Educause Security Discussion mailing list archives

Re: "Stealth" Agobot/Gaobot?


From: Mark Wilson <wilsodm () AUBURN EDU>
Date: Tue, 27 Apr 2004 15:59:20 -0500

We have seen quite a few of these on our network.  When I nmap, all
65635 ports BTW, I usually see a random high port, sometimes 2.  This is
generally the case.  On some occasions I see what you are seeing, no
open ports above say 5000.

Mark Wilson
GCIA, CISSP #53153
Network Security Specialist
Auburn University
(334) 844-9347

jeff-kell () UTC EDU 4/27/2004 3:41:29 PM >>>
Twice today I have seen indications of Agobot infections.  As has been
my usual procedure, I nmap the beast, try nbtscan for NetBIOS info, then
shut down the port.  But nmap indicates nothing other than 135/139/1025
and the scanning stops.

Is this a new "stealth bot" that shuts down or sleeps for a while if it
detects a scan?

This is getting creepy.

Jeff Kell
University of Tennessee at Chattanooga

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.
