Educause Security Discussion mailing list archives

Re: Worm activity/port 445


From: Mark Wilson <wilsodm () AUBURN EDU>
Date: Fri, 4 Feb 2005 16:24:41 -0600

In many cases, we have also found port 113/tcp open on these *Bot
systems so you may wish to scan for open port 113/tcp on your network.
Those Windows systems that may have this port open are probably
compromised with the BOT.
http://isc.sans.org//show_comment.php?id=506

I routinely scan for port 113/tcp and use an expect script to telnet to
port 113.

If you get something like the below, the host is possibly being
controlled by a BOTnet:

spawn /bin/bash
spawn telnet 131.x.x 113
Trying 131.204.x.x...
Connected to 131.204.x.x.
Escape character is '^]'.

1374, 6667 : USERID : UNIX : nrwev



Mark Wilson
GCIA, CISSP #53153
Network Security Specialist
Auburn University
(334) 844-9347

blaha () TCNJ EDU 2/4/2005 1:54:52 PM >>>
We're seeing a lot of 445 scanning and an increasing rate of infection -
users complaining about a wide array of pop-ups, redirects and other
spyware type symptoms, slowing their systems to a crawl.

Anyone else seeing something similar?

Craig
--

    *Craig Blaha*
    /Associate Director
    Information Policy, Security and Web Development/
    The College of New Jersey
    PO Box 7718
    Ewing, NJ 08628
    www.tcnj.edu

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/groups/.
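
An added example, not part of the original post and not the poster's expect script: a parser for the ident (RFC 1413) reply format seen in the telnet session above, applied to captured 113/tcp output to flag Windows hosts that return a USERID reply. The inventory mapping, the function names and the 192.0.2.x addresses are constructed for illustration; the reply line itself is the one quoted in the post.

```python
import re

# RFC 1413 reply: "<port> , <port> : USERID : <opsys> : <user-id>"
#             or: "<port> , <port> : ERROR : <error-type>"
IDENT_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*:\s*(USERID|ERROR)\s*:\s*(.*?)\s*$")

def parse_ident(line):
    """Return a dict for a well-formed ident reply line, else None."""
    m = IDENT_RE.match(line)
    if not m:
        return None
    local, remote, kind, rest = int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)
    if not (1 <= local <= 65535 and 1 <= remote <= 65535):
        return None
    reply = {"local_port": local, "remote_port": remote, "type": kind}
    if kind == "USERID":
        # The user-id may itself contain ':'; split only on the first one.
        opsys, _, user = rest.partition(":")
        reply.update(opsys=opsys.strip(), user=user.strip())
    else:
        reply["error"] = rest
    return reply

def triage(banners, inventory):
    """Flag Windows hosts (per inventory) whose 113/tcp session shows a USERID reply."""
    flagged = []
    for host in sorted(banners):
        if inventory.get(host) != "windows":
            continue  # a Unix host running identd is expected, not a finding
        for line in banners[host].splitlines():
            r = parse_ident(line)
            if r and r["type"] == "USERID":
                flagged.append((host, r["remote_port"], r["opsys"], r["user"]))
                break
    return flagged

# Constructed sample data: session text as an expect/telnet run would log it.
SAMPLE_BANNERS = {
    "192.0.2.10": "Connected to 192.0.2.10.\nEscape character is '^]'.\n\n"
                  "1374, 6667 : USERID : UNIX : nrwev\n",
    "192.0.2.11": "Connected to 192.0.2.11.\nEscape character is '^]'.\n",
    "192.0.2.12": "6193, 23 : ERROR : NO-USER\n",
    "192.0.2.13": "1374, 6667 : USERID : UNIX : root\n",
}
SAMPLE_INVENTORY = {"192.0.2.10": "windows", "192.0.2.11": "windows",
                    "192.0.2.12": "windows", "192.0.2.13": "linux"}

if __name__ == "__main__":
    for finding in triage(SAMPLE_BANNERS, SAMPLE_INVENTORY):
        print(finding)
```

The second port in a flagged reply is worth recording: 6667, as in the quoted session, is the conventional IRC port.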
