Educause Security Discussion mailing list archives

Re: use Nmap to find W32/Bagle.e@MM ?


From: Jeff Kell <jeff-kell () UTC EDU>
Date: Wed, 3 Mar 2004 13:59:44 -0500

Scott Weeks wrote:

Is this a sufficient method to find the W32/Bagle.e@MM infected machines?

   [root@localhost root]# nmap -P0 -p 2745 111.222.111.0/24

I see too many of these to believe as many machines as I've found are all
infected.  At least I HOPE so...

   Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
   Interesting ports on  (111.222.111.222):
   Port       State       Service
   2745/tcp   filtered    unknown

They all say "filtered" on this port.  That's what's throwing me off...

"Filtered" means the machine is up but a SYN is silently discarded with
no resulting ACK or ICMP unreachable.  The backdoor may have a "secret
handshake" to get it to do anything.

Jeff
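As an added example (not part of the thread), here is a small Python parser for nmap 3.00 "normal" output of the kind Scott posted; it reads the TCP/2745 state per host and keeps only hosts where the port is actually open as candidates, treating "filtered" as no reply rather than as infection, which is Jeff's point. The sample output is constructed.

```python
"""Triage nmap 3.x normal output by the state of TCP/2745 (W32/Bagle.e backdoor port)."""
import re

# "Interesting ports on  (1.2.3.4):" or "Interesting ports on host (1.2.3.4):"
HOST_RE = re.compile(r"^Interesting ports on\s+(?:\S+\s+)?\((?P<ip>[\d.]+)\):")
# "2745/tcp   filtered    unknown"
PORT_RE = re.compile(r"^(?P<port>\d+)/tcp\s+(?P<state>\w+)\s+\S+")

def parse_nmap_normal(text, port=2745):
    """Return {ip: state} for the given TCP port from nmap normal output."""
    results, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = HOST_RE.match(line)
        if m:
            current = m.group("ip")
            continue
        m = PORT_RE.match(line)
        if m and current and int(m.group("port")) == port:
            results[current] = m.group("state")
    return results

def triage(states):
    """'open' means something answered SYN with SYN/ACK and is worth a closer look.
    'filtered' only means the SYN got no SYN/ACK, RST or ICMP unreachable back
    (a firewall or silent drop), so it is not evidence of infection by itself."""
    return {
        "investigate": sorted(ip for ip, s in states.items() if s == "open"),
        "no_reply": sorted(ip for ip, s in states.items() if s == "filtered"),
        "closed": sorted(ip for ip, s in states.items() if s == "closed"),
    }

# Constructed sample output in the nmap 3.00 format shown in the thread.
SAMPLE = """\
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on  (111.222.111.222):
Port       State       Service
2745/tcp   filtered    unknown

Interesting ports on  (111.222.111.5):
Port       State       Service
2745/tcp   open        unknown

Interesting ports on lab-pc.example (111.222.111.9):
Port       State       Service
2745/tcp   closed      unknown
"""

if __name__ == "__main__":
    print(triage(parse_nmap_normal(SAMPLE)))
```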
