Educause Security Discussion mailing list archives
Re: Strange port 135 probing, possibly a bot
From: Peter Moody <peter () UCSC EDU>
Date: Thu, 18 Nov 2004 12:45:51 -0800
I haven't seen anything posted about unusual tcp/135 activity, although there was an upswing in it according to DShield (before their database went belly-up). Has anyone seen anything like this recently?
Have you checked for irc flows from these hosts? If they're part of a botnet, then they're going to be connecting back to something to get the commands to scan/exploit/etc. Remember that bots are moving off 6667 so you're probably going to have to do some manual work in finding commonalities between the flows of these hosts (checking times of flow starts to would-be command and control servers against times of scan initiation).

Regards,
-Peter

--
Peter Moody <peter () ucsc edu>
Information Security Administrator 831/459.5409
Communications and Technology Services. UC, Santa Cruz.
http://security.ucsc.edu/pgp/peter.moody.pub AS5739
:wq

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
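The flow-time correlation suggested in the reply above, as an added example that is not part of the original message: it finds hosts scanning tcp/135, then ranks remote endpoints that several of them contacted shortly before their scans began and that non-scanning hosts do not use. The record layout, thresholds, function names and sample flows are all constructed assumptions.

```python
from collections import defaultdict

SCAN_PORT = 135
MIN_TARGETS = 5  # assumption: distinct tcp/135 destinations that count as a scan
WINDOW = 300     # assumption: seconds before scan start to look for a control flow

def sample_flows():
    """Constructed flow records: (start_time, src, dst, dst_port)."""
    flows = [(500, "10.0.9.9", "10.0.0.53", 53),          # non-scanning host
             (3990, "10.0.2.9", "198.51.100.8", 443)]     # seen from one scanner only
    for host, t0 in [("10.0.1.5", 1000), ("10.0.2.9", 4000), ("10.0.3.7", 9000)]:
        flows.append((t0 - 40, host, "203.0.113.50", 7000))  # shortly before the scan
        flows.append((t0 - 60, host, "10.0.0.53", 53))       # DNS, shared with clean hosts
        flows += [(t0 + n, host, f"192.0.2.{n + 1}", SCAN_PORT) for n in range(6)]
    return flows

def scan_starts(flows):
    """Map each scanning source to the start time of its first tcp/135 flow."""
    targets, first = defaultdict(set), {}
    for ts, src, dst, port in flows:
        if port == SCAN_PORT:
            targets[src].add(dst)
            first[src] = min(ts, first.get(src, ts))
    return {s: first[s] for s, d in targets.items() if len(d) >= MIN_TARGETS}

def candidate_c2(flows, min_hosts=2):
    """Rank endpoints that several scanners contacted just before they began scanning."""
    starts = scan_starts(flows)
    # Endpoints that non-scanning hosts also use are unlikely to be the common factor.
    baseline = {(dst, port) for _, src, dst, port in flows if src not in starts}
    seen = defaultdict(set)
    for ts, src, dst, port in flows:
        ep = (dst, port)
        if (src in starts and port != SCAN_PORT and ep not in baseline
                and 0 <= starts[src] - ts <= WINDOW):
            seen[ep].add(src)
    hits = [(ep, sorted(hosts)) for ep, hosts in seen.items() if len(hosts) >= min_hosts]
    return sorted(hits, key=lambda h: (-len(h[1]), h[0]))

if __name__ == "__main__":
    for (dst, port), hosts in candidate_c2(sample_flows()):
        print(f"{dst}:{port} contacted by {len(hosts)} scanners: {', '.join(hosts)}")
```

Because the match is on timing and shared endpoints rather than on port 6667, a control channel on any port surfaces as long as more than one scanning host used it.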