Honeypots mailing list archives
Re: track worm virus on NT/W2K machines
From: Valdis.Kletnieks () vt edu
Date: Fri, 22 Aug 2003 09:43:24 -0400
On Thu, 01 Jan 1998 00:12:12 +0800, Mohd Adam Baharun <adamxx7 () streamyx com> said:
> I would like some suggestions on what software to use (it would be good if it's free), so that I can install it on one of my NT or W2K servers to track down worms like the current WELCHIA, BLASTER and DUMARU. My organization's networks are currently badly hit by these worms. Please help.
For Welchia/Nachi, all you need to do is look for ICMP PING traffic. Even 'tcpdump -i ethX icmp' should be enough to get you started. Blaster you'll probably need Snort or similar, because you can't just look for port 135 traffic, you need a more detailed signature. I *think* both tcpdump and Snort are available for Windows platforms, but I would suggest that you get yourself a *NON* Windows box for this sort of thing, for a *VERY* good reason: If you're trying to examine an unknown meltdown that's affecting Windows boxes, the *LAST* thing you want is to hook up a Windows-based monitor and have it get compromised as well, probably before you know it... Software diversity is a Good Thing.
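The reply's "look for ICMP PING traffic" can be turned into a small triage step on the text that `tcpdump -n -i ethX icmp` prints. The script below is an added example, not code from the list or its posters: it assumes current tcpdump's `-n` line format and a constructed sample capture, and it flags any source that sent echo requests to many distinct hosts, which is what a Welchia/Nachi-style sweep looks like and what an ordinary host pinging its gateway does not.

```python
import re
import sys
from collections import defaultdict

# Assumed line shape of `tcpdump -n icmp` output (modern tcpdump; older
# releases print "icmp: echo request" instead, adjust the pattern if needed).
ECHO_REQUEST = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"ICMP echo request\b"
)


def build_sample():
    """Constructed tcpdump text, not a real capture: one host sweeping a /24
    (40 distinct targets), one host pinging its gateway three times, plus the
    echo replies to those pings, which the parser must ignore."""
    lines = []
    for i in range(1, 41):
        lines.append(f"09:43:{i % 60:02d}.000100 IP 10.0.0.5 > 10.0.1.{i}: "
                     f"ICMP echo request, id 512, seq {i}, length 72")
    for i in range(1, 4):
        lines.append(f"09:43:{i:02d}.500000 IP 10.0.0.9 > 10.0.0.1: "
                     f"ICMP echo request, id 7, seq {i}, length 64")
        lines.append(f"09:43:{i:02d}.500300 IP 10.0.0.1 > 10.0.0.9: "
                     f"ICMP echo reply, id 7, seq {i}, length 64")
    return "\n".join(lines)


def parse_echo_requests(text):
    """Yield (src, dst) for every ICMP echo request line; other lines are skipped."""
    for line in text.splitlines():
        m = ECHO_REQUEST.match(line)
        if m:
            yield m.group("src"), m.group("dst")


def find_icmp_sweepers(text, min_targets=20):
    """Return {src: distinct_destinations} for sources that pinged at least
    min_targets distinct hosts. A sweeping worm fans out across a range; a
    normal host pings a handful of addresses at most."""
    seen = defaultdict(set)
    for src, dst in parse_echo_requests(text):
        seen[src].add(dst)
    return {s: len(d) for s, d in seen.items() if len(d) >= min_targets}


if __name__ == "__main__":
    # Pipe live output in (tcpdump -n -i ethX icmp | python3 sweep.py) or run
    # with no stdin to see the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else build_sample()
    for src, n in sorted(find_icmp_sweepers(text).items()):
        print(f"{src} pinged {n} distinct hosts")
```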