Educause Security Discussion mailing list archives
Re: Strange port 135 probing, possibly a bot
From: Bob Kehr <rskehr () UCDAVIS EDU>
Date: Thu, 18 Nov 2004 13:37:18 -0800
...or you could use fport..
http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/fport.htm

Christian Grewell wrote:

Also, you may want to examine which process 'owns' the port on the infected machines. I use a free tool from Sysinternals (www.sysinternals.com) called Process Explorer to examine the process on Windows machines - quite handy in cases like this.

-----Original Message-----
From: Peter Moody <peter () UCSC EDU>
Date: Thu, 18 Nov 2004 12:45:51
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Strange port 135 probing, possibly a bot

I haven't seen anything posted about unusual tcp/135 activity, although there was an upswing in it according to DShield (before their database went belly-up). Has anyone seen anything like this recently?

Have you checked for irc flows from these hosts? If they're part of a botnet, then they're going to be connecting back to something to get the commands to scan/exploit/etc. Remember that bots are moving off 6667 so you're probably going to have to do some manual work in finding commonalities between the flows of these hosts (checking times of flow starts to would-be command and control servers against times of scan initiation).

Regards,
-Peter
********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
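Added example, not part of the original messages: a sketch of the flow correlation suggested in the thread, which finds endpoints that several scanning hosts contacted shortly before their tcp/135 scans began and drops endpoints that non-scanning hosts also use. The flow tuple layout, thresholds, function names and all addresses (RFC 5737 ranges) are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed flow records (start_time_s, src, dst, dst_port); RFC 5737 addresses.
FLOWS = [
    (900, "192.0.2.20", "192.0.2.53", 53),       # host that never scans
    (950, "192.0.2.20", "198.51.100.80", 80),
    (1000, "192.0.2.10", "203.0.113.50", 7000),  # shared endpoint, not on 6667
    (1005, "192.0.2.10", "192.0.2.53", 53),
    (1010, "192.0.2.10", "198.51.100.80", 80),
    (2000, "192.0.2.11", "203.0.113.50", 7000),
    (2010, "192.0.2.11", "192.0.2.53", 53),
    (3000, "192.0.2.12", "203.0.113.50", 7000),
]
# Each suspect host then opens tcp/135 to several distinct targets.
for host, t0 in (("192.0.2.10", 1060), ("192.0.2.11", 2090), ("192.0.2.12", 3100)):
    FLOWS += [(t0 + i, host, f"198.51.100.{100 + i}", 135) for i in range(5)]


def scan_starts(flows, port=135, min_targets=3):
    """Map each scanning source to the start time of its first flow to `port`.

    A source counts as scanning once it has hit min_targets distinct hosts.
    """
    targets, first = defaultdict(set), {}
    for ts, src, dst, dport in flows:
        if dport == port:
            targets[src].add(dst)
            first[src] = min(ts, first.get(src, ts))
    return {s: first[s] for s in targets if len(targets[s]) >= min_targets}


def candidate_controllers(flows, window=600, min_hosts=2, port=135):
    """Endpoints contacted by >= min_hosts scanners within `window` seconds
    before each scanner's first probe, excluding endpoints that non-scanning
    hosts also talk to (resolvers, common web servers)."""
    starts = scan_starts(flows, port)
    baseline = {(d, p) for _, s, d, p in flows if s not in starts}
    seen = defaultdict(set)
    for ts, src, dst, dport in flows:
        if src not in starts or dport == port or (dst, dport) in baseline:
            continue
        if 0 <= starts[src] - ts <= window:
            seen[(dst, dport)].add(src)
    hits = {k: sorted(v) for k, v in seen.items() if len(v) >= min_hosts}
    return sorted(hits.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    for (dst, dport), hosts in candidate_controllers(FLOWS):
        print(f"{dst}:{dport} contacted before scanning by {', '.join(hosts)}")
```

Long-lived control connections can start well before a scan, so the window is worth widening when nothing turns up.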