Educause Security Discussion mailing list archives
Re: Worm activity/port 445
From: Mark Wilson <wilsodm () AUBURN EDU>
Date: Fri, 4 Feb 2005 16:24:41 -0600
In many cases, we have also found port 113/tcp open on these *Bot systems so you may wish to scan for open port 113/tcp on your network. Those Windows systems that may have this port open are probably compromised with the BOT.

http://isc.sans.org//show_comment.php?id=506

I routinely scan for port 113/tcp and use an expect script to telnet to port 113. If you get something like the below, the host is possibly being controlled by a BOTnet:

spawn /bin/bash
spawn telnet 131.x.x 113
Trying 131.204.x.x...
Connected to 131.204.x.x.
Escape character is '^]'.
1374, 6667 : USERID : UNIX : nrwev

Mark Wilson
GCIA, CISSP #53153
Network Security Specialist
Auburn University
(334) 844-9347
blaha () TCNJ EDU 2/4/2005 1:54:52 PM >>>
We're seeing a lot of 445 scanning and an increasing rate of infection - users complaining about a wide array of pop-ups, redirects and other spyware type symptoms, slowing their systems to a crawl.

Anyone else seeing something similar?

Craig

--
*Craig Blaha*
/Associate Director Information Policy, Security and Web Development/
The College of New Jersey
PO Box 7718
Ewing, NJ 08628
www.tcnj.edu

--------------------------------------------------------------
Reminder: E-mail sent through the Internet is not secure. Do not use e-mail to send confidential information such as credit card numbers, changes of address, PIN numbers, passwords, or other important information. Your e-mail message is not private in that it is subject to review by the College, its officers, agents and employees.
--------------------------------------------------------------

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
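Added example, not part of the original post or the poster's expect script: a small parser that picks the ident (RFC 1413) reply out of a captured port-113 session like the one quoted above and lists why it deserves a closer look. The function names, the IRC port set and the `inventory_os` parameter are assumptions made for illustration.

```python
import re

# RFC 1413 reply: "<port> , <port> : USERID : <opsys> : <user-id>"
#             or: "<port> , <port> : ERROR : <error-type>"
IDENT_RE = re.compile(
    r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*:\s*(USERID|ERROR)\s*:\s*(.*?)\s*$")
IRC_PORTS = set(range(6660, 6670)) | {7000}  # assumption: common IRC ports

# Session text as quoted in the post (addresses already redacted there).
SAMPLE = """Trying 131.204.x.x...
Connected to 131.204.x.x.
Escape character is '^]'.
1374, 6667 : USERID : UNIX : nrwev
"""


def parse_ident(line):
    """Return a dict for an ident reply line, or None for anything else."""
    m = IDENT_RE.match(line)
    if not m:
        return None
    ports = (int(m.group(1)), int(m.group(2)))
    if not all(0 < p <= 65535 for p in ports):
        return None
    reply = {"ports": ports, "type": m.group(3)}
    if reply["type"] == "ERROR":
        reply["error"] = m.group(4)
        return reply
    opsys, sep, user = m.group(4).partition(":")
    if not sep:  # USERID reply without a user-id field is malformed
        return None
    reply["opsys"] = opsys.split(",")[0].strip()  # drop optional charset
    reply["user"] = user.strip()
    return reply


def review_session(text, inventory_os=None):
    """List reasons a captured port-113 session deserves a closer look."""
    reasons = []
    for line in text.splitlines():
        r = parse_ident(line)
        if r is None or r["type"] != "USERID":
            continue
        if IRC_PORTS & set(r["ports"]):
            reasons.append("ident reply names an IRC port: %d, %d" % r["ports"])
        if inventory_os == "windows" and r["opsys"].upper() == "UNIX":
            reasons.append("host inventoried as Windows answers as UNIX")
    return reasons
```

Calling `review_session(SAMPLE, inventory_os="windows")` returns both reasons for the session quoted in the post; an empty list means no ident reply in the capture matched either heuristic, not that the host is clean.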