Educause Security Discussion mailing list archives

Re: Strange port 135 probing, possibly a bot


From: Bob Kehr <rskehr () UCDAVIS EDU>
Date: Thu, 18 Nov 2004 13:37:18 -0800

...or you could use fport.

http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/fport.htm


Christian Grewell wrote:
Also, you may want to examine which process 'owns' the port on the infected machines.

I use a free tool from Sysinternals (www.sysinternals.com) called Process Explorer to examine the process on Windows machines - quite handy in cases like this.
-----Original Message-----
From: Peter Moody <peter () UCSC EDU>
Date: Thu, 18 Nov 2004 12:45:51
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Strange port 135 probing, possibly a bot



I haven't seen anything posted about unusual tcp/135 activity, although
there was an upswing in it according to DShield (before their database
went belly-up).  Has anyone seen anything like this recently?


Have you checked for irc flows from these hosts?  If they're part of a
botnet, then they're going to be connecting back to something to get the
commands to scan/exploit/etc.  Remember that bots are moving off 6667 so
you're probably going to have to do some manual work in finding
commonalities between the flows of these hosts (checking times of flow
starts to would-be command and control servers against times of scan
initiation).

Regards,
-Peter


**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.
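The correlation Peter describes (checking when each suspect host first reaches out to a would-be command-and-control server against when it starts scanning 135/tcp) is easy to script over flow records. The block below is an added example, not code from anyone in this thread: it takes constructed flow records in a simple `timestamp src dst dport` shape (the field layout, host addresses, the 10-minute lookback and the five-destination scan threshold are all assumptions), finds each host's scan start, collects the destinations it talked to just beforehand, and ranks those destinations by how many scanning hosts share them. Because the thread notes bots are moving off 6667, nothing here filters on port, only on timing and commonality.

```python
"""Rank outbound destinations shared by hosts shortly before each began scanning 135/tcp.

Added example for the thread; flow format, addresses and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SCAN_PORT = 135
LOOKBACK = timedelta(minutes=10)   # how far before the first scan flow to look for C2 contact
MIN_TARGETS = 5                    # distinct 135/tcp destinations before we call it a scan

# Constructed flow records: "<ISO timestamp> <src> <dst> <dport>" (one per flow start).
# 10.0.1.5 and 10.0.2.9 both contact 203.0.113.7:6669 a few minutes before scanning;
# 10.0.3.3 only browses a web server and touches a single 135/tcp host, which is not a scan.
SAMPLE_FLOWS = [
    "2004-11-18T12:00:00 10.0.1.5 203.0.113.7 6669",
    "2004-11-18T12:01:00 10.0.1.5 198.51.100.20 80",
    "2004-11-18T12:03:00 10.0.1.5 192.0.2.1 135",
    "2004-11-18T12:03:01 10.0.1.5 192.0.2.2 135",
    "2004-11-18T12:03:02 10.0.1.5 192.0.2.3 135",
    "2004-11-18T12:03:03 10.0.1.5 192.0.2.4 135",
    "2004-11-18T12:03:04 10.0.1.5 192.0.2.5 135",
    "2004-11-18T12:05:00 10.0.3.3 198.51.100.20 80",
    "2004-11-18T12:06:00 10.0.3.3 192.0.2.50 135",
    "2004-11-18T12:10:00 10.0.2.9 203.0.113.7 6669",
    "2004-11-18T12:12:00 10.0.2.9 192.0.2.10 135",
    "2004-11-18T12:12:01 10.0.2.9 192.0.2.11 135",
    "2004-11-18T12:12:02 10.0.2.9 192.0.2.12 135",
    "2004-11-18T12:12:03 10.0.2.9 192.0.2.13 135",
    "2004-11-18T12:12:04 10.0.2.9 192.0.2.14 135",
]


def parse_flows(lines):
    """Parse the constructed record format into dicts, sorted by start time."""
    flows = []
    for line in lines:
        ts, src, dst, dport = line.split()
        flows.append({"start": datetime.fromisoformat(ts), "src": src, "dst": dst, "dport": int(dport)})
    return sorted(flows, key=lambda f: f["start"])


def scan_start(flows, host):
    """Time of the host's first 135/tcp flow, once it has hit MIN_TARGETS distinct destinations.

    Returns None if the host never reaches the threshold (a lone 135/tcp flow is not a scan).
    """
    targets = set()
    first = None
    for f in flows:
        if f["src"] == host and f["dport"] == SCAN_PORT:
            if first is None:
                first = f["start"]
            targets.add(f["dst"])
            if len(targets) >= MIN_TARGETS:
                return first
    return None


def candidate_c2(flows, host, started):
    """(dst, dport) pairs the host contacted in the LOOKBACK window before it began scanning."""
    lo, hi = started - LOOKBACK, started
    return {
        (f["dst"], f["dport"])
        for f in flows
        if f["src"] == host and f["dport"] != SCAN_PORT and lo <= f["start"] < hi
    }


def shared_c2(lines, hosts):
    """Rank pre-scan destinations by how many scanning hosts share them (most shared first)."""
    flows = parse_flows(lines)
    seen_by = defaultdict(set)
    for host in hosts:
        started = scan_start(flows, host)
        if started is None:
            continue  # never scanned, so nothing to correlate
        for dest in candidate_c2(flows, host, started):
            seen_by[dest].add(host)
    return sorted(((dest, sorted(h)) for dest, h in seen_by.items()), key=lambda x: (-len(x[1]), x[0]))


if __name__ == "__main__":
    for dest, hosts in shared_c2(SAMPLE_FLOWS, ["10.0.1.5", "10.0.2.9", "10.0.3.3"]):
        print(f"{dest[0]}:{dest[1]}  contacted before scanning by {len(hosts)} host(s): {', '.join(hosts)}")
```

On the constructed data the top entry is 203.0.113.7:6669, shared by both scanning hosts, while the web server appears once and 10.0.3.3 is dropped because a single 135/tcp flow never reaches the scan threshold. Against real netflow exports the same logic applies after adapting `parse_flows` to the collector's field order; a destination that ranks at the top across many scanning hosts is the one worth checking for IRC-style traffic, whatever port it sits on.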
