Re: use Nmap to find W32/Bagle.e@MM ?

[Herrera Reyna Omar <omar_herrera () BANXICO ORG MX>]

Saludos,
Omar Herrera

> -----Mensaje original-----
> De: Jeff Kell [mailto:jeff-kell () UTC EDU]
> Enviado el: Miércoles, 03 de Marzo de 2004 01:00 PM
> Para: SECURITY () LISTSERV EDUCAUSE EDU
> Asunto: Re: [SECURITY] use Nmap to find W32/Bagle.e@MM ?
>
> Scott Weeks wrote:
>
> > Is this a suffucient method to find the W32/Bagle.e@MM infected machines?
> >
> >    [root@localhost root]# nmap -P0 -p 2745 111.222.111.0/24
> >
> > I see too many of these to believe as many machines as I've found are all
> > infected.  At least I HOPE so...
> >
> >    Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
> >    Interesting ports on  (111.222.111.222):
> >    Port       State       Service
> >    2745/tcp   filtered    unknown
> >
> > They all say "filtered" on this port.  That's what's throwing me off...
>
> "Filtered" means the machine is up but a SYN is silently discarded with
> no resulting ACK or ICMP unreachable.  The backdoor may have a "secret
> handshake" to get it to do anything.

Or, more precisely, something blocked the response, but you have no clear indication of whether the port is open or 
not. The corresponding RFC states that a machine will respond with SYN+ACK to SYN petitions if the port is open, and 
should respond with an RST if it is closed.

Filtered means that no response was received (might be firewalled) but still, this doesn't mean it is closed or open.

Regards,

Omar Herrera

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.