Incident: 03-12-02 tcp:123

What's on tcp:123?

See: http://www.neohapsis.com/neolabs/neo-ports/neo-ports.svcs

NetController   123/tcp         #[trojan] Net Controller
NetController   123/tcp         #[trojan] Net Controller
ntp             123/tcp         #Network Time Protocol
ntp             123/udp         #Network Time Protocol

The obvious is ntp; which I use myself to synchronize system times on four Linux boxes; see: http://www.eecis.udel.edu/~mills/ntp.htm

To quote:

"The Network Time Protocol (NTP) is widely used in the Internet to synchronize computer clocks to national standard time. The NTP architecture, protocol and algorithms have evolved well over two decades to the NTP Version 3 specification and implementations for Unix, VMS and Windows, as well as the NTP Version 4 implementation now being deployed. The architecture and security models provide for operation in point-to-point (unicast) and point-to-multipoint (multicast) modes, and include provisions for secure authentication using both symmetric key and public key cryptography."

and it's exclusively udp, and it's exclusively intermittent conversations between (in my case..) Stratum 2 time servers and a host (in my case, my firewall..) that provides time synch signals for an internal network.

CERT shows no vulnerabilities for ntp: http://www.cert.org/current/current_activity.html


So what about this Net Controller deal?

See: http://www.simovits.com/trojans/tr_data/y1142.html

   Name: Net Controller
Aliases:
  Ports: 123,  6969      (ports can be changed)
  Files: Netcontroller.zip - 614,439 bytes 
         Netcontroller2000.zip - 719,774 bytes 
         Netctrlr.exe - 314,368 bytes
         Netctrlr.exe - 374,272 bytes 
         Netsrvr.exe - 306,688 bytes 
         Netsrvr.exe - 351,232 bytes 
         System.exe - 
         Config.ini - 4,087 bytes 
         Config.ini - 3,633 bytes
 Created: July 1999
Requires:
 Actions: Remote Access / Keylogger / FTP server
          The client is similar to the older versions of NetBus.
Versions: 1.08,  2000, 
Registers: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\windows\CurrentVersion\Run\
    Notes: Works on Windows 95, 98, ME and NT.
  Country: written in Brazil

So here's what I saw, trying to connect to *me*


snort2html.plx

Mar 12 20:04:08 - snort [1:0:0] TCP to 123 ntp 
  Source IP: 211.184.140.152   Source port: 2310 
Source host: 211.184.140.152
  Target IP: 12.82.141.8   Target port: 123   Proto: TCP 
Target host: 8.seattle-15-20rs.wa.dial-access.att.net


snort packet capture:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/12-20:04:08.441571 211.184.140.152:2310 -> 12.82.141.8:123
TCP TTL:42 TOS:0x0 ID:54713 IpLen:20 DgmLen:60 DF
******S* Seq: 0xFE8C9E93  Ack: 0x0  Win: 0x7D78  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 78715899 0 NOP WS: 0 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


TTL decrement from 64 = Linux, OpenBSD, AIX
Win size = 0x7d78 = Linux
TCP options = 5 = MSS, Timestamps, SAckOK, wscale, 1 nop = Linux
SYN packet length = 60 = Linux
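
The four checks above can be run mechanically against the Snort dump. The following is an added example, not part of the original write-up or of Snort: it parses the capture shown on this page and compares it with the Linux indicators listed above. The function names and the table of common initial TTL values are assumptions made for illustration.

```python
import re

# Packet dump copied from the Snort capture on this page.
DUMP = """\
03/12-20:04:08.441571 211.184.140.152:2310 -> 12.82.141.8:123
TCP TTL:42 TOS:0x0 ID:54713 IpLen:20 DgmLen:60 DF
******S* Seq: 0xFE8C9E93  Ack: 0x0  Win: 0x7D78  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 78715899 0 NOP WS: 0
"""

# The four Linux indicators listed in the write-up, expressed as one signature.
LINUX_SYN = {"initial_ttl": 64, "window": 0x7D78, "dgm_len": 60,
             "options": sorted(["MSS", "TS", "SackOK", "WS", "NOP"])}

# Assumption: senders start from one of these common default TTL values.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)


def parse_snort_syn(dump):
    """Pull the passive-fingerprint fields out of a Snort text dump."""
    ttl = int(re.search(r"TTL:(\d+)", dump).group(1))
    flags = re.search(r"^(\S{8}) Seq:", dump, re.M).group(1)
    opt_text = re.search(r"TCP Options \(\d+\) => (.*)", dump).group(1)
    initial = min(t for t in COMMON_INITIAL_TTLS if t >= ttl)
    return {
        "syn_only": "S" in flags and "A" not in flags,
        "ttl": ttl,
        "initial_ttl": initial,          # nearest default at or above observed
        "hops": initial - ttl,           # routers crossed, if the guess holds
        "window": int(re.search(r"Win: (0x[0-9A-Fa-f]+)", dump).group(1), 16),
        "dgm_len": int(re.search(r"DgmLen:(\d+)", dump).group(1)),
        # Option names are the alphabetic tokens; their values are numeric.
        "options": sorted(re.findall(r"[A-Za-z]+", opt_text)),
    }


def compare(fields, signature):
    """Return {indicator: True/False} for each field in the signature."""
    return {key: fields[key] == want for key, want in signature.items()}


if __name__ == "__main__":
    pkt = parse_snort_syn(DUMP)
    print(pkt)
    for indicator, hit in compare(pkt, LINUX_SYN).items():
        print(f"{indicator:12} {'match' if hit else 'differs'}")
```
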

So what are they doing, probing for a Window$ trojan?

What *are* they doing...?

Whois they?

BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman 

Request: 211.184.140.152
connecting to whois.arin.net [192.149.252.22:43] ...
connecting to WHOIS.APNIC.NET [202.12.29.13:43] ... 

% Rights restricted by copyright. See http://www.apnic.net/db/dbcopyright.html
% (whois6.apnic.net) 

inetnum:     211.172.0.0 - 211.199.255.255
netname:     KRNIC-KR
descr:       KRNIC
descr:       Korea Network Information Center
country:     KR
admin-c:     HM127-AP
tech-c:      HM127-AP
remarks:     ******************************************
remarks:     KRNIC is the National Internet Registry
remarks:     in Korea under APNIC. If you would like to
remarks:     find assignment information in detail
remarks:     please refer to the KRNIC Whois DB
remarks:     http://whois.nic.or.kr/english/index.html
remarks:     ******************************************



# ENGLISH 

IP Address         : 211.184.140.128-211.184.140.191
Network Name       : BOSUNG-GMS
Connect ISP Name   : PUBNET
Connect Date       : 20001115
Registration Date  : 20001127 

[ Organization Information ]
Orgnization ID     : ORG148929
Org Name           : BOSUNG GIRL MIDDLE SCHOOL
State              : CHONNAM
Address            : 295-3 USANRI BOSEONGEUB BOSEONGKUN
Zip Code           : 546-800 

[ Admin Contact Information]
Name               : Jungsool Jung
Org Name           : BOSUNG GIRL MIDDLE SCHOOL
State              : CHONNAM
Address            : 295-3 USANRI BOSEONGEUB BOSEONGKUN
Zip Code           : 546-800
Phone              : +82-61-751-0073
Fax                : +82-61-751-0073
E-Mail             : jeonnam3@soback.kornet.net 

[ Technical Contact Information ]
Name               : Jungsool Jung
Org Name           : BOSUNG GIRL MIDDLE SCHOOL
State              : CHONNAM
Address            : 295-3 USANRI BOSEONGEUB BOSEONGKUN
Zip Code           : 546-800
Phone              : +82-61-751-0073
Fax                : +82-61-751-0073
E-Mail             : jeonnam3@soback.kornet.net



jsage@finchhaven.com
Last modified: Sat Mar 16 16:15:43 2002