Educause Security Discussion mailing list archives
Re: "Stealth" Agobot/Gaobot?
From: Brian Eckman <eckman () UMN EDU>
Date: Tue, 27 Apr 2004 16:06:40 -0500
Jeff Kell wrote:
Twice today I have seen indications of Agobot infections. As has been my usual procedure, I nmap the beast, try nbtscan for NetBIOS info, then shut down the port. But nmap indicates nothing other than 135/139/1025 and the scanning stops. Is this a new "stealth bot" that shuts down or sleeps for a while if it detects a scan?
I had a variant today that showed up in an nmap. I telnetted to it and it threw its stream of garbage at me. I then went to netcat it and the port was closed. It's only happened this one time, and I have no good explanation for it.

However, that may not be related to what you are reporting. I guess it would help to know what your indications were. Something else could be acting like it as well.

I also seem to remember Agobot variants only opening up their high-numbered ports after finding their first victim. If you notice one too quickly after initial infection, it may not have opened the ports yet.

Brian

--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.