Educause Security Discussion mailing list archives

Re: use Nmap to find W32/Bagle.e@MM ?


From: Brian Eckman <eckman () UMN EDU>
Date: Wed, 3 Mar 2004 11:15:13 -0600

Scott Weeks wrote:
Hello Everyone,

Is this a sufficient method to find the W32/Bagle.e@MM infected machines?

   [root@localhost root]# nmap -P0 -p 2745 111.222.111.0/24

I'd do -PI. If the host doesn't ping, it probably won't have 2745/tcp
open. But you will very possibly miss a host or two this way. It's a
matter of personal preference.


I see too many of these to believe as many machines as I've found are all
infected.  At least I HOPE so...

   Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
   Interesting ports on  (111.222.111.222):
   Port       State       Service
   2745/tcp   filtered    unknown

They all say "filtered" on this port.  That's what's throwing me off...

The filtered hosts are probably running a software firewall or are IP
addresses not in use. Hosts with the Beagle.c through Beagle.j (or
Bagle.c through Bagle.j depending on your AV company) backdoor will
indeed report that port as "open" and not "filtered" when using Nmap.

Identifying that it is indeed the Beagle backdoor and not something else
may be quite difficult. It is not an open proxy, so pxytest won't help
you. I've found that a telnet to that port followed by a one second
pause then a carriage return will almost always result in the remote
(infected) host closing the telnet session. However, that still doesn't
guarantee that it's Beagle/Bagle. If pressing Enter several times
doesn't terminate the Telnet session, it is almost definitely *not*
Beagle/Bagle.

If someone knows how to determine whether or not it is Beagle/Bagle on
that port, I'd love to hear how (as I'm sure would others on the list).

Thanks,
Brian

--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota


"There are 10 types of people in this world. Those who
understand binary and those who don't."
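The manual check Brian describes (connect to 2745/tcp, pause one second, send a carriage return, see whether the host hangs up) scripted as an added example; this is not code from the post or from the list. The local listener is a constructed stand-in for a suspect host so the probe can be tried offline, and as the post says, a hang-up is only consistent with the Bagle backdoor, not proof of it.

```python
import socket
import threading
import time

BAGLE_PORT = 2745  # backdoor port named in the thread

def probe_backdoor(host, port=BAGLE_PORT, timeout=3.0):
    """Automate the manual telnet check from the post: connect, pause one
    second, send a carriage return and watch whether the peer hangs up.
    Returns 'no-connect' (refused/filtered), 'closed-after-cr' (consistent
    with, but not proof of, the backdoor) or 'still-open' (almost certainly
    not Bagle, per the post)."""
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "no-connect"
    try:
        time.sleep(1.0)
        for _ in range(3):           # press Enter a few times, as in the post
            s.sendall(b"\r\n")
            try:
                data = s.recv(64)
            except socket.timeout:
                continue             # silence is not a hang-up; try again
            if data == b"":          # orderly close by the peer
                return "closed-after-cr"
        return "still-open"
    except OSError:                  # reset/broken pipe while we were writing
        return "closed-after-cr"
    finally:
        s.close()

def start_fake_listener(closes_on_cr):
    """Constructed local stand-in for a suspect host (not the real malware):
    accepts one connection and either hangs up on the first CR or keeps the
    session open, so the probe can be exercised offline. Returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        conn.settimeout(10)
        data = conn.recv(64)
        while data and not (closes_on_cr and b"\r" in data):
            data = conn.recv(64)    # keep reading until peer closes or CR seen
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Run `probe_backdoor(host)` against the "open" hosts from the nmap sweep; "filtered" hosts will come back as `no-connect`.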
