Educause Security Discussion mailing list archives
Re: Worm activity/port 445
From: "Yantis, Jonathan Lindsey" <YantisJ () COFC EDU>
Date: Mon, 7 Feb 2005 16:30:01 -0500
This is agobot or one of the many, many botnet variants. They use practically every exploit out there to spread and there are tons of different versions. Watching IRC is the easiest way to catch them. We discovered them on our network due to them launching DDoS attacks from our network commanded by an IRC channel.

The two tools I use for finding these bots are these commands on Linux sniffing internet traffic:

    tcpdump -n -i eth1 tcp port 6667 or tcp port 6668 or tcp port 6669 or port 7000

    ngrep -q -d eth1 "JOIN \#" not tcp port 80 and not tcp port 25 and not udp

The first one will get clients trying to connect on standard ports and the second one will watch for IRC joins on non-standard ports. When you find the commanding IRC host, put a block on outgoing to it and see what it catches. We found about 3 different variants on our network connecting to three different IRC servers. If you want to know more, search botnets and agobot on Google.

Hope this helps

PS: because of the sheer amount of different versions, AV will not always catch nor be able to clean the boxes.

--
Jonathan Yantis - yantisj () cofc edu - (843-953-7770)

________________________________
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joseph Vieira
Sent: Monday, February 07, 2005 11:04 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Worm activity/port 445

We have also been seeing a lot of this activity.

Open port 113 (IRC auth port) -- random userid
Propagation via unprotected Windows file sharing and lsass etc. vulnerabilities
I have also noticed UDP port 69 open and running tftp on a lot of these machines

Various other symptoms:
Rootkits installed in %windir%/system32/drivers/etc
IRC server running on one machine

I port scan for TCP 113 and UDP 69 to identify potential infections, and also watch for high volumes of traffic along port 6667

Joe Vieira
Desktop Security Analyst
Information Technology Services
Clark University
508.793.7287

-----Original Message-----
From: Kevin Pait [mailto:kevin.pait () UNCP EDU]
Sent: Friday, February 04, 2005 3:22 PM
Subject: Re: Worm activity/port 445

We've been fighting this problem for the past two weeks. It seems that the virus we have been afflicted with is an unknown variant of the W32/Sdbot.worm. The variant we have drops a virus called Qhost which causes PCs to redirect away from common anti-virus sites, Windows updates, etc. McAfee provided an extra.dat to try and combat the worm but it hasn't worked well. Their latest definition file has seemed to rid the virus from some systems while others can't totally shake it. It has been very time consuming for our support staff as our only totally successful recourse has been to format, reinstall, and apply updates totally offline. Check traffic on ports 135, 445, and 1025 - this is how we have identified afflicted PCs. Affected machines are W2000 and XP - some having most of their updates and latest virus definitions in place.

Good luck.

________________________________
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Craig Blaha
Sent: Friday, February 04, 2005 2:55 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Worm activity/port 445

We're seeing a lot of 445 scanning and an increasing rate of infection - users complaining about a wide array of pop-ups, redirects and other spyware type symptoms, slowing their systems to a crawl. Anyone else seeing something similar?
Craig

--
Craig Blaha
Associate Director
Information Policy, Security and Web Development
The College of New Jersey
PO Box 7718
Ewing, NJ 08628
www.tcnj.edu

--------------------------------------------------------------
Reminder: E-mail sent through the Internet is not secure. Do not use e-mail to send confidential information such as credit card numbers, changes of address, PIN numbers, passwords, or other important information. Your e-mail message is not private in that it is subject to review by the College, its officers, agents and employees.
--------------------------------------------------------------

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
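As an added example (not from the thread or any of its posters), the following Python script applies the same two heuristics as Yantis's tcpdump and ngrep filters to a set of constructed packet records, then ranks the external hosts by how many distinct internal clients talk to them, which is the "commanding IRC host" one would block outbound. All IP addresses, the channel name and the record layout are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Standard IRC ports watched by the first (tcpdump) filter in the thread.
IRC_PORTS = {6667, 6668, 6669, 7000}
# Ports excluded by the second (ngrep) filter; UDP is skipped in classify().
SKIP_PORTS = {80, 25}
# IRC "JOIN #channel" at the start of a protocol line, optional ":prefix ".
JOIN_RE = re.compile(r"(?m)^(?::\S+ )?JOIN\s+#\S+")

# Constructed sample records: (proto, src, dst, dport, payload). Not real traffic.
SAMPLE_PACKETS = [
    ("tcp", "10.1.2.3", "198.51.100.7", 6667, "NICK [x]-1234\r\nUSER a b c :d\r\n"),
    ("tcp", "10.1.2.9", "198.51.100.7", 6667, "NICK [x]-9876\r\nUSER a b c :d\r\n"),
    ("tcp", "10.1.5.4", "203.0.113.21", 3389, "JOIN #botchan k3y\r\n"),  # non-standard port
    ("tcp", "10.1.7.8", "203.0.113.21", 3389, "JOIN #botchan k3y\r\n"),
    ("tcp", "10.1.9.2", "203.0.113.21", 3389, "JOIN #botchan k3y\r\n"),
    ("tcp", "10.1.2.3", "192.0.2.10", 80, "GET /join.html HTTP/1.0\r\nHost: example\r\n"),
    ("tcp", "10.1.2.3", "192.0.2.25", 25, "MAIL FROM:<a@b>\r\nJOIN #nope\r\n"),  # port 25 excluded
    ("udp", "10.1.2.3", "192.0.2.53", 53, "JOIN #nope"),                           # UDP excluded
]

def classify(packet):
    """Return a reason string if the record looks like bot-to-IRC traffic, else None."""
    proto, _src, _dst, dport, payload = packet
    if proto != "tcp":
        return None
    if dport in IRC_PORTS:
        return "standard-irc-port"
    if dport in SKIP_PORTS:
        return None
    if JOIN_RE.search(payload):
        return "irc-join-nonstandard-port"
    return None

def candidate_servers(packets):
    """Group flagged records by (server, port, reason) and collect the internal
    hosts talking to each; the server with the most clients is listed first."""
    clients = defaultdict(set)
    for pkt in packets:
        reason = classify(pkt)
        if reason:
            clients[(pkt[2], pkt[3], reason)].add(pkt[1])
    return sorted(clients.items(), key=lambda kv: -len(kv[1]))

if __name__ == "__main__":
    for (server, port, reason), hosts in candidate_servers(SAMPLE_PACKETS):
        print(f"{server}:{port} {reason} {len(hosts)} internal host(s): {sorted(hosts)}")
```

On live traffic the same logic would consume decoded payloads from a capture tool; the exclusions matter because "JOIN #" also appears legitimately in web pages and mail bodies.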
Current thread:
- Worm activity/port 445 Craig Blaha (Feb 04)
- <Possible follow-ups>
- Re: Worm activity/port 445 Matt Kirchhoff (Feb 04)
- Re: Worm activity/port 445 Kevin Pait (Feb 04)
- Re: Worm activity/port 445 Eric van Wiltenburg (Feb 04)
- Re: Worm activity/port 445 Gary Flynn (Feb 04)
- Re: Worm activity/port 445 Mark Wilson (Feb 04)
- Re: Worm activity/port 445 Peter Charbonneau (Feb 07)
- Re: Worm activity/port 445 Joseph Vieira (Feb 07)
- Re: Worm activity/port 445 Valdis Kletnieks (Feb 07)
- Re: Worm activity/port 445 Yantis, Jonathan Lindsey (Feb 07)
- Re: Worm activity/port 445 James Riden (Feb 07)