Educause Security Discussion mailing list archives
Re: "Stealth" Agobot/Gaobot?
From: Mark Wilson <wilsodm () AUBURN EDU>
Date: Tue, 27 Apr 2004 15:59:20 -0500
We have seen quite a few of these on our network. When I nmap, all 65635 ports BTW, I usually see a random high port, sometimes 2. This is generally the case. On some occasions I see what you are seeing, no open ports above say 5000. Mark Wilson GCIA, CISSP #53153 Network Security Specialist Auburn University (334) 844-9347
jeff-kell () UTC EDU 4/27/2004 3:41:29 PM >>>
Twice today I have seen indications of Agobot infections. As has been my usual procedure, I nmap the beast, try nbtscan for NetBIOS info, then shut down the port. But nmap indicates nothing other than 135/139/1025 and the scanning stops. Is this a new "stealth bot" that shuts down or sleeps for awhile if it detects a scan? This is getting creepy. Jeff Kell University of Tennessee at Chattanooga ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/. ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
Attachment:
Mark Wilson.vcf
Description:
Current thread:
- "Stealth" Agobot/Gaobot? Jeff Kell (Apr 27)
- <Possible follow-ups>
- Re: "Stealth" Agobot/Gaobot? Mark Wilson (Apr 27)
- Re: "Stealth" Agobot/Gaobot? Brian Eckman (Apr 27)
- Re: "Stealth" Agobot/Gaobot? Brian Eckman (Apr 29)