Security Incidents mailing list archives
Re: Help - a possible bot
From: "Jon Nelson" <quincy () linuxnotes net>
Date: Sat, 16 Nov 2002 09:47:00 -0500 (EST)
Moshe Aelion said:
Hi everybody discovered within about 10 minutes. I then installed ZoneAlarm Pro.
Did you have a firewall before? Now that you have one you'll see how much 137/udp traffic you get, it's a lot.
inspecting ZA logs, you can see a blocked scan (coming every couple of minutes, from arbitrary addresses - I bet they're spoofed) and soon after, the computer responds with a (blocked) attempt to communicate with that address. This points to an active bot (in my opinion)
I don't see where "...the computer immediately tries to respond". All the incoming attempts are NetBIOS 137/udp and the RuLaunch is HTTP (80/tcp) and not to the same IP.
8 ACCESS,22:01:52,RuLaunch blocked from connecting to Internet (216.49.88.100:HTTP)
As far as the program being blocked, a Google search for "RuLaunch" shows that it is McAfee, your antivirus software. It's probably checking for updates/registration.

Jon
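
The check Jon applies above (is the blocked outbound attempt actually aimed at an address that just probed the host?) can be done mechanically over a firewall log. This is an added example, not part of the original message: the `FWIN` line layout and the `198.51.100.x`/`203.0.113.x` addresses are constructed for illustration, and only the `ACCESS` line is the one quoted in the thread.

```python
import re
from datetime import datetime, timedelta

# Constructed sample. Inbound lines use a simplified, hypothetical layout
# (FWIN,time,source_ip,port/proto); the ACCESS line is quoted from the thread.
SAMPLE_LOG = """\
FWIN,22:01:10,198.51.100.23,137/udp
FWIN,22:01:40,203.0.113.77,137/udp
8 ACCESS,22:01:52,RuLaunch blocked from connecting to Internet (216.49.88.100:HTTP)
"""

INBOUND = re.compile(r"^FWIN,(\d\d:\d\d:\d\d),([\d.]+),(\d+)/(\w+)$")
OUTBOUND = re.compile(
    r"ACCESS,(\d\d:\d\d:\d\d),(\S+) blocked from connecting to Internet "
    r"\(([\d.]+):(\w+)\)$"
)


def _t(text):
    # Time of day only; a log spanning midnight would need the date as well.
    return datetime.strptime(text, "%H:%M:%S")


def parse(log):
    """Split log text into inbound probes and blocked outbound attempts."""
    inbound, outbound = [], []
    for line in log.splitlines():
        if m := INBOUND.match(line):
            inbound.append({"time": _t(m[1]), "ip": m[2]})
        elif m := OUTBOUND.search(line):
            outbound.append({"time": _t(m[1]), "program": m[2],
                             "ip": m[3], "service": m[4]})
    return inbound, outbound


def correlate(log, window_seconds=60):
    """Per outbound attempt, count inbound probes from the SAME address
    seen in the window before it. Zero means it is not a reply to a probe."""
    inbound, outbound = parse(log)
    window = timedelta(seconds=window_seconds)
    results = []
    for out in outbound:
        hits = [i for i in inbound if i["ip"] == out["ip"]
                and timedelta(0) <= out["time"] - i["time"] <= window]
        results.append((out["program"], out["ip"], out["service"], len(hits)))
    return results


if __name__ == "__main__":
    for row in correlate(SAMPLE_LOG):
        print(row)
```

A count of zero for an outbound entry means no recent inbound probe came from that destination, which is the situation Jon describes for the RuLaunch line.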