RE: P2P applications scanning? Trojan? Malicious users?

["Alessandro Volpi" <Info () AVolpi com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Jeff, Hi all...
In a similar situation I get some help by Nessus...
Assuming that you are running it in an environment that is a MS Domain and you can use an account with "Domain Admin" 
or "Enterprise Admin" you can configure some plug ins of Nessus to use these credentials to enumerate the running 
process of the remote MS host...
You can then check out the list of what is running to find out what it can be considered as suspicius...

Good Luck... as I had working out this issue! :)

Alessandro Volpi
MCP, CCNA

Pretty Good Privacy FingerPrint: 2358 B960 06E4 3440 DFFB  FD5A 40DE 3492 8E20 EFE5



> -----Original Message-----
> From: Jeff Kell [mailto:jeff-kell () utc edu] 
> Sent: Tuesday, October 07, 2003 8:10 PM
> To: Incidents
> Subject: P2P applications scanning? Trojan? Malicious users?
>
>
> During the outbreak of Blaster/Nachi/Welchia, we installed a 
> tarpit on 
> the dorm network to catch the scans that each performed.  It was 
> relatively effective, especially after we automated anaysis 
> of the logs 
> and programmatically switched off infected ports.
>
> However, as a side effect of the tarpit, now that things are settling 
> down, is that I am seeing very peculiar scans being performed 
> by other 
> systems in the dorms.  I have seen scans on obvious P2P ports 
> (tcp/1214 
> for example) but some equally strange scans that I have been 
> unable to 
> pinpoint or google a clue.  Many of these go trapped for days (or 
> weeks).  They are not full-subnet scans (well, possibly a 
> class C) and 
> they tend to grow over time.
>
> Does anyone know of P2P, or P2P helper applications that perform this 
> type of scan?  We are a bit hesitant to shut them down 
> without some clue 
> as to what they are doing, and if it is intentional or some new 
> application that is "working as designed".
>
> Some of the ports currently being scanned now (all TCP, the tarpit 
> doesn't catch UDP, generally speaking):
>
> 1064
> 1354
> 1416
> 2138
> 2141
> 2414
> 2622
> 2657
> 3111
> 3174
> 3947
> 1658
>
> Some of these have hundreds of threads captured dating back a 
> week (and 
> growing slowly but daily).
>
> Jeff Kell
> Network Services/ISO
> University of Tennessee at Chattanooga
>
>
>
>
>
> --------------------------------------------------------------
> -------------
> --------------------------------------------------------------
> --------------

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2

iQCVAwUBP4Qj4UDeNJKOIO/lAQKnTQP/dmyuMdzpM7KaFfXhTM4/W1qxUA+hxIaa
KIjY3lw2P9xXWy7Y6SR7qB0Wg0opyXiC+ebMPURE/WjQZA7kRJTYmhwKzZg6VKRa
BzATMswYzVk/8mYKh49ra3otQYtTkoeq03ZLOANblM0KDjWb2xV9yt+Eru0tAjXo
Jb8nw9oMv+k=
=4mxn
-----END PGP SIGNATURE-----



_________________________________________________________________
Il servizio Postemail sottopone tutti i documenti a una scansione
automatica antivirus con i programmi TREND MICRO.

---------------------------------------------------------------------------
----------------------------------------------------------------------------