Educause Security Discussion mailing list archives

Re: Strange port 135 probing, possibly a bot


From: Steven Alexander <alexander.s () MCCD EDU>
Date: Thu, 18 Nov 2004 13:26:33 -0800

The SysInternals' Process Explorer will tell you everything that is
running on the system and what files, registry keys and DLLs each
process is using:

http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

SysInternals' TCPView will tell you which processes are connected to
each TCP/UDP endpoint on the system:

http://www.sysinternals.com/ntw2k/source/tcpview.shtml
 
I hope this helps.
 
Steven Alexander
Programmer Analyst
Merced College

        -----Original Message-----
        From: Jeff Kell [mailto:jeff-kell () UTC EDU]
        Sent: Thursday, November 18, 2004 12:36 PM
        To: SECURITY () LISTSERV EDUCAUSE EDU
        Subject: [SECURITY] Strange port 135 probing, possibly a bot

        For the past few days we have had a dozen or two machines pop up
        with some as-yet-unidentified virus/worm/bot that appears to try to
        connect to random addresses in the same /8 subnet as the host on
        tcp/135.  I have seen no other traffic from these hosts.  I can't
        get a packet capture of any meaningful payload because the outgoing
        SYNs are being blocked by our access lists at the border.

        nmaps are not terribly consistent other than all apparently sharing
        tcp/113 being open.  Symantec AV with latest definitions doesn't
        find anything, nor does SpyBot, HijackThis, Stinger, or a number of
        other tools we have tried.  Our field crews have come up empty thus
        far and I'm waiting on an empty machine for forensics.  The startup
        registry entries didn't have any glowing sore thumbs, so the beast
        is well hidden, or installs as a wrapper to a legitimate service.

        I haven't seen anything posted about unusual tcp/135 activity,
        although there was an upswing in it according to DShield (before
        their database went belly-up).  Has anyone seen anything like this
        recently?

        Jeff Kell
        System/Network Security
        University of Tennessee at Chattanooga

        ********** 
        Participation and subscription information for this EDUCAUSE
Discussion Group discussion list can be found at
http://www.educause.edu/groups/.



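Added example (not from either message in this thread): a Python script that does from the command line what Steven suggests doing with TCPView, i.e. attributes every socket to its owning process, and then looks for the pattern Jeff describes: one process with SYNs out to many distinct hosts in the host's own /8 on tcp/135, plus a listener on tcp/113. The `netstat -ano` and `tasklist` text below is constructed sample output; the PID 1880 and the svchost.exe image name are hypothetical. On a live Windows host you would feed it the real output of those two commands instead.

```python
"""Scripted TCPView-style triage for the tcp/135 probing described in the thread.

Parses `netstat -ano` and `tasklist` output (Windows XP/2003 column layout,
image names assumed to contain no spaces), maps each connection to a PID and
process name, and flags processes reaching many distinct hosts on tcp/135.
"""
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample of `netstat -ano` output; PIDs and addresses are made up.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    10.3.4.5:1034          10.17.200.3:135        SYN_SENT        1880
  TCP    10.3.4.5:1035          10.88.1.77:135         SYN_SENT        1880
  TCP    10.3.4.5:1036          10.201.9.14:135        SYN_SENT        1880
  TCP    10.3.4.5:1037          10.44.62.250:135       SYN_SENT        1880
  TCP    10.3.4.5:1038          10.9.9.9:135           SYN_SENT        1880
  TCP    10.3.4.5:1040          10.3.4.10:445          ESTABLISHED     4
  TCP    10.3.4.5:1041          192.0.2.25:80          ESTABLISHED     2212
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING       1880
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed sample of `tasklist` output used to map PIDs to image names.
TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Console                    0         236 K
svchost.exe                   1880 Console                    0       4,412 K
iexplore.exe                  2212 Console                    0      18,300 K
"""


def parse_netstat(text):
    """Return (proto, local_ip, local_port, remote_ip, remote_port, state, pid)
    tuples from `netstat -ano` text. UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank or unexpected line
        if fields[0] == "TCP" and len(fields) == 5:
            proto, local, remote, state, pid = fields
        elif fields[0] == "UDP" and len(fields) == 4:
            proto, local, remote, pid = fields
            state = ""
        else:
            continue
        lip, lport = local.rsplit(":", 1)
        rip, rport = remote.rsplit(":", 1)
        rows.append((proto, lip, lport, rip, rport, state, int(pid)))
    return rows


def parse_tasklist(text):
    """Map PID -> image name from `tasklist` output (second column is the PID)."""
    names = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[1].isdigit():
            names[int(fields[1])] = fields[0]
    return names


def listeners_on(netstat_text, port):
    """PIDs with a TCP socket in LISTENING state on the given local port."""
    return {pid for proto, _, lport, _, _, state, pid in parse_netstat(netstat_text)
            if proto == "TCP" and state == "LISTENING" and lport == str(port)}


def find_port135_scanners(netstat_text, tasklist_text, min_targets=3):
    """Flag PIDs with >= min_targets distinct remote hosts on tcp/135, and
    note whether every target shares the local address's first octet (/8)."""
    names = parse_tasklist(tasklist_text)
    pairs = defaultdict(list)  # pid -> [(local_ip, remote_ip), ...]
    for proto, lip, _, rip, rport, _, pid in parse_netstat(netstat_text):
        if proto == "TCP" and rport == "135" and rip != "0.0.0.0":
            pairs[pid].append((lip, rip))
    hits = {}
    for pid, conns in pairs.items():
        remotes = {rip for _, rip in conns}
        if len(remotes) < min_targets:
            continue
        same_slash8 = all(l.split(".")[0] == r.split(".")[0] for l, r in conns)
        hits[pid] = {"process": names.get(pid, "<unknown>"),
                     "targets": sorted(remotes, key=ip_address),
                     "same_slash8": same_slash8}
    return hits


if __name__ == "__main__":
    for pid, info in find_port135_scanners(NETSTAT_SAMPLE, TASKLIST_SAMPLE).items():
        print(f"PID {pid} ({info['process']}): {len(info['targets'])} tcp/135 "
              f"targets, same /8 as host: {info['same_slash8']}")
    print("listening on tcp/113:", sorted(listeners_on(NETSTAT_SAMPLE, 113)))
```

A hit on a shared host process such as svchost.exe only narrows the search to that process; the next step is Steven's Process Explorer view of which DLLs and services that PID has loaded, which is where a wrapper around a legitimate service would show up.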