Educause Security Discussion mailing list archives
Re: use Nmap to find W32/Bagle.e@MM ?
From: Matthew Dalton <Matthew.Dalton () ROCHESTER EDU>
Date: Thu, 4 Mar 2004 09:38:42 -0500
Just being picky, but: nmap -V gives the version. What you probably meant was nmap -sV.

--
Matthew Dalton | ITS Security Group | University of Rochester | Rochester, NY 14620
Phone: (585)273-1721 | Email: Matthew.Dalton () rochester edu

On Thu, 4 Mar 2004, Gary Flynn wrote:
> Gary Flynn wrote:
> > Michael_Maloney wrote:
> > > Just curious, has anyone else seen false positives looking for Bagle on this port? So far I've found a few systems that were shown to have this port open, but all scans and manual searches came up clean.
> >
> > Use fport or 'netstat -ano' to see what process is holding the port open.
>
> P.S. nmap 3.5 has a service identification function (nmap -V). Using responses and interactive queries it will try to determine what server process is listening on the port. If it doesn't recognize the service, it generates a report indicating the response it saw. That report, along with information about the process actually found on the computer, can be submitted to the nmap project for inclusion in future releases of the service database. Even before then, it could possibly be used to identify a Bagle, or any other malware, process remotely on the basis of more than just an open port. I haven't had time to look at it too closely to determine its real capabilities in detail, but it would seem that a community effort to submit the signatures of trojans and other malware would be a good thing.
>
> --
> Gary Flynn
> Security Engineer - Technical Services
> James Madison University
********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
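The port-to-process check that the quoted message recommends ('netstat -ano' on the host that the scan flagged), as an added Python example that is not part of the original thread: it parses netstat -ano output, keeps only TCP sockets in LISTENING state, and reconciles them against the ports a remote scan reported open, so a port with a real local listener (and its PID, to be inspected) is separated from a port with no listener at all (a candidate false positive). The netstat text, the port numbers and the function names below are constructed for this example.

```python
"""Reconcile ports a remote scan reported open with local 'netstat -ano' output.

Added example; not code from the original thread. The sample output and the
scanned port list are constructed, not captured from a real host.
"""

import re

# Constructed sample of Windows 'netstat -ano' output (not from a real host).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:1029          10.0.0.9:445           ESTABLISHED     1288
  TCP    0.0.0.0:6543           0.0.0.0:0              LISTENING       1432
  UDP    0.0.0.0:137            *:*                                    4
  UDP    0.0.0.0:1900           *:*                                    1100
"""

# One socket row. UDP rows carry no State column, so that group is optional.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+"
    r"(?P<local>\S+)\s+"
    r"(?P<remote>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?"
    r"(?P<pid>\d+)\s*$"
)


def parse_netstat_ano(text):
    """Return one dict per socket row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Local address is host:port; rpartition keeps IPv6 forms like [::]:135 intact.
        host, _, port = m.group("local").rpartition(":")
        rows.append({
            "proto": m.group("proto"),
            "host": host,
            "port": int(port),
            "state": m.group("state"),   # None for UDP rows
            "pid": int(m.group("pid")),
        })
    return rows


def listening_pids(rows):
    """Map each TCP port that is actually accepting connections to its owning PID."""
    return {r["port"]: r["pid"] for r in rows
            if r["proto"] == "TCP" and r["state"] == "LISTENING"}


def reconcile(scan_open_ports, netstat_text):
    """Split scanner-reported ports into (port -> PID) confirmed listeners
    and a sorted list of ports with no local listener."""
    pids = listening_pids(parse_netstat_ano(netstat_text))
    confirmed = {p: pids[p] for p in scan_open_ports if p in pids}
    unexplained = sorted(p for p in scan_open_ports if p not in pids)
    return confirmed, unexplained


if __name__ == "__main__":
    scan = [135, 445, 6543, 9001]   # constructed: ports a remote scan called open
    confirmed, unexplained = reconcile(scan, NETSTAT_SAMPLE)
    for port, pid in sorted(confirmed.items()):
        print(f"port {port}: listener present, inspect PID {pid}")
    for port in unexplained:
        print(f"port {port}: no local listener, likely false positive or transient")
```

A port in the "unexplained" list is only a candidate false positive: the scanner may have reached a different host behind the same address, the listener may have exited between the scan and the netstat run, or the process may be hiding its sockets from netstat, so a port that keeps showing up open remotely deserves a second look with fport or a rescan from the inside. The PID of a confirmed listener is the starting point for identifying the binary behind it.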