Security Incidents mailing list archives
RE: P2P applications scanning? Trojan? Malicious users?
From: "Alessandro Volpi" <Info () AVolpi com>
Date: Wed, 8 Oct 2003 16:49:11 +0200
Hi Jeff, Hi all...

In a similar situation I got some help from Nessus... Assuming that you are running it in an environment that is an MS domain and you can use an account with "Domain Admin" or "Enterprise Admin", you can configure some plug-ins of Nessus to use these credentials to enumerate the running processes of the remote MS host... You can then check out the list of what is running to find out what can be considered suspicious...

Good luck... as I had working out this issue! :)

Alessandro Volpi
MCP, CCNA
Pretty Good Privacy FingerPrint: 2358 B960 06E4 3440 DFFB FD5A 40DE 3492 8E20 EFE5
-----Original Message-----
From: Jeff Kell [mailto:jeff-kell () utc edu]
Sent: Tuesday, October 07, 2003 8:10 PM
To: Incidents
Subject: P2P applications scanning? Trojan? Malicious users?

During the outbreak of Blaster/Nachi/Welchia, we installed a tarpit on the dorm network to catch the scans that each performed. It was relatively effective, especially after we automated analysis of the logs and programmatically switched off infected ports.

However, a side effect of the tarpit, now that things are settling down, is that I am seeing very peculiar scans being performed by other systems in the dorms. I have seen scans on obvious P2P ports (tcp/1214 for example) but some equally strange scans that I have been unable to pinpoint or google a clue. Many of these stay trapped for days (or weeks). They are not full-subnet scans (well, possibly a class C) and they tend to grow over time.

Does anyone know of P2P, or P2P helper applications that perform this type of scan? We are a bit hesitant to shut them down without some clue as to what they are doing, and if it is intentional or some new application that is "working as designed".

Some of the ports currently being scanned now (all TCP, the tarpit doesn't catch UDP, generally speaking):

1064 1354 1416 2138 2141 2414 2622 2657 3111 3174 3947 1658

Some of these have hundreds of threads captured dating back a week (and growing slowly but daily).

Jeff Kell
Network Services/ISO
University of Tennessee at Chattanooga
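A defender-side way to triage the tarpit captures Jeff describes (which sources stay trapped for days, whether the daily hit count keeps growing, and whether the targets fit inside one class C), added here as an example that is not code from either poster or from the tarpit they ran; the log line format, the sample lines and the function names are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date
from ipaddress import ip_address, ip_network
import re

# Assumed (hypothetical) tarpit log format, one capture per line; not any real tool's format.
LINE_RE = re.compile(r"^(?P<day>\d{4}-\d{2}-\d{2}) \d\d:\d\d:\d\d "
                     r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) tcp captured$")

# Constructed sample: one source trapped on tcp/1214 three days running while sweeping
# one /24, one source on tcp/3947 seen a single time, and one unrelated line.
SAMPLE_LOG = """\
2003-10-01 02:10:05 10.1.2.3:4411 -> 10.1.9.10:1214 tcp captured
2003-10-01 02:10:06 10.1.2.3:4412 -> 10.1.9.11:1214 tcp captured
2003-10-02 03:44:19 10.1.2.3:4590 -> 10.1.9.12:1214 tcp captured
2003-10-02 03:44:20 10.1.2.3:4591 -> 10.1.9.13:1214 tcp captured
2003-10-03 01:02:03 10.1.2.3:4810 -> 10.1.9.14:1214 tcp captured
2003-10-03 01:02:04 10.1.2.3:4811 -> 10.1.9.15:1214 tcp captured
2003-10-03 01:02:05 10.1.2.3:4812 -> 10.1.9.16:1214 tcp captured
2003-10-03 05:00:00 10.1.2.50:1025 -> 10.1.9.40:3947 tcp captured
tarpit: restarted, ignore me
"""

def parse_line(line):
    """(day, src, dst, dport) for a capture record, None for anything else."""
    m = LINE_RE.match(line.strip())
    return None if m is None else (date.fromisoformat(m["day"]), m["src"], m["dst"], int(m["dport"]))

def summarize(text):
    """Per (src, dport): captures per day and the distinct targets hit."""
    stats = defaultdict(lambda: {"per_day": defaultdict(int), "targets": set()})
    for day, src, dst, dport in filter(None, map(parse_line, text.splitlines())):
        stats[(src, dport)]["per_day"][day] += 1
        stats[(src, dport)]["targets"].add(dst)
    return stats

def same_class_c(targets):
    """True when every target lies in the /24 of the first one (Jeff's 'possibly a class C')."""
    net = ip_network(f"{next(iter(targets))}/24", strict=False)
    return all(ip_address(t) in net for t in targets)

def persistent_scanners(stats, min_days=3):
    """Flag (src, dport) pairs trapped on at least min_days distinct days whose per-day capture
    count never drops: the 'growing slowly but daily' pattern from the thread.
    Returns (src, dport, days_seen, total_captures, distinct_targets, single_class_c)."""
    flagged = []
    for (src, dport), e in stats.items():
        counts = [e["per_day"][d] for d in sorted(e["per_day"])]
        if len(counts) >= min_days and all(b >= a for a, b in zip(counts, counts[1:])):
            flagged.append((src, dport, len(counts), sum(counts), len(e["targets"]), same_class_c(e["targets"])))
    return sorted(flagged)
```

A flagged pair is a candidate for the "what is it actually running" check in Alessandro's reply, not an automatic port shutdown.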