Educause Security Discussion mailing list archives

Re: use Nmap to find W32/Bagle.e@MM ?


From: Michael_Maloney <Michael_Maloney () MIDDLESEXCC EDU>
Date: Thu, 4 Mar 2004 08:51:17 -0500

Just curious,

Has anyone else seen false positives looking for Bagle on this port?  So far
I've found a few systems that were shown to have this port open, but all
scans and manual searches came up clean.

 Mike


********************************************
Mike Maloney
Sr. System Engineer
Middlesex County College
2600 Woodbridge Avenue
Edison, NJ 08818
Phone: 732-906-7754
Cell: 908-217-2086
Fax: 732-906-4266
Email: Michael_Maloney () middlesexcc edu
********************************************
-----Original Message-----
From: Scott Weeks [mailto:sweeks () SANDIEGO EDU]
Sent: Wednesday, March 03, 2004 12:05 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] use Nmap to find W32/Bagle.e@MM ?

Hello Everyone,

Is this a sufficient method to find the W32/Bagle.e@MM infected machines?

   [root@localhost root]# nmap -P0 -p 2745 111.222.111.0/24

I see too many of these to believe as many machines as I've found are all
infected.  At least I HOPE so...

   Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
   Interesting ports on  (111.222.111.222):
   Port       State       Service
   2745/tcp   filtered    unknown

They all say "filtered" on this port.  That's what's throwing me off...


The ones I believe may not be infected show this:

   The 1 scanned port on machine.university.edu (111.222.111.221) is:
   closed


Thanks!
scott

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.
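One way to triage the scan results discussed in this thread, as an added example that is not part of the original messages: it parses the nmap 3.00 text format Scott quoted and groups hosts by port state, so that "filtered" (the SYN got no reply, typically dropped by a firewall or host filter) is not read as an infection indicator; only "open" hosts become follow-up work. The sample output, host names and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the nmap 3.00 format quoted in the thread (not real scan data).
SAMPLE_NMAP_OUTPUT = """\
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on  (111.222.111.222):
Port       State       Service
2745/tcp   filtered    unknown

Interesting ports on lab-pc.university.edu (111.222.111.223):
Port       State       Service
2745/tcp   open        unknown

The 1 scanned port on machine.university.edu (111.222.111.221) is: closed
"""

HOST_RE = re.compile(r"^Interesting ports on\s*(\S*)\s*\((\d+\.\d+\.\d+\.\d+)\):")
PORT_RE = re.compile(r"^(\d+)/tcp\s+(open|closed|filtered)\s+")
# nmap prints the single-port summary on one line; the thread's copy was wrapped by e-mail.
SINGLE_RE = re.compile(r"^The 1 scanned port on\s*(\S*)\s*\((\d+\.\d+\.\d+\.\d+)\) is:\s*(\w+)")

# What each nmap state actually tells a defender about TCP/2745.
MEANING = {
    "open": "something is listening; treat as a candidate and confirm with AV or a manual check",
    "filtered": "no reply to the SYN; a firewall or host filter dropped it, not evidence of infection",
    "closed": "host answered with RST; nothing is listening on the port",
}

def parse_nmap(text, port=2745):
    # Return {ip: state} for the requested port from nmap 3.00 text output.
    states = {}
    current_ip = None
    for line in text.splitlines():
        m = SINGLE_RE.match(line)
        if m:
            states[m.group(2)] = m.group(3)
            continue
        m = HOST_RE.match(line)
        if m:
            current_ip = m.group(2)
            continue
        m = PORT_RE.match(line)
        if m and current_ip and int(m.group(1)) == port:
            states[current_ip] = m.group(2)
    return states

def triage(states):
    # Group hosts by state so only the "open" list needs hands-on follow-up.
    groups = defaultdict(list)
    for ip, state in sorted(states.items()):
        groups[state].append(ip)
    return dict(groups)
```

Run `triage(parse_nmap(open("scan.txt").read()))` on a saved `nmap -P0 -p 2745` run and print each group with its `MEANING` entry to see at a glance how many hosts are actually listening versus merely filtered.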
