Educause Security Discussion mailing list archives
Re: use Nmap to find W32/Bagle.e@MM ?
From: Michael_Maloney <Michael_Maloney () MIDDLESEXCC EDU>
Date: Thu, 4 Mar 2004 10:25:46 -0500
Thanks Gary.. I'm running an older version here (1.31) for Windows... Gonna get the latest and throw it on a linux box and see if it helps resolve this issue.

Mike

********************************************
Mike Maloney
Sr. System Engineer
Middlesex County College
2600 Woodbridge Avenue
Edison, NJ 08818
Phone: 732-906-7754
Cell: 908-217-2086
Fax: 732-906-4266
Email: Michael_Maloney () middlesexcc edu
********************************************

-----Original Message-----
From: Gary Flynn [mailto:flynngn () JMU EDU]
Sent: Thursday, March 04, 2004 9:16 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] use Nmap to find W32/Bagle.e@MM ?

Gary Flynn wrote:

Michael_Maloney wrote:

Just curious, has anyone else seen false positives looking for Bagle on this port? So far I've found a few systems that were shown to have this port open, but all scans and manual searches came up clean.

Use fport or 'netstat -ano' to see what process is holding the port open.

P.S. nmap 3.5 has a service identification function (nmap -V). Using responses and interactive queries it will try to determine what server process is listening on the port. If it doesn't recognize the service, it generates a report indicating the response it saw. That report, along with information about the process actually found on the computer, can be submitted to the nmap project for inclusion in future releases of the service database. Even before then, it could possibly be used to identify a Bagle, or any other malware, process remotely on the basis of more than just an open port. I haven't had time to look at it too closely to determine its real capabilities in detail, but it would seem that a community effort to submit the signatures of trojans and other malware would be a good thing.

--
Gary Flynn
Security Engineer - Technical Services
James Madison University

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
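A small triage helper for the "open port but nothing found" case Gary's reply addresses: it parses `netstat -ano` and `tasklist` output from the scanned host and reports which process, if any, actually holds a TCP listener on the port the scanner flagged. This is an added example, not code from the thread or from either poster; the netstat and tasklist text, the port number 6000 and the process names are constructed sample data, and the regexes assume the column layout shown in the samples.

```python
import re

# Constructed sample of `netstat -ano` output from a Windows host (not a real capture).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:6000           0.0.0.0:0              LISTENING       1588
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:3389      192.168.1.5:51234      ESTABLISHED     1204
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist` output from the same host; image names are placeholders.
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Console                    0         236 K
svchost.exe                    912 Console                    0       4,852 K
svchost.exe                   1204 Console                    0       3,100 K
unknown_proc.exe              1588 Console                    0       1,964 K
"""

# UDP rows carry no State column, so the state group is optional.
NETSTAT_LINE = re.compile(r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
                          r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$")
TASKLIST_LINE = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")

def parse_netstat(text):
    """Return (proto, local_port, state, pid) tuples; state is None for UDP rows."""
    rows = []
    for m in (NETSTAT_LINE.match(line) for line in text.splitlines()):
        if m:
            port = int(m.group("local").rsplit(":", 1)[1])
            rows.append((m.group("proto"), port, m.group("state"), int(m.group("pid"))))
    return rows

def parse_tasklist(text):
    """Map PID -> image name; header and separator lines do not match the pattern."""
    return {int(m.group("pid")): m.group("image")
            for m in (TASKLIST_LINE.match(line) for line in text.splitlines()) if m}

def triage_port(netstat_text, tasklist_text, port):
    """Sorted (pid, image) pairs holding a TCP LISTENING socket on `port`.
    An empty list means no resident listener: the scan hit was transient or a false positive."""
    procs = parse_tasklist(tasklist_text)
    return sorted({(pid, procs.get(pid, "<pid not in tasklist>"))
                   for proto, p, state, pid in parse_netstat(netstat_text)
                   if proto == "TCP" and p == port and state == "LISTENING"})

if __name__ == "__main__":
    print(triage_port(NETSTAT_SAMPLE, TASKLIST_SAMPLE, 6000))
```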