Honeypots mailing list archives

RE: track worm virus on NT/W2K machines


From: Luis Miguel Silva <lms () ispgaya pt>
Date: Fri, 22 Aug 2003 15:17:55 +0100

Somebody posted to this mailing list with a solution about using honeyd to help you patch your network.
What he did basically was:
a) listen for traffic on port 135.
b) when contacted, connect to the source host on port 4444 (since the "exploit"/worm opens this port)
c) execute some commands...(like downloading the patch and executing it)!

Look for this mailing list for his original post!

Regards,
+-----------------------------------------
| Luis Miguel Silva
| Network Administrator@ ISPGaya.pt
| Rua Antonio Rodrigues da Rocha, 291/341 
| Sto. Ovidio . 4400-025 V. N. de Gaia
| Portugal
| T: +351 22 3745730/3/5  F: +351 22 3745738
| G: +351 93 6371253      E: lms () ispgaya pt
| H: http://lms.ispgaya.pt/
+----------------------------------------- 

-----Original Message-----
From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu]
Sent: Friday, 22 August 2003 14:43
To: Mohd Adam Baharun
Cc: honeypots () securityfocus com
Subject: Re: track worm virus on NT/W2K machines


On Thu, 01 Jan 1998 00:12:12 +0800, Mohd Adam Baharun <adamxx7 () streamyx com>  said:

I would like some suggestion on what software to use / be good if it's free,
so that I can install on one of my NT or W2K servers to track down worms
like the current WELCHIA, BLASTER and DUMARU. My organization's networks are
currently badly hit by these worms. Please help.

For Welchia/Nachi, all you need to do is look for ICMP PING traffic.  Even
'tcpdump -i ethX icmp' should be enough to get you started.

Blaster you'll probably need Snort or similar, because you can't just look
for port 135 traffic, you need a more detailed signature.

I *think* both tcpdump and Snort are available for Windows platforms, but I
would suggest that you get yourself a *NON* Windows box for this sort of thing,
for a *VERY* good reason:

If you're trying to examine an unknown meltdown that's affecting Windows boxes,
the *LAST* thing you want is to hook up a Windows-based monitor and have it
get compromised as well, probably before you know it.....

Software diversity is a Good Thing.

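The ICMP advice above can be turned into a small detector: the following is an added example (not code from anyone in this thread) that reads `tcpdump -n icmp` style lines and reports sources sending echo requests to many distinct hosts, which is the Welchia/Nachi sweep pattern. It assumes the modern tcpdump line format, and the log sample is constructed.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -n -i ethX icmp` output (modern tcpdump
# line format assumed). 10.0.0.5 behaves like a Welchia-style sweeper,
# pinging consecutive hosts; 10.0.0.9 is an ordinary ping to one host.
SAMPLE_LOG = """\
15:17:55.000101 IP 10.0.0.5 > 10.0.1.1: ICMP echo request, id 512, seq 1, length 72
15:17:55.000233 IP 10.0.0.5 > 10.0.1.2: ICMP echo request, id 512, seq 2, length 72
15:17:55.000371 IP 10.0.0.5 > 10.0.1.3: ICMP echo request, id 512, seq 3, length 72
15:17:55.000502 IP 10.0.0.5 > 10.0.1.4: ICMP echo request, id 512, seq 4, length 72
15:17:55.000640 IP 10.0.0.5 > 10.0.1.5: ICMP echo request, id 512, seq 5, length 72
15:17:55.000781 IP 10.0.0.5 > 10.0.1.6: ICMP echo request, id 512, seq 6, length 72
15:17:56.104210 IP 10.0.0.9 > 10.0.0.1: ICMP echo request, id 17, seq 1, length 64
15:17:56.104455 IP 10.0.0.1 > 10.0.0.9: ICMP echo reply, id 17, seq 1, length 64
15:17:57.220001 IP 10.0.0.9 > 10.0.0.1: ICMP echo request, id 17, seq 2, length 64
"""

# Only echo requests matter: a host answering pings is not scanning.
ECHO_REQ = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo request, id \d+, seq \d+, length (?P<len>\d+)$"
)


def echo_requests(log_text):
    """Yield (src, dst, length) for every ICMP echo request line."""
    for line in log_text.splitlines():
        m = ECHO_REQ.match(line.strip())
        if m:
            yield m["src"], m["dst"], int(m["len"])


def find_sweepers(log_text, min_targets=5):
    """Return {src: sorted targets} for sources that probed at least
    min_targets distinct hosts. The threshold is a tuning knob: raise it
    on networks where monitoring hosts legitimately ping many machines."""
    targets = defaultdict(set)
    for src, dst, _ in echo_requests(log_text):
        targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, dsts in find_sweepers(SAMPLE_LOG).items():
        print(f"{src} pinged {len(dsts)} hosts: {dsts[0]} .. {dsts[-1]}")
```

Pipe a live capture in with `tcpdump -n -l -i ethX icmp` and feed the lines to `echo_requests` in a sliding time window to catch sweeps as they happen.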