Educause Security Discussion mailing list archives

Re: Strange port 135 probing, possibly a bot


From: Peter Moody <peter () UCSC EDU>
Date: Thu, 18 Nov 2004 12:45:51 -0800


> I haven't seen anything posted about unusual tcp/135 activity, although
> there was an upswing in it according to DShield (before their database
> went belly-up).  Has anyone seen anything like this recently?

Have you checked for irc flows from these hosts?  If they're part of a
botnet, then they're going to be connecting back to something to get the
commands to scan/exploit/etc.  Remember that bots are moving off 6667 so
you're probably going to have to do some manual work in finding
commonalities between the flows of these hosts (checking times of flow
starts to would-be command and control servers against times of scan
initiation).

Regards,
-Peter

-- 
Peter Moody                             <peter () ucsc edu>
Information Security Administrator          831/459.5409
Communications and Technology Services.   UC, Santa Cruz.
http://security.ucsc.edu/pgp/peter.moody.pub      AS5739
:wq
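
The correlation suggested in the message above, sketched as an added example that is not part of the original post: for each host scanning tcp/135, collect the flows that started shortly before its scan began and rank the endpoints that several scanners share, on any port. The flow tuple layout, the thresholds and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

SCAN_PORT = 135     # port being probed in this thread
MIN_TARGETS = 3     # assumption: distinct tcp/135 targets that mark a host as a scanner
WINDOW = 3600       # assumption: seconds before scan start to look for control traffic

# Constructed sample flows (start_epoch, src, dst, dst_port); not real data.
OTHER = [
    (1200, "10.0.0.5", "203.0.113.7", 7000),
    (1900, "10.0.0.9", "203.0.113.7", 7000),
    (2500, "10.0.0.23", "203.0.113.7", 7000),
    (1100, "10.0.0.5", "192.0.2.53", 53),
    (2400, "10.0.0.23", "192.0.2.53", 53),
    (900, "10.0.0.9", "198.51.100.80", 80),
    (1300, "10.0.0.40", "203.0.113.7", 7000),   # host that never scans: ignored
]
SCANS = [(t0 + i, src, f"198.51.100.{i + 1}", SCAN_PORT)
         for src, t0 in (("10.0.0.5", 1500), ("10.0.0.9", 2000), ("10.0.0.23", 2600))
         for i in range(4)]
FLOWS = sorted(OTHER + SCANS)

def scan_starts(flows):
    """Map each scanning host to the start time of its first tcp/135 flow."""
    targets, first = defaultdict(set), {}
    for ts, src, dst, port in flows:
        if port == SCAN_PORT:
            targets[src].add(dst)
            first[src] = min(ts, first.get(src, ts))
    return {src: first[src] for src, t in targets.items() if len(t) >= MIN_TARGETS}

def common_endpoints(flows, min_hosts=2):
    """Rank (dst, port) pairs that several scanners contacted shortly before scanning.

    Any port is considered, since control channels are not tied to 6667.
    Each entry maps scanner -> seconds between flow start and scan start.
    """
    starts = scan_starts(flows)
    seen = defaultdict(dict)
    for ts, src, dst, port in flows:
        t0 = starts.get(src)
        if t0 is None or port == SCAN_PORT or not 0 <= t0 - ts <= WINDOW:
            continue
        lead = t0 - ts
        seen[(dst, port)][src] = min(lead, seen[(dst, port)].get(src, lead))
    hits = [(ep, dict(h)) for ep, h in seen.items() if len(h) >= min_hosts]
    return sorted(hits, key=lambda hit: (-len(hit[1]), hit[0]))

if __name__ == "__main__":
    for (dst, port), hosts in common_endpoints(FLOWS):
        print(f"{dst}:{port} contacted by {len(hosts)} scanners, lead times {hosts}")
```

Shared infrastructure such as a resolver also surfaces in the ranking (the port 53 entry in the sample), so the output is a shortlist for the manual review the message describes, not a verdict.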
