Security Incidents mailing list archives

Re: Help - a possible bot


From: "Jon Nelson" <quincy () linuxnotes net>
Date: Sat, 16 Nov 2002 09:47:00 -0500 (EST)


Moshe Aelion said:
Hi everybody

discovered within about 10 minutes. I then installed ZoneAlarm Pro.

Did you have a firewall before?  Now that you have one you'll see how much
137/udp traffic you get, it's a lot.


inspecting ZA logs, you can see a blocked scan (coming every couple of
minutes, from arbitrary addresses - I bet they're spoofed - and soon
after, the computer responds with a (blocked) attempt to communicate
with that address. This points to an active bot (in my opinion)

I don't see where "...the computer immediately tries to respond".  All the
incoming attempts are NetBIOS 137/udp and the RuLaunch is HTTP (80/tcp)
and not to the same IP.

8  ACCESS,22:01:52,RuLaunch blocked from connecting to Internet
(216.49.88.100:HTTP)

As far as the program being blocked, a Google search for "RuLaunch" shows
that it is McAfee, your antivirus software.  It's probably checking for
updates/registration.

Jon



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
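
Added example, not part of the original message: a small Python check for the comparison made in the reply above, testing whether each blocked outbound attempt goes to a host that had just probed the machine. The CSV layout, the inbound addresses and the function names are assumptions made for illustration (this is not ZoneAlarm's log format); only the RuLaunch time, address and port come from the post.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample in a simplified CSV layout (NOT ZoneAlarm's real format):
# direction,time,proto,remote_ip,remote_port,program
# Inbound addresses are made up; the RuLaunch line reuses the post's values.
SAMPLE = """\
in,21:58:10,udp,192.0.2.14,137,
in,22:00:41,udp,198.51.100.7,137,
out,22:01:52,tcp,216.49.88.100,80,RuLaunch
in,22:03:05,udp,203.0.113.9,137,
"""

def parse(text):
    """Yield one dict per blocked event in the constructed layout."""
    fields = ["direction", "time", "proto", "ip", "port", "program"]
    for row in csv.DictReader(StringIO(text), fieldnames=fields):
        # Time-of-day only, so a log spanning midnight is not handled.
        row["time"] = datetime.strptime(row["time"], "%H:%M:%S")
        row["port"] = int(row["port"])
        yield row

def correlate(events, window=timedelta(minutes=5)):
    """For each outbound attempt, collect inbound probes from the SAME
    remote IP seen up to `window` earlier. An empty list means the
    outbound attempt is not a reply to any logged probe."""
    events = list(events)
    inbound = [e for e in events if e["direction"] == "in"]
    report = []
    for out in (e for e in events if e["direction"] == "out"):
        prior = [i for i in inbound
                 if i["ip"] == out["ip"]
                 and timedelta(0) <= out["time"] - i["time"] <= window]
        report.append((out["program"], out["ip"], out["port"], prior))
    return report

if __name__ == "__main__":
    for program, ip, port, prior in correlate(parse(SAMPLE)):
        verdict = ("follows a probe from that host" if prior
                   else "no matching inbound probe")
        print(f"{program} -> {ip}:{port}: {verdict}")
```
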

