Educause Security Discussion mailing list archives

Re: use Nmap to find W32/Bagle.e@MM ?


From: Matthew Dalton <Matthew.Dalton () ROCHESTER EDU>
Date: Thu, 4 Mar 2004 09:38:42 -0500

Just being picky, but:

nmap -V gives the version.  What you probably meant was nmap -sV.

--
**************************************************************************
|Matthew Dalton                     |Phone: (585)273-1721                |
|ITS Security Group                 |Email: Matthew.Dalton () rochester edu |
|University of Rochester            |                                    |
|Rochester, NY 14620                |                                    |
**************************************************************************

On Thu, 4 Mar 2004, Gary Flynn wrote:

Gary Flynn wrote:

Michael_Maloney wrote:

Just curious,

Has anyone else seen false positives looking for Bagle on this port?
So far I've found a few systems that were shown to have this port open,
but all scans and manual searches came up clean.


Use fport or 'netstat -ano' to see what process
is holding the port open.


P.S. nmap 3.5 has a service identification function
(nmap -V). Using responses and interactive queries
it will try to determine what server process is
listening on the port.

If it doesn't recognize the service, it generates
a report indicating the response it saw. That
report, along with information about the process
actually found on the computer, can be submitted
to the nmap project for inclusion in future releases
of the service database. Even before then, it could
possibly be used to identify a Bagle, or any other
malware, process remotely on the basis of more than
just an open port.

I haven't had time to look at it too closely to
determine its real capabilities in detail, but it
would seem that a community effort to submit the
signatures of trojans and other malware would be
a good thing.

--
Gary Flynn
Security Engineer - Technical Services
James Madison University

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
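The procedure the thread sketches (scan with nmap -sV, then on the box run netstat -ano or fport and map the PID to a process) can be scripted for triaging a batch of "port open" hits. The block below is an added example and is not code from this thread or from the nmap project. It parses nmap's XML output (nmap -sV -oX -), flags open ports where version detection got nothing better than a table lookup (method="table" rather than "probed", with the raw probe responses in the servicefp attribute when nmap saw any), and correlates a port with a PID and image name from pasted `netstat -ano` and `tasklist` output. The nmap XML, netstat and tasklist text are constructed samples in the format those tools print; the port 5555 and the image name winupd.exe are placeholders, not a claim about what Bagle uses.

```python
"""Triage an 'open port' hit: nmap -sV results plus the local process
behind the port.  Added example, not code from the thread.  All input
below is constructed sample data in the real tools' output formats."""
import re
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -oX - 192.0.2.10`, trimmed to essentials.
# method="probed" means a version probe matched; method="table" means nmap
# only looked the port number up in nmap-services.  When probes got a reply
# that matched nothing, the raw responses are kept in servicefp (the text
# you would submit to the nmap project).
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="3.50">
<host><address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="80"><state state="open"/>
<service name="http" product="Apache httpd" version="2.0.48" method="probed" conf="10"/></port>
<port protocol="tcp" portid="139"><state state="open"/>
<service name="netbios-ssn" method="table" conf="3"/></port>
<port protocol="tcp" portid="5555"><state state="open"/>
<service name="unknown" method="table" conf="3"
 servicefp="SF-Port5555-TCP:V=3.50%D=3/4%r(NULL,6,&quot;\\x04\\x00\\x00\\x00\\x00\\x00&quot;)"/></port>
</ports></host></nmaprun>"""

# Constructed sample of `netstat -ano` on Windows XP.  UDP rows have no
# State column, so the PID is always taken as the last field.
NETSTAT_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1044
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5555           0.0.0.0:0              LISTENING       1736
  TCP    192.0.2.10:1052        192.0.2.20:80          ESTABLISHED     2088
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist`.  winupd.exe is a placeholder name.
TASKLIST = """\
Image Name                     PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process              0 Console                 0         28 K
System                           4 Console                 0        236 K
svchost.exe                    812 Console                 0      4,120 K
Apache.exe                    1044 Console                 0     12,300 K
winupd.exe                    1736 Console                 0      3,184 K
iexplore.exe                  2088 Console                 0     18,952 K
"""


def open_ports(xml_text):
    """Parse nmap XML into a list of dicts, one per open port."""
    found = []
    for port in ET.fromstring(xml_text).iter("port"):
        state = port.find("state")
        if state is None or state.get("state") != "open":
            continue
        svc = port.find("service")
        attr = (lambda k: svc.get(k)) if svc is not None else (lambda k: None)
        found.append({
            "port": int(port.get("portid")),
            "proto": port.get("protocol"),
            "name": attr("name"),
            "product": attr("product"),
            "method": attr("method"),
            "fingerprint": attr("servicefp"),
        })
    return found


def unidentified(ports):
    """Open ports where -sV matched no probe: the name is only a table guess."""
    return [p for p in ports if p["method"] != "probed"]


def listening_pid(netstat_text, port, proto="TCP"):
    """PID bound to local `port` (LISTENING for TCP), or None."""
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0].upper() != proto.upper() or not f[-1].isdigit():
            continue
        # rsplit copes with IPv6 literals such as [::]:80
        if f[1].rsplit(":", 1)[-1] != str(port):
            continue
        if proto.upper() == "TCP" and f[3] != "LISTENING":
            continue
        return int(f[-1])
    return None


# Image names may contain spaces ("System Idle Process"), so anchor on the
# numeric PID column rather than splitting on whitespace.
_TASK_RE = re.compile(r"^(?P<name>.+?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K$")


def image_name(tasklist_text, pid):
    """Image name for `pid` from `tasklist` output, or None."""
    for line in tasklist_text.splitlines():
        m = _TASK_RE.match(line)
        if m and int(m.group("pid")) == pid:
            return m.group("name")
    return None


def triage(ports, netstat_text, tasklist_text):
    """(port, nmap guess, pid, image) for every port -sV could not identify."""
    out = []
    for p in unidentified(ports):
        pid = listening_pid(netstat_text, p["port"], p["proto"])
        out.append((p["port"], p["name"], pid,
                    image_name(tasklist_text, pid) if pid is not None else None))
    return out


if __name__ == "__main__":
    for row in triage(open_ports(NMAP_XML), NETSTAT_ANO, TASKLIST):
        print("port %d nmap guess %-12s pid %-5s image %s" % row)
```

On the sample data the report pairs 139/netbios-ssn with PID 4 (System, expected) and 5555/unknown with a process nobody installed on purpose, which is the row worth chasing; the fingerprint string kept in the port record is what you would send to the nmap project once the process is identified. `tasklist /FO CSV` is easier to parse than the fixed-width form if you have the choice, and fport output would need its own parser.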

