp)



The quote service (qotd) is running on this host.

A server listens for TCP connections on TCP port 17. Once a connection
is established a short message is sent out the connection (and any
data received is thrown away). The service closes the connection
after sending the quote.

Another quote of the day service is defined as a datagram based
application on UDP. A server listens for UDP datagrams on UDP port 17.
When a datagram is received, an answering datagram is sent containing
a quote (the data in the received datagram is ignored).


An easy attack is 'pingpong' which IP spoofs a packet between two machines
running qotd. This will cause them to spew characters at each other,
slowing the machines down and saturating the network.



Solution :

- Under Unix systems, comment out the 'qotd' line in /etc/inetd.conf
and restart the inetd process

- Under Windows systems, set the following registry keys to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Par ameters\EnableTcpQotd
HKLM\System\CurrentControlSet\Services\SimpTCP\Par ameters\EnableUdpQotd

Then launch cmd.exe and type :

net stop simptcp
net start simptcp

To restart the service.

Risk factor : Low
CVE : CVE-1999-0103




------------------------------------------------------
This file was generated by the Nessus Security Scanner