Educause Security Discussion mailing list archives
Re: Strange port 135 probing, possibly a bot
From: Steven Alexander <alexander.s () MCCD EDU>
Date: Thu, 18 Nov 2004 13:26:33 -0800
SysInternals' Process Explorer will tell you everything that is running on the system and what files, registry keys and DLLs each process is using:

http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

SysInternals' TCP View will tell you which processes are connected to each TCP/UDP endpoint on the system:

http://www.sysinternals.com/ntw2k/source/tcpview.shtml

I hope this helps.

Steven Alexander
Programmer Analyst
Merced College

-----Original Message-----
From: Jeff Kell [mailto:jeff-kell () UTC EDU]
Sent: Thursday, November 18, 2004 12:36 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Strange port 135 probing, possibly a bot

For the past few days we have had a dozen or two machines pop up with some as-yet-unidentified virus/worm/bot that appears to try to connect to random addresses in the same /8 subnet as the host on tcp/135. I have seen no other traffic from these hosts. I can't get a packet capture of any meaningful payload because the outgoing SYNs are being blocked by our access lists at the border. nmaps are not terribly consistent other than all apparently sharing tcp/113 being open.

Symantec AV with latest definitions doesn't find anything, nor does SpyBot, HijackThis, Stinger, or a number of other tools we have tried. Our field crews have come up empty thus far and I'm waiting on an empty machine for forensics. The startup registry entries didn't have any glowing sore thumbs, so the beast is well hidden, or installs as a wrapper to a legitimate service.

I haven't seen anything posted about unusual tcp/135 activity, although there was an upswing in it according to DShield (before their database went belly-up). Has anyone seen anything like this recently?

Jeff Kell
System/Network Security
University of Tennessee at Chattanooga

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
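Two of the steps discussed in this exchange lend themselves to a small script: picking out the infected hosts from the border ACL denies that Jeff mentions (many distinct tcp/135 targets inside the host's own /8), and then, on a suspect machine, doing what TCPView does by attributing the half-open connections to a PID. The example below is added here and is not code from either poster; the ACL log lines (Cisco IOS-style %SEC-6-IPACCESSLOGP format) and the `netstat -ano` output are constructed samples, and the thresholds (`min_targets`, `min_syn_sent`) are assumptions to tune for your own network.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample of Cisco IOS-style ACL deny logs from a border router
# (format assumed for illustration; not taken from the thread).
ACL_LOG = """\
Nov 18 12:01:03 border %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.1.2.3(1157) -> 10.200.5.6(135), 1 packet
Nov 18 12:01:03 border %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.1.2.3(1158) -> 10.17.99.2(135), 1 packet
Nov 18 12:01:04 border %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.1.2.3(1159) -> 10.3.4.5(135), 1 packet
Nov 18 12:01:04 border %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.1.2.3(1160) -> 172.16.8.8(135), 1 packet
Nov 18 12:01:05 border %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.1.7.7(3344) -> 10.9.9.9(135), 1 packet
Nov 18 12:01:06 border %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.1.7.7(3345) -> 10.9.9.9(135), 1 packet
Nov 18 12:01:07 border %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.1.8.8(4000) -> 10.5.5.5(80), 1 packet
"""

# Constructed sample of `netstat -ano` output from a suspect Windows host.
NETSTAT_OUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING       1488
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       804
  TCP    10.1.2.3:1157          10.200.5.6:135         SYN_SENT        1488
  TCP    10.1.2.3:1158          10.17.99.2:135         SYN_SENT        1488
  TCP    10.1.2.3:1159          10.3.4.5:135           SYN_SENT        1488
  TCP    10.1.2.3:1161          10.0.0.20:445          ESTABLISHED     4
"""

ACL_RE = re.compile(r"denied tcp (\S+)\((\d+)\) -> (\S+)\((\d+)\)")


def same_slash8(a, b):
    """True when both dotted-quad addresses share the same first octet (/8)."""
    return a.split(".")[0] == b.split(".")[0]


def flag_scanners(log_text, port=135, min_targets=3):
    """Network side: return {src: [distinct in-/8 dst...]} for hosts whose
    denied SYNs to `port` reached at least `min_targets` distinct addresses
    in their own /8.  Targets outside the /8 are ignored so the check keys
    on the exact pattern reported, not on any tcp/135 traffic."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = ACL_RE.search(line)
        if not m:
            continue
        src, _sport, dst, dport = m.groups()
        if int(dport) == port and same_slash8(src, dst):
            targets[src].add(dst)
    return {src: sorted(d, key=ip_address)
            for src, d in targets.items() if len(d) >= min_targets}


def attribute_by_pid(netstat_text, port=135, min_syn_sent=2):
    """Host side: parse `netstat -ano` and return
    {pid: {"syn_sent": n, "listening": [ports]}} for PIDs with at least
    `min_syn_sent` half-open connections to `port`.  The PID is what you
    then feed to Process Explorer (image path, loaded DLLs, registry keys)."""
    syn = defaultdict(int)
    listening = defaultdict(list)
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) != 5 or f[0] != "TCP":       # skip banner/header lines
            continue
        _proto, local, foreign, state, pid = f
        pid = int(pid)
        if state == "LISTENING":
            listening[pid].append(int(local.rsplit(":", 1)[1]))
        elif state == "SYN_SENT" and int(foreign.rsplit(":", 1)[1]) == port:
            syn[pid] += 1
    return {pid: {"syn_sent": n, "listening": sorted(listening[pid])}
            for pid, n in syn.items() if n >= min_syn_sent}


if __name__ == "__main__":
    for src, dsts in flag_scanners(ACL_LOG).items():
        print(f"border: {src} tried {len(dsts)} distinct tcp/135 targets in its /8: {dsts}")
    for pid, info in attribute_by_pid(NETSTAT_OUT).items():
        print(f"host: PID {pid} has {info['syn_sent']} SYN_SENT to :135, listens on {info['listening']}")
```

Run on the sample, the border check flags only 10.1.2.3 (three in-/8 targets; the 172.16.8.8 attempt and 10.1.7.7's repeated hits on a single address do not count), and the host check ties the SYN_SENTs to PID 1488, which in the constructed sample is also the listener on tcp/113. Real ACL logging is rate-limited, so the distinct-target count understates the true scan rate; treat the threshold as a floor.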
Current thread:
- Re: Strange port 135 probing, possibly a bot Christian Grewell (Nov 17)
- <Possible follow-ups>
- Strange port 135 probing, possibly a bot Jeff Kell (Nov 18)
- Re: Strange port 135 probing, possibly a bot Peter Moody (Nov 18)
- Re: Strange port 135 probing, possibly a bot Doug Pearson (Nov 18)
- Re: Strange port 135 probing, possibly a bot Steven Alexander (Nov 18)
- Re: Strange port 135 probing, possibly a bot Bob Kehr (Nov 18)
- Re: Strange port 135 probing, possibly a bot Wayne J. Hauber (Nov 18)