Notes on TaskInfo

http://www.iss.net/security_center/advice/Exploits/Ports
Just click on the Port number to get an explanation of what it does

On the WebServers we only need Port 21 for FTP and especially Port 80 and
maybe 88 for Web sites.

We also use port 8383 for the iMail Server email system.
http://www.iss.net/security_center/advice/Exploits/Ports/8383/default.htm
I made it so that when you type http://CICorp.com/e
the default.htm redirects you to http://CICorp.com:8383
"e" is easier to remember than 8383

A lot of people are using our Ports
42 =nameserv, WINS   Windows Internet Naming System
135 =loc-srv/epmap - Locator Service
http://www.iss.net/security_center/advice/Exploits/Ports/135/
445 = SMB  Server Message Block protocol for sharing files, printers, etc.
http://samba.anu.edu.au/cifs/docs/what-is-smb.html

How can we shut these off?

Some seem to be open needlessly, and have no users
25 =SMTP  (outgoing email is stopped on WS1, only WS4 allows outgoing email)
53  =DNS   (maybe this is necessary for Domain Name System?)
500 = ISAKMP, pluto  (any idea what this is?)


I noticed in Task Info that "Mr. 210.222.122.174" was accessing
67.102.243.47 via Port 80.
http://dnsstuff.com/tools/whois.ch?ip=210.222.122.174

Then I went to our list of IPs.  We have almost all the IPs filled on WS1
from 67.102.243.001 to 199 except for the 67.102.243.41 - 46 range

So, since these IPs are not active, I'll just set a dummy site to them, then
Stop the service.

Some guy from China at 218.65.243.64 seems interested in 67.102.243.42 even
after it was stopped. So maybe he is using the IP for some other purpose.
http://dnsstuff.com/tools/whois.ch?ip=218.65.243.64

So, I am blocking the Web Site attached to 67.102.243.42, but not the IP
itself.

I went to the Properties for the Ethernet card connected to Covad.net, then
Advanced to go to the list of IPs.  I had typed in all of them from 1 to
199.  I deleted 67.102.243.42 and so long China man!

Port 53 is open for all the IPs but no one seems to be using them. Same with
Port 500, and some in the 1000-500 range

I deleted the FTP for 67.102.243.82 (ACTCA.org) since we don't really need
it.  But the guy who already established a connection is still
"ESTABLISHED"   But when he logs out, he won't be able to get back in.  This
guy is 172.207.91.231
http://dnsstuff.com/tools/whois.ch?ip=172.207.91.231
He is an America Online user (maybe Ravi) interested in
http://ACTCA.org

So the ones that hackers seem to be using are Ports 42, 135, 445

Some guy from 70.17.100.141 is using Terminal Services on Port 3389, and
using the Verizon DSL service - Hey that's you David Tocus!
 


Thanks.  This is fun, and educational.  The TaskInfo program is SO useful!

I blasted whoever was scanning us, or downloading via FTP.  Zapped
him right out, then the DU Meter went back to normal.

The FTP site for ACTCA.org was on, so I stopped it from running in IIS
It also had the Anonymous connection checked.  (I missed this one.)

We don't need this as we have an FTP to get to the whole server.
Only certain web site clients have FTP, like SomaDirect and
FairfieldIowaRealEstate.com - who do their own web design.

We really only need Port 21 for limited FTP activity, and Port 80
for our Web Sites.

There seem to be an average of 30 people looking at our web sites
around this time.  I see a lot of people are looking at
67.102.243.83 - http://CameraInstall.com



Someone is using some ports we don't need.  A lot are on Port 42

http://www.esecurityplanet.com/trends/article.php/3454841
"The Research and Education Networking Information Sharing and Analysis
Center (REN-ISAC) at Indiana University has also reported an increase in
port 42 scanning since Dec. 31, with traffic exceeding 5000 packets every 15
minutes on Jan 1"

How can we block out Port 42?

I'll try the Microsoft Windows security update, after our customer finishes
uploading on Port 21 a database to convert.

This is so cool - finally being able to see what's going on with our
Servers?


----- Original Message -----
From: "David" <dt041054@yahoo.com>
To: "Rick Shaddock 2468" <rick@cicorp.com>
Sent: Friday, April 01, 2005 4:56 PM
Subject: I found him


I'm continually discovering amazing new things that
taskinfo can do.

If you run it, there are 3 panes plus the graphs. the
upper-right pane is a window with a bunch of tabs.
click on the "connections" tab.

It shows details of every ip connection, including
protocol, ip and url, and more.

Click on the "local port" column to sort on it.  the
FTP sessions will be at the top.

Of the 7 active FTP sessions, 5 are from france.
They're in a block of addresses owned by
abo.wanadoo.fr.

My French is rusty, but www.wanadoo.fr is a portal
site with weather, shopping links, etc similar to
crystalcity.com.  Like us, they're also an ISP.

The IPs were assigned by the IANA (Internet Assigned
Numbers Authority) in California.

abuse email contact is: abuse@iana.org
abuse phone contact: 1-310-301-5820

But before you pick up the phone, those IPs are
managed by RIPE NCC (Réseaux IP Européens), which
manages all European IP addresses.

They're in Amsterdam, and their abuse email is
abuse@ripe.net

They're the ones who assigned the IP block to
wanadoo.fr.

SO who is actually using these addresses?

The status of those addresses is "unallocated",
defined by IANA as:
the addresses are reserved for future allocation. No
one should be using these addresses now. These
addresses will be assigned for use in the public
Internet in the future.

Note that the source IP in the packets can be spoofed
to an unallocated address to mask the real sender, but
this isn't happening because they're receiving data as
well as sending it.

That's how we know which nodes of wanadoo.fr are being
used, and where they're located.  The hacker is using
five internet connections in the cities of Orleans,
Lyon (2), and Marseilles (2).

Note that if these addresses are hijacked, the
wily hacker could switch to a new unallocated IP
block any time.

SO:

1) Do we know anyone in france?

2) Shall I lock out those IP addresses?

3) Shall I continue with this and find out exactly
what they're uploading?

Science Officer standing by for further instructions,
Commander!

=[ d
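The two messages above do the same audit by hand: Rick lists which ports are open and asks which ones can be shut off, and David sorts TaskInfo's "connections" tab on the local port column to see who is connected to what. The script below is an added example, not code from either message or from TaskInfo; it does that audit over a constructed connection table in the layout of Windows `netstat -an` output (the addresses are from the documentation ranges, not the thread's real IPs), and treats ports 21, 80 and 8383 as the allowlist because those are the ones the notes say the web servers actually need. Everything it flags is a listener outside that allowlist, plus the remote peers per local port.

```python
"""Audit a netstat-style connection table: which local ports are listening,
which of those fall outside the allowlist the notes say the web servers
need (21, 80, 8383), and which remote addresses hold a session on each port.

Added example. SAMPLE_NETSTAT is CONSTRUCTED in the layout of `netstat -an`
on Windows; it is not real captured output, and the addresses come from the
documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Assumption taken from the notes: FTP, HTTP and the iMail web client on 8383
# are the only services the web servers need to expose.
NEEDED_PORTS = {21, 80, 8383}

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:42             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8383           0.0.0.0:0              LISTENING
  TCP    192.0.2.82:21          203.0.113.10:51234     ESTABLISHED
  TCP    192.0.2.83:80          198.51.100.7:40001     ESTABLISHED
  TCP    192.0.2.83:80          198.51.100.8:40002     ESTABLISHED
  TCP    192.0.2.42:445         203.0.113.77:3311      ESTABLISHED
  UDP    0.0.0.0:53             *:*
  UDP    0.0.0.0:500            *:*
"""


@dataclass(frozen=True)
class Conn:
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: Optional[int]   # None for the "*:*" wildcard on UDP lines
    state: str                   # "" for UDP, which has no state column


def _split_endpoint(text):
    """'192.0.2.82:21' -> ('192.0.2.82', 21); '*:*' -> ('*', None)."""
    host, _, port = text.rpartition(":")
    return host, (None if port == "*" else int(port))


def parse_netstat(text):
    """Turn the table into Conn records; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue
        lip, lport = _split_endpoint(fields[1])
        rip, rport = _split_endpoint(fields[2])
        state = fields[3] if len(fields) > 3 else ""
        conns.append(Conn(fields[0], lip, lport, rip, rport, state))
    return conns


def listening(conns):
    """(proto, port) pairs that accept traffic: TCP in LISTENING, or any bound UDP socket."""
    return {(c.proto, c.local_port) for c in conns
            if c.state == "LISTENING" or c.proto == "UDP"}


def unneeded_listeners(conns, needed=NEEDED_PORTS):
    """Listeners outside the allowlist, ordered by port number, the same view
    as sorting TaskInfo's connections on the 'local port' column."""
    return sorted(((p, port) for p, port in listening(conns) if port not in needed),
                  key=lambda pp: pp[1])


def peers_by_local_port(conns):
    """Remote addresses holding an ESTABLISHED TCP session, grouped by local port.
    ESTABLISHED means the three-way handshake completed, so the remote address
    really is reachable; a spoofed source could not have got this far."""
    peers = defaultdict(list)
    for c in conns:
        if c.proto == "TCP" and c.state == "ESTABLISHED":
            peers[c.local_port].append(c.remote_ip)
    return dict(peers)


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    print("Listening outside the allowlist:", unneeded_listeners(conns))
    for port, ips in sorted(peers_by_local_port(conns).items()):
        print(f"port {port}: {', '.join(ips)}")
```

On the constructed table this reports TCP 42, 135, 445 and 3389 plus UDP 53 and 500 as listeners the allowlist does not cover, which matches the ports the thread singles out; with real `netstat -an` output pasted into SAMPLE_NETSTAT the same functions give the list of services to stop or firewall. Sorting on the port rather than the service name is deliberate: it groups every connection to one service together, which is what made the FTP sessions stand out in the thread.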