Educause Security Discussion mailing list archives
Re: Am I the only one?
From: Jason Richardson <a00jer1 () WPO CSO NIU EDU>
Date: Wed, 14 Apr 2004 19:02:24 -0500
We have had good luck NMAP scanning for machines listening on port 2745. In every case (a few dozen at this point) the machine has ended up being infected with some variant of Phatbot/Polybot/Agobot and/or the Bagle worm.

---
Jason Richardson, J.D., CISSP, CISM, CNE5
Manager, IT Security and Client Development
Enterprise Systems Support
Northern Illinois University
Voice: 815-753-1678
Fax: 815-753-2555
jasrich () niu edu
wilsodm () AUBURN EDU 4/14/2004 5:03:31 PM >>>
I was asked earlier: When you say scan high ports, where do you start?

I usually use nmap and scan all 65535 ports. Typically the worm/trojan program runs on ports 10000 and above. As far as detection, we have a sniffer box on our border and some on our core networks. To locate infected machines we sniff for dst port 135, 445, 1025, 2745, 3127 and 6129. After an infection is found, we nmap scan. We don't scan for patch levels or AV updates. Like I mentioned, these latest worm variants kill AV upon infection.

3 things I suggest:

1. Check for blank/weak admin password and change.
2. Download fport from Foundstone (do a Google) and run on infected machine. Fport is like the Linux netstat. When executed, it will list all running programs and the port and program associated with each port.
3. When you find the malware, SEND IT TO YOUR AV VENDOR. In the past week we have sent 3 variants to McAfee and each time McAfee has developed new sigs for the variant. Once found, kill the process and try to clean system in SAFE mode. Of course you can also delete. We have always found the botware in \winnt\system32 folder and it seems to always be 190-196 KB.
4. Clean/AV scan the machine in SAFE mode. Otherwise, the malware will kill AV and AV will not run.

These are very nasty. An IRC channel is opened and remote commands are issued to the infected machines. It also steals keys for some games.

Mark Wilson
GCIA, CISSP #53153
Network Security Specialist
Auburn University
(334) 844-9347
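The full-range nmap scan Mark describes produces a lot of output across a campus range, and the hosts that matter are the ones with a known backdoor port or an unexplained listener above 10000. The following is an added example, not code from any list member: it parses nmap's greppable (-oG) output and applies exactly those two rules. The backdoor port table (2745, 3127, 6129 with the names the thread gives them) and the sample scan are constructed from the thread, not vendor-verified indicators; 135/445/1025 are deliberately not used as evidence, since they are open on every Windows host.

```python
"""Triage nmap greppable (-oG) output for hosts that look bot-infected.

Added example, not from the list posts. Reads the greppable output of a
full-range scan (nmap -p- -oG) and flags a host when it has a known backdoor
port open or an open TCP port at or above 10000, the range the post says the
trojan usually listens in. The port table and the sample scan are assumptions
built from the thread.
"""

# Ports the thread ties to a specific backdoor or remote-control service.
# 135/445/1025 are left out: they are normal on a Windows host and are
# spread vectors rather than evidence of infection on their own.
BACKDOOR_PORTS = {
    2745: "Bagle/Beagle backdoor",
    3127: "MyDoom backdoor",
    6129: "DameWare remote control",
}
HIGH_PORT_FLOOR = 10000  # "ports 10000 and above", per the post

# Constructed -oG sample; the IPs and services are invented.
SAMPLE_NMAP_OG = """\
# Nmap 3.50 scan initiated Wed Apr 14 2004 as: nmap -p- -oG - 10.0.0.0/29
Host: 10.0.0.1 ()\tStatus: Up
Host: 10.0.0.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (65533)
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 2745/open/tcp//urbisnet///, 31337/open/tcp//Elite///\tIgnored State: closed (65530)
Host: 10.0.0.6 ()\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (65533)
Host: 10.0.0.7 ()\tPorts: 3127/filtered/tcp//ctx-bridge///\tIgnored State: closed (65534)
# Nmap run completed at Wed Apr 14 2004 -- 8 IP addresses (4 hosts up)
"""


def parse_greppable(text):
    """Return {host: [(port, state, proto, service), ...]} from -oG text.

    Each Ports: entry has the form port/state/proto/owner/service/rpcinfo/version/.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]
        entries = hosts.setdefault(host, [])
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 5 or not parts[0].isdigit():
                    continue
                entries.append((int(parts[0]), parts[1], parts[2], parts[4]))
    return hosts


def triage(hosts):
    """Return {host: [reason, ...]} for hosts worth pulling off the network."""
    findings = {}
    for host, entries in hosts.items():
        reasons = []
        for port, state, proto, service in entries:
            if state != "open" or proto != "tcp":
                continue
            if port in BACKDOOR_PORTS:
                reasons.append(f"{port}/tcp open: {BACKDOOR_PORTS[port]}")
            elif port >= HIGH_PORT_FLOOR:
                reasons.append(
                    f"{port}/tcp open: unexpected high port ({service or 'unknown'})"
                )
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in sorted(triage(parse_greppable(SAMPLE_NMAP_OG)).items()):
        print(host)
        for reason in reasons:
            print("  ", reason)
```

On the constructed sample only 10.0.0.5 is reported (2745 open plus an open 31337); 10.0.0.6 shows only the normal Windows ports and 10.0.0.7 has 3127 filtered rather than open, so neither is flagged. Because the bot's port changes per infection, the high-port rule is the one that catches it; the fixed-port rule is there for the Bagle/MyDoom backdoors the scan pattern in this thread is probing for.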
SANDY () BUMAIL BRADLEY EDU 4/14/2004 11:37:30 AM >>>
Hi there - we are being hit with this and are being swamped trying to locate instances of the worm. Do you scan machines for Windows and virus updates? If so, what product(s) do you use? This is something we have not seriously considered before; however, this new batch of worms is insidious and users have not noticed ill effects, so they are not reporting it.

Sandra J. Helms
Director of Academic Computing
Bradley University
1501 W. Bradley Avenue
Peoria, IL 61625
309.677.2808
sandy () bradley edu

-----Original Message-----
From: Mark Wilson [mailto:wilsodm () AUBURN EDU]
Sent: Wednesday, April 14, 2004 10:25 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Am I the only one?

We have seen this extensively on our network. It is the Agobot/Gaobot worm/trojan or variant. It also goes by the name Polybot. Nasty little booger. It installs a backdoor and scans for "blank" or weak admin passwords, various MS vulnerabilities, and DameWare (port 6129) weaknesses. It kills most anti-virus processes/programs. Seems to be particularly bad on university networks.

If you do an nmap scan, you will find high ports open. Most times when you telnet into the trojan port (BTW, it changes on each infection), you will get:

220 Bot Server (Win32)

It has remote command and DOS functionality.

Useful Links:
http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=WORM_AGOBOT.HN&VSect=T
http://vil.nai.com/vil/content/v_101100.htm
http://www.lurhq.com/phatbot.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.ul.html

Mark Wilson
GCIA, CISSP #53153
Network Security Specialist
Auburn University
(334) 844-9347
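Two of the detection techniques in this thread can be turned into a short script: Mark's border sniffer watching for traffic to dst ports 135, 445, 1025, 2745, 3127 and 6129 (his earlier post), and the "220 Bot Server (Win32)" greeting he gets when telnetting to the trojan port (quoted above). The following is an added example, not code from any list member. It parses a constructed tcpdump-style trace, scores each source by how many distinct hosts it has probed on the watched ports (one SYN to a file server on 445 is normal; a sweep across many hosts is the worm's scanner), and then offers the banner check. The trace, the threshold of 5 distinct targets, and the helper names are assumptions for illustration.

```python
"""Flag likely Agobot/Phatbot scanners in a sniffer trace and identify the
bot's control port by its greeting.

Added example, not from the list posts. The trace format follows tcpdump's
"HH:MM:SS.usec IP src.sport > dst.dport: S ..." lines; the sample trace and
the scan threshold are constructed for illustration.
"""
import re
import socket
from collections import defaultdict

# Destination ports the thread's border sniffer watches.
WATCHED_DST_PORTS = {135, 445, 1025, 2745, 3127, 6129}
# Distinct targets on watched ports before a source is called a scanner (assumed).
SCAN_THRESHOLD = 5
# Greeting the post reports from the trojan port.
BOT_BANNER_PREFIX = b"220 Bot Server"

SYN_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): S "
)

# Constructed trace: 10.0.0.5 sweeps the watched ports across the subnet,
# 10.0.0.20 retries one file server, 10.0.0.21 browses a web server.
SAMPLE_TRACE = """\
10:25:01.001 IP 10.0.0.5.3401 > 10.0.0.10.135: S 1:1(0) win 64240
10:25:01.002 IP 10.0.0.5.3402 > 10.0.0.11.135: S 1:1(0) win 64240
10:25:01.003 IP 10.0.0.5.3403 > 10.0.0.12.445: S 1:1(0) win 64240
10:25:01.004 IP 10.0.0.5.3404 > 10.0.0.13.2745: S 1:1(0) win 64240
10:25:01.005 IP 10.0.0.5.3405 > 10.0.0.14.3127: S 1:1(0) win 64240
10:25:01.006 IP 10.0.0.5.3406 > 10.0.0.15.6129: S 1:1(0) win 64240
10:25:01.007 IP 10.0.0.5.3407 > 10.0.0.16.1025: S 1:1(0) win 64240
10:25:02.001 IP 10.0.0.20.1200 > 10.0.0.30.445: S 1:1(0) win 64240
10:25:02.002 IP 10.0.0.20.1201 > 10.0.0.30.445: S 1:1(0) win 64240
10:25:03.001 IP 10.0.0.21.1300 > 10.0.0.40.80: S 1:1(0) win 64240
10:25:03.002 IP 10.0.0.10.135 > 10.0.0.5.3401: R 0:0(0) ack 2 win 0
"""


def count_probes(trace):
    """Return {src: {dport: set_of_dst}} for SYNs to the watched ports."""
    probes = defaultdict(lambda: defaultdict(set))
    for line in trace.splitlines():
        m = SYN_RE.match(line)
        if not m:
            continue  # not a SYN, or not an IPv4 TCP line
        dport = int(m["dport"])
        if dport in WATCHED_DST_PORTS:
            probes[m["src"]][dport].add(m["dst"])
    return probes


def flag_scanners(probes, threshold=SCAN_THRESHOLD):
    """Sources that touched at least `threshold` distinct hosts on watched ports."""
    flagged = {}
    for src, by_port in probes.items():
        targets = set().union(*by_port.values())
        if len(targets) >= threshold:
            flagged[src] = {"targets": len(targets), "ports": sorted(by_port)}
    return flagged


def is_bot_banner(banner):
    """True if a greeting matches the "220 Bot Server (Win32)" the post describes."""
    return banner.lstrip().startswith(BOT_BANNER_PREFIX)


def grab_banner(host, port, timeout=3.0):
    """Connect to a suspect port and return its greeting (b"" on silence/refusal)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return s.recv(256)
    except OSError:
        return b""


if __name__ == "__main__":
    for src, info in flag_scanners(count_probes(SAMPLE_TRACE)).items():
        print(f"{src}: {info['targets']} targets on ports {info['ports']}")
```

Once a source is flagged, the follow-up is the one the thread gives: full-range nmap of that host, then `grab_banner(host, port)` against each unexpected high port and `is_bot_banner()` on the result. The threshold is per-source over the whole trace; on a busy sniffer you would window it by time, but the distinction that matters is distinct targets, not packet count, since a legitimate client retrying one server produces many SYNs to one destination.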
jim.pollard () MAIL UTEXAS EDU 4/14/2004 9:50:18 AM >>>
Or did I miss it on Bugtraq?

Recently I've noticed a scan pattern in my logs and wonder if anyone might recognize it as either a known virus or some kiddie scanning tool looking for virus backdoors? There are some variations... occasionally port 80 and 8080 are included.

Service: 1025 (tcp/1025) (net2fw:DROP:,eth1,none) - 2 packets
  (take your pick... either network blackjack or an assortment of viruses and backdoors)
Service: 2745 (tcp/2745) (:net2fw:DROP:,eth1,none) - 2 packets
  (Beagle virus)
Service: 3127 (tcp/3127) (:net2fw:DROP:,eth1,none) - 2 packets
  (MyDoom virus)
Service: 6129 (tcp/6129) (net2fw:DROP:,eth1,none) - 3 packets
  (W32.Mockbot) also Dameware

Thanks!
Jim

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
Current thread:
- Am I the only one? Jim Pollard (Apr 14)
- <Possible follow-ups>
- Re: Am I the only one? Mark Wilson (Apr 14)
- Re: Am I the only one? Dan Jones (Apr 14)
- Re: Am I the only one? Helms, Sandra (Apr 14)
- Re: Am I the only one? Jim Pollard (Apr 14)
- Re: Am I the only one? Are Leif Garn}sjordet (Apr 14)
- Re: Am I the only one? Kathy Bergsma (Apr 14)
- Re: Am I the only one? Mark Wilson (Apr 14)
- Re: Am I the only one? Jason Richardson (Apr 14)