Educause Security Discussion mailing list archives
Re: use Nmap to find W32/Bagle.e@MM ?
From: Brian Eckman <eckman () UMN EDU>
Date: Wed, 3 Mar 2004 11:15:13 -0600
Scott Weeks wrote:
> Hello Everyone,
>
> Is this a sufficient method to find the W32/Bagle.e@MM infected machines?
>
> [root@localhost root]# nmap -P0 -p 2745 111.222.111.0/24
I'd do -PI. If the host doesn't ping, it probably won't have 2745/tcp open. But you will very possibly miss a host or two this way. It's a matter of personal preference.
> I see too many of these to believe as many machines as I've found are all
> infected. At least I HOPE so...
>
> Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
> Interesting ports on (111.222.111.222):
> Port       State       Service
> 2745/tcp   filtered    unknown
>
> They all say "filtered" on this port. That's what's throwing me off...
The filtered hosts are probably running a software firewall or are IP addresses not in use. Hosts with the Beagle.c through Beagle.j (or Bagle.c through Bagle.j, depending on your AV company) backdoor will indeed report that port as "open" and not "filtered" when using Nmap.

Identifying that it is indeed the Beagle backdoor and not something else may be quite difficult. It is not an open proxy, so pxytest won't help you. I've found that a telnet to that port followed by a one second pause then a carriage return will almost always result in the remote (infected) host closing the telnet session. However, that still doesn't guarantee that it's Beagle/Bagle. If pressing Enter several times doesn't terminate the Telnet session, it is almost definitely *not* Beagle/Bagle.

If someone knows how to determine whether or not it is Beagle/Bagle on that port, I'd love to hear how (as I'm sure would others on the list).

Thanks,
Brian

--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota

"There are 10 types of people in this world. Those who understand binary and those who don't."

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
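Brian's telnet heuristic (connect, pause one second, send a carriage return, see whether the infected host hangs up) and the filtered/closed/open distinction he draws, automated as an added Python example that is not from the thread. `probe_port`, the label constants and the loopback listener (a constructed test double standing in for a Bagle-like host, not the real backdoor) are all assumed names; the listener exists only so the probe can be exercised offline.

```python
import socket
import threading
import time

# Constructed labels for what a probe of the backdoor port observes.
CLOSED_AFTER_CR = "closed-after-cr"   # consistent with the Beagle/Bagle backdoor
STAYED_OPEN = "stayed-open"           # almost definitely not Beagle/Bagle
REFUSED = "refused"                   # port closed; nmap would report "closed"
FILTERED = "filtered"                 # no answer: host firewall or unused address

def probe_port(host, port=2745, pause=1.0, timeout=3.0):
    """Connect, wait `pause` seconds, send a carriage return, and report whether
    the remote side hangs up (Brian's telnet heuristic, automated)."""
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return REFUSED
    except (socket.timeout, OSError):
        return FILTERED
    with s:
        time.sleep(pause)
        try:
            s.sendall(b"\r\n")
            data = s.recv(1)           # b"" means the peer closed the session
        except (ConnectionResetError, BrokenPipeError):
            return CLOSED_AFTER_CR
        except socket.timeout:
            return STAYED_OPEN         # peer neither answered nor hung up
        return CLOSED_AFTER_CR if data == b"" else STAYED_OPEN

def start_simulated_listener(close_on_cr, hold=5.0):
    """Constructed loopback test double: hangs up once it sees the CR
    (backdoor-like) or keeps the session open for `hold` seconds. Returns port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with srv, conn:
            conn.settimeout(hold)
            try:
                conn.recv(16)          # the probe's carriage return
            except socket.timeout:
                pass
            if not close_on_cr:
                time.sleep(hold)       # outlive the probe's recv timeout
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Only hosts that come back CLOSED_AFTER_CR merit a closer look; as Brian notes, even that result does not prove the host is infected.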
Current thread:
- use Nmap to find W32/Bagle.e@MM ? Scott Weeks (Mar 03)
- <Possible follow-ups>
- Re: use Nmap to find W32/Bagle.e@MM ? Matthew Dalton (Mar 03)
- Re: use Nmap to find W32/Bagle.e@MM ? Brian Eckman (Mar 03)
- Re: use Nmap to find W32/Bagle.e@MM ? Scott Weeks (Mar 03)
- Re: use Nmap to find W32/Bagle.e@MM ? Pete Hoffswell (Mar 03)
- Re: use Nmap to find W32/Bagle.e@MM ? Scott Weeks (Mar 03)
- Re: use Nmap to find W32/Bagle.e@MM ? Jeff Kell (Mar 03)
- Re: use Nmap to find W32/Bagle.e@MM ? Herrera Reyna Omar (Mar 03)
- Re: use Nmap to find W32/Bagle.e@MM ? Michael_Maloney (Mar 04)
- Re: use Nmap to find W32/Bagle.e@MM ? Gary Flynn (Mar 04)
- Re: use Nmap to find W32/Bagle.e@MM ? Gary Flynn (Mar 04)
- Re: use Nmap to find W32/Bagle.e@MM ? Matthew Dalton (Mar 04)
- Re: use Nmap to find W32/Bagle.e@MM ? Michael_Maloney (Mar 04)