RE: Nachi Worm

["Norman Girard" <ngirard () qualys com>]

That's true. As soon as the box is infected, the port 707 is open and offers a remote shell access. But the port is 
actually dynamic if the port was already open before the infection.
 
The trouble is that Nessus will just tell you that the port is open. And it's pretty tough to highlight it on a yellow 
page book report based on couple of class-B scan... ;-)

-----Original Message-----
From: Discini, Sonny [mailto:Sonny.Discini () montgomerycountymd gov]
Sent: Thursday, December 04, 2003 2:24 PM
To: Norman Girard; David Loyd; isp-security () isp-securtiy com
Cc: full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] Nachi Worm


Actually, if you scan for port 707 and it is open, you can be sure that the box is infected. This is how we pinpoint 
Welchia/Nachia infections. 
 
 
Sonny Discini
Network Security Engineer
Department of Technology Services
Enterprise Infrastructure Division
Montgomery County Government
-----Original Message-----
From: Norman Girard [mailto:ngirard () qualys com] 
Sent: Thursday, December 04, 2003 3:32 PM
To: David Loyd; isp-security () isp-securtiy com
Cc: full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] Nachi Worm


Dave,
 
You can scan but only through the registry access. You need to provide the login credentials of the domain...

-----Original Message-----
From: David Loyd [mailto:2of2 () unimatrix01 us]
Sent: Thursday, December 04, 2003 11:53 AM
To: isp-security () isp-securtiy com
Cc: full-disclosure () lists netsys com
Subject: [Full-disclosure] Nachi Worm


Does any one know if you can sacn of the nachi worm or the rpc.dcom vulnerability with nessus
 
Thanks

Dave