Educause Security Discussion mailing list archives
Re: use Nmap to find W32/Bagle.e@MM ?
From: Herrera Reyna Omar <omar_herrera () BANXICO ORG MX>
Date: Wed, 3 Mar 2004 13:07:37 -0600
Regards, Omar Herrera
-----Original Message-----
From: Jeff Kell [mailto:jeff-kell () UTC EDU]
Sent: Wednesday, March 03, 2004 01:00 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] use Nmap to find W32/Bagle.e@MM ?

Scott Weeks wrote:

Is this a sufficient method to find the W32/Bagle.e@MM infected machines?

[root@localhost root]# nmap -P0 -p 2745 111.222.111.0/24

I see too many of these to believe as many machines as I've found are all infected. At least I HOPE so...

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (111.222.111.222):
Port       State       Service
2745/tcp   filtered    unknown

They all say "filtered" on this port. That's what's throwing me off...

"Filtered" means the machine is up but a SYN is silently discarded with no resulting ACK or ICMP unreachable. The backdoor may have a "secret handshake" to get it to do anything.
Or, more precisely, something blocked the response, but you have no clear indication of whether the port is open or not. The corresponding RFC states that a machine will respond with SYN+ACK to SYN petitions if the port is open, and should respond with an RST if it is closed. Filtered means that no response was received (might be firewalled) but still, this doesn't mean it is closed or open.

Regards, Omar Herrera

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
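The port-state semantics Omar describes, applied to triaging a scan like Scott's, as an added example that is not part of the thread: it parses nmap's grepable (-oG) output (which the thread does not use; the sample lines are constructed), treats only `open` as a candidate for host inspection, and records `filtered` as inconclusive, since with -P0 every unused address in the range also shows 2745 as filtered.

```python
import re

# Constructed sample of "nmap -P0 -p 2745 -oG - 111.222.111.0/24" output;
# not real scan data. Each Ports: entry is port/state/proto/owner/service/rpc/version.
SAMPLE_GREPABLE = """\
# Nmap 3.00 scan initiated (constructed sample)
Host: 111.222.111.10 ()\tPorts: 2745/open/tcp//unknown///
Host: 111.222.111.11 ()\tPorts: 2745/closed/tcp//unknown///
Host: 111.222.111.12 ()\tPorts: 2745/filtered/tcp//unknown///
Host: 111.222.111.13 ()\tPorts: 2745/filtered/tcp//unknown///
Host: 111.222.111.14 ()\tPorts: 2745/open/tcp//unknown///
"""

# How to read each state, following the SYN / SYN+ACK / RST rules in the thread.
VERDICT = {
    "open": "SYN+ACK received: a listener is present, inspect the host with AV",
    "closed": "RST received: nothing is listening on this port",
    "filtered": "no reply: firewalled or an unused address under -P0, inconclusive",
}

PORT_RE = re.compile(r"(\d+)/([\w|]+)/(tcp|udp)")


def parse_grepable(text):
    """Return {host: {port: state}} from nmap -oG output lines."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment and status-only lines carry no port data
        host = re.match(r"Host:\s+(\S+)", line).group(1)
        ports = {}
        if "Ports:" in line:
            # The Ports: field ends at the next tab-separated field, if any.
            port_field = line.split("Ports:", 1)[1].split("\t")[0]
            for port, state, _proto in PORT_RE.findall(port_field):
                ports[int(port)] = state
        results[host] = ports
    return results


def triage(text, port=2745):
    """Bucket hosts by the state nmap reported for `port` (default: Bagle's 2745)."""
    buckets = {"open": [], "closed": [], "filtered": [], "other": []}
    for host, ports in parse_grepable(text).items():
        state = ports.get(port, "other")
        buckets[state if state in buckets else "other"].append(host)
    return buckets


if __name__ == "__main__":
    for state, hosts in triage(SAMPLE_GREPABLE).items():
        print(f"{state:9} {len(hosts):3}  {VERDICT.get(state, 'unrecognised state')}")
```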
Current thread:
- use Nmap to find W32/Bagle.e@MM ? Scott Weeks (Mar 03)
- <Possible follow-ups>
- Re: use Nmap to find W32/Bagle.e@MM ? Matthew Dalton (Mar 03)
- Re: use Nmap to find W32/Bagle.e@MM ? Brian Eckman (Mar 03)
- Re: use Nmap to find W32/Bagle.e@MM ? Scott Weeks (Mar 03)
- Re: use Nmap to find W32/Bagle.e@MM ? Pete Hoffswell (Mar 03)
- Re: use Nmap to find W32/Bagle.e@MM ? Scott Weeks (Mar 03)
- Re: use Nmap to find W32/Bagle.e@MM ? Jeff Kell (Mar 03)
- Re: use Nmap to find W32/Bagle.e@MM ? Herrera Reyna Omar (Mar 03)
- Re: use Nmap to find W32/Bagle.e@MM ? Michael_Maloney (Mar 04)
- Re: use Nmap to find W32/Bagle.e@MM ? Gary Flynn (Mar 04)
- Re: use Nmap to find W32/Bagle.e@MM ? Gary Flynn (Mar 04)
- Re: use Nmap to find W32/Bagle.e@MM ? Matthew Dalton (Mar 04)
- Re: use Nmap to find W32/Bagle.e@MM ? Michael_Maloney (Mar 04)