Educause Security Discussion mailing list archives
Re: Strange port 135 probing, possibly a bot
From: Christian Grewell <christian () NYU EDU>
Date: Thu, 18 Nov 2004 00:00:00 GMT
Also, you may want to examine which process 'owns' the port on the infected machines. I use a free tool from Sysinternals (www.sysinternals.com) called Process Explorer to examine the process on Windows machines - quite handy in cases like this.

-----Original Message-----
From: Peter Moody <peter () UCSC EDU>
Date: Thu, 18 Nov 2004 12:45:51
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Strange port 135 probing, possibly a bot
I haven't seen anything posted about unusual tcp/135 activity, although there was an upswing in it according to DShield (before their database went belly-up). Has anyone seen anything like this recently?
Have you checked for irc flows from these hosts? If they're part of a botnet, then they're going to be connecting back to something to get the commands to scan/exploit/etc. Remember that bots are moving off 6667 so you're probably going to have to do some manual work in finding commonalities between the flows of these hosts (checking times of flow starts to would-be command and control servers against times of scan initiation).

Regards,
-Peter

--
Peter Moody <peter () ucsc edu>
Information Security Administrator 831/459.5409
Communications and Technology Services. UC, Santa Cruz.
http://security.ucsc.edu/pgp/peter.moody.pub
AS5739
:wq

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.

---------
Christian Grewell
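The flow-time correlation suggested in the quoted reply, as an added example that is not part of the original messages: it finds hosts that scan tcp/135, then lists peers that several of them contacted shortly before their scans began, on any port. The flow tuple layout, function names, thresholds and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

def scan_starts(flows, port=135, min_targets=5):
    """Map each scanning source to the start time of its first flow to `port`."""
    targets, first = defaultdict(set), {}
    for ts, src, dst, dport in flows:
        if dport == port:
            targets[src].add(dst)
            first[src] = min(ts, first.get(src, ts))
    # Only sources probing many distinct targets count as scanners.
    return {s: first[s] for s, d in targets.items() if len(d) >= min_targets}

def c2_candidates(flows, port=135, window=300, min_hosts=2):
    """Peers that several scanners contacted within `window` s before scanning."""
    starts = scan_starts(flows, port)
    peers = defaultdict(set)
    for ts, src, dst, dport in flows:
        if src in starts and dport != port and 0 <= starts[src] - ts <= window:
            peers[(dst, dport)].add(src)
    hits = [(p, sorted(h)) for p, h in peers.items() if len(h) >= min_hosts]
    return sorted(hits, key=lambda x: (-len(x[1]), x[0]))

def sample_flows():
    """Constructed records (start_epoch, src, dst, dst_port); documentation IPs."""
    flows = [
        (1000, "192.0.2.10", "203.0.113.5", 8080),  # A, 60 s before its scan
        (5000, "192.0.2.11", "203.0.113.5", 8080),  # B, 45 s before its scan
        (2000, "192.0.2.12", "203.0.113.5", 8080),  # C never scans: ignored
        (100, "192.0.2.10", "192.0.2.53", 53),      # A, too early to correlate
        (5040, "192.0.2.11", "192.0.2.53", 53),     # B only: below min_hosts
    ]
    for i in range(6):  # each scanner probes six distinct tcp/135 targets
        flows.append((1060 + i, "192.0.2.10", f"198.51.100.{i + 1}", 135))
        flows.append((5045 + i, "192.0.2.11", f"198.51.100.{i + 1}", 135))
    return flows

if __name__ == "__main__":
    for (dst, dport), hosts in c2_candidates(sample_flows()):
        print(f"{dst}:{dport} contacted shortly before scanning by {hosts}")
```

A wide window pulls in services every host uses (the resolver in the sample data), so candidates still need the manual review the reply mentions.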
Current thread:
- Re: Strange port 135 probing, possibly a bot Christian Grewell (Nov 17)
- <Possible follow-ups>
- Strange port 135 probing, possibly a bot Jeff Kell (Nov 18)
- Re: Strange port 135 probing, possibly a bot Peter Moody (Nov 18)
- Re: Strange port 135 probing, possibly a bot Doug Pearson (Nov 18)
- Re: Strange port 135 probing, possibly a bot Steven Alexander (Nov 18)
- Re: Strange port 135 probing, possibly a bot Bob Kehr (Nov 18)
- Re: Strange port 135 probing, possibly a bot Wayne J. Hauber (Nov 18)