Port Scan 12/31/2003
192.168.1.1 GWRouter
23 Telnet
80 WWW
192.168.1.4    [Unknown]
139 NETBIOS
192.168.1.6 USER04
135 DCE
139 NETBIOS
192.168.1.7    [Unknown]
139 NETBIOS
192.168.1.9    [Unknown]
139 NETBIOS
192.168.1.13    [Unknown]
139 NETBIOS
192.168.1.14    [Unknown]
135 DCE
139 NETBIOS
192.168.1.15    [Unknown]
80[1] World Wide Web HTTP
  HTTP/1.1 200 OK..Date: Thu, 13 May 2004 18:53:02 GMT..Server: Apache/1.3.26 (Unix)..Last-Modified: Sat, 27 Apr 2002 00:00:44 GM
515 spooler
9100 HP JetDirect Printer Server
192.168.1.16    [Unknown]
139 NETBIOS
192.168.1.17    [Unknown]
135 DCE
139 NETBIOS
1027 ICQ?
192.168.1.18 USER03
135 DCE
139 NETBIOS
445 Microsoft-DS
192.168.1.20 SERVER02
53 DNS
88 Kerberos
139 NETBIOS
389 LDAP
445 Microsoft-DS
464 kpasswd
636 ssl-ldap
9993[2] Palace
  220  Welcome to Bot FTP service...
192.168.1.21 USER12
135 DCE
139 NETBIOS
445 Microsoft-DS
1025 network blackjack
192.168.1.26 USER01
113[3] Authentication
  5625, 6667 : USERID : UNIX : dR-[05915]..
135 DCE
139 NETBIOS
445 Microsoft-DS
192.168.1.27 USER07
135 DCE
139 NETBIOS
445 Microsoft-DS
1025 network blackjack
5000 ?
192.168.1.30    [Unknown]
135 DCE
139 NETBIOS
1027 ICQ?
192.168.1.31 USER08
113 Authentication
  2641, 113 : USERID : UNIX : kupfwmhrpr..........................
139 NETBIOS
192.168.1.32 USER10
135 DCE
139 NETBIOS
445 Microsoft-DS
1027 ICQ?
192.168.1.210 AURIGA (Test system)
135 DCE
139 NETBIOS
445 Microsoft-DS

[1]
PFB:
This is a potential problem if the Telnet and web access ports are not properly secured. In this case the attack took place via the Telnet port since there was no password security.
[2]
PFB:
This is another potential problem: an unsecured printer.
[3]
PFB:
This is where the problem started after the router was compromised. This port is transferring files from USER01 and USER08 to and from the internet using the Server20 as transfer agent.
[4]
PFB:
This system and Workstation31 had a hoho/ directory containing hundreds of virus and programming files used for testing of worms.