Educause Security Discussion mailing list archives
Re: Worm activity/port 445
From: James Riden <j.riden () MASSEY AC NZ>
Date: Tue, 8 Feb 2005 10:51:16 +1300
"Yantis, Jonathan Lindsey" <YantisJ () COFC EDU> writes:
> This is agobot or one of the many many botnet variants. They use practically every exploit out there to spread and there are tons of different versions. Watching IRC is the easiest way to catch them. We discovered them on our network due to them launching DDoS attacks from our network commanded by an IRC channel.
>
> The two tools I use for finding these bots are these commands on linux sniffing internet traffic:
>
> tcpdump -n -i eth1 tcp port 6667 or tcp port 6668 or tcp port 6669 or port 7000
>
> ngrep -q -d eth1 "JOIN \#" not tcp port 80 and not tcp port 25 and not udp
snort with the 'bleeding' ruleset is also useful.

PS: because of the sheer number of different versions, AV will not always catch nor be able to clean the boxes, although our AV vendor quickly updated their sigs when sent a sample. This is probably the easiest way to fix machines if you have more than a few compromised.

cheers,
 Jamie

--
James Riden / j.riden () massey ac nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
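The two sniffer filters quoted above can be expressed as a small offline triage script, added here as an illustration and not part of either poster's message: it replays the tcpdump port filter and the ngrep "JOIN #" filter over constructed flow records and lists the internal hosts that trip either one. The flow tuples, host addresses and the `suspect_hosts` function are assumptions made for the example; the script only looks at the destination port, whereas tcpdump's `port` matches either end.

```python
import re
from collections import defaultdict

# Ports watched by the quoted tcpdump filter: the standard IRC ports plus 7000.
IRC_PORTS = {6667, 6668, 6669, 7000}
# Ports the quoted ngrep filter excludes, since web and mail payloads cause false hits.
EXCLUDED_TCP_PORTS = {80, 25}
JOIN_RE = re.compile(r"\bJOIN #")

# Constructed sample flows (not real captures): (src, dst, proto, dport, payload).
SAMPLE_FLOWS = [
    ("10.1.2.3", "192.0.2.10", "tcp", 6667, "NICK bot1\r\nJOIN #cmd"),    # IRC on a standard port
    ("10.1.2.4", "192.0.2.11", "tcp", 31337, "JOIN #botnet :key"),        # IRC on an odd port
    ("10.1.2.5", "192.0.2.12", "tcp", 80, "GET /JOIN #anchor HTTP/1.1"),  # excluded: tcp port 80
    ("10.1.2.6", "192.0.2.13", "udp", 53, "JOIN #nope"),                  # excluded: udp
    ("10.1.2.7", "192.0.2.14", "tcp", 443, "TLS handshake bytes"),         # benign
]


def matches_tcpdump_filter(flow):
    """tcp port 6667 or tcp port 6668 or tcp port 6669 or port 7000 (dport only here)."""
    _src, _dst, proto, dport, _payload = flow
    if dport == 7000:
        return True  # the filter says 'port 7000' without 'tcp', so any protocol matches
    return proto == "tcp" and dport in IRC_PORTS


def matches_ngrep_filter(flow):
    """ngrep "JOIN \\#" not tcp port 80 and not tcp port 25 and not udp."""
    _src, _dst, proto, dport, payload = flow
    if proto == "udp" or (proto == "tcp" and dport in EXCLUDED_TCP_PORTS):
        return False
    return JOIN_RE.search(payload) is not None


def suspect_hosts(flows):
    """Return {internal host: [reasons]} for hosts that trip either heuristic."""
    hits = defaultdict(list)
    for flow in flows:
        src, dport = flow[0], flow[3]
        if matches_tcpdump_filter(flow):
            hits[src].append(f"irc-port:{dport}")
        if matches_ngrep_filter(flow):
            hits[src].append(f"join:{dport}")
    return dict(hits)


if __name__ == "__main__":
    for host, reasons in sorted(suspect_hosts(SAMPLE_FLOWS).items()):
        print(host, ", ".join(reasons))
```

The second sample host shows why the ngrep check is worth running alongside the port filter: a bot talking IRC on a non-standard port never matches the tcpdump expression.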