----- Original Message -----
> From: "Woodrow Conover" <woody_at_acornnmr.com>
> To: <ammrl_at_chemnmr.colorado.edu>
> Sent: Saturday, March 16, 2002 11:31 AM
> Subject: RE: Windows and port scans
> Michael Strain wrote:
> > Don't assume that the only security threats to Windows are from e-mail
> > viruses and worms. Back-Orifice being a famous example.
> >
> > While it is true that UNIX systems on the net will log
> > numerous scans everyday, it is also true that Windows systems
> > are also scanned...you are just less likely to actually
> > detect the scans... and the ensuant compromises.
>
> Very true. If you install ZoneAlarm on a windows computer, it detects
> and shows you all port scans. There are just as many port scans of a
> Windows box as a Linux box.
>
> ZoneAlarm would be a good thing to put on any Windows machine
> connected to the internet. It does a good job of keeping the
> port scanning script kiddies out of a Windows box. ZoneAlarm
> will not stop email viruses.
>
Yes, Michael and Woody are quite right. The scanners usually hit a
whole address range and therefore the Wintel boxes as well. We use
something called Black Ice Defender, which I think is very similar to
Zone Alarm and functions like TCP wrappers on a UNIX/LINUX box.
Here are some sample log entries from my WIN 2000 machine:
Time, Event, Intruder, Count
18/03/2002 01:56:40 AM, FTP port probe, ABoulogne-110-1-2-78.abo.wanadoo.fr, 2
17/03/2002 08:52:42 PM, HTTP port probe, PASTOR, 3
16/03/2002 07:42:24 PM, SMTP port probe, CTPP-p-144-134-37-224.prem.tmns.net.au, 1
Note that my friends at wanadoo.fr are still at it...
The program even digs up as much information as possible about the intruder:
IP: 63.209.85.76
Node: PASTOR
Group: UPA
NetBIOS: PASTOR
MAC: 005345000000
DNS: dialup-63.209.85.76.Dial1.LosAngeles1.Level3.net
What the scanners are usually looking for are known openings - usually
buffer overflow vulnerabilities - in the daemons that are generally installed
as default on UNIX systems (e.g. ftpd, telnetd, httpd, smtpd, etc.). The problem
we have run into is that the owners of these systems often don't even know that
these services are running. These services are less often installed on Windows
systems (and certainly not as default) and this therefore USUALLY makes them
less of a security problem. UNIX is designed as a fully multi-tasking, multi-user
OS with remote access and sysadmin built right in, and this is what makes it
so powerful - and such a tempting target.
Back Orifice actually required software to be installed on the target machine
in order to allow the remote access, usually arriving as a Trojan horse with
other software. It could not, by itself, be installed by a remote attacker.
Cheers
-Kirk
Kirk Marat, Ph. D.
Dept. of Chemistry
University of Manitoba
Winnipeg, MB, R3T 2N2, CANADA
ph. (204) 474-6259 FAX: (204) 474-7608
kirk_marat_at_umanitoba.ca
Received on Mon Mar 18 2002 - 16:19:55 MST
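As an added example (not part of Kirk's post and not code from the BlackICE or ZoneAlarm products), here is a small Python script that parses log lines in the four-column "Time, Event, Intruder, Count" layout shown in the post and summarises them the way a defender would want: total probes per source host, sources that come back on more than one day (the "still at it" case), and which local service ports the probes were aimed at, so the owner can confirm nothing is actually listening there. The sample log is constructed from the entries in the post plus one extra line; the event-to-port mapping uses the standard service ports, which the post itself does not state.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample, modelled on the four-column log lines in the post
# (with one extra wanadoo.fr entry added to show a repeat source).
SAMPLE_LOG = """\
Time, Event, Intruder, Count
18/03/2002 01:56:40 AM, FTP port probe, ABoulogne-110-1-2-78.abo.wanadoo.fr, 2
17/03/2002 08:52:42 PM, HTTP port probe, PASTOR, 3
16/03/2002 07:42:24 PM, SMTP port probe, CTPP-p-144-134-37-224.prem.tmns.net.au, 1
15/03/2002 11:10:05 PM, FTP port probe, ABoulogne-110-1-2-78.abo.wanadoo.fr, 2
"""

# Standard service ports for the probe types in the log (assumed mapping,
# not taken from the post; the product's own event names may differ).
EVENT_PORTS = {"FTP port probe": 21, "SMTP port probe": 25, "HTTP port probe": 80}

# Timestamps in the log are day/month/year with a 12-hour clock and AM/PM.
TIME_FORMAT = "%d/%m/%Y %I:%M:%S %p"


def parse_log(text):
    """Parse the log into a list of dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines()[1:]:  # first line is the column header
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            continue
        when, event, intruder, count = parts
        try:
            ts = datetime.strptime(when, TIME_FORMAT)
            n = int(count)
        except ValueError:
            continue  # unparseable time or count: ignore the line
        records.append({
            "time": ts,
            "event": event,
            "intruder": intruder,
            "count": n,
            "port": EVENT_PORTS.get(event),  # None for event types we don't know
        })
    return records


def probes_by_source(records):
    """Total probe count per source host, most active first."""
    totals = Counter()
    for r in records:
        totals[r["intruder"]] += r["count"]
    return totals.most_common()


def repeat_sources(records, min_days=2):
    """Hosts seen on at least `min_days` distinct days (the ones that keep coming back)."""
    days_seen = defaultdict(set)
    for r in records:
        days_seen[r["intruder"]].add(r["time"].date())
    return sorted(h for h, d in days_seen.items() if len(d) >= min_days)


def ports_to_verify(records):
    """Sorted set of local ports that were probed; check none of them is unexpectedly open."""
    return sorted({r["port"] for r in records if r["port"] is not None})


def domain_of(host):
    """Registrable-looking suffix of a hostname (last two labels), or the bare name if it has none."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("Probes per source:")
    for host, total in probes_by_source(recs):
        print(f"  {total:3d}  {host}  ({domain_of(host)})")
    print("Repeat sources:", repeat_sources(recs))
    print("Local ports worth checking:", ports_to_verify(recs))
```

The script deliberately skips lines it cannot parse rather than failing on them, since exported firewall logs often contain wrapped or truncated entries like the ones in the post; `domain_of` is only a convenience for grouping dial-up hostnames by provider and makes no claim about who controls the address.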