Educause Security Discussion mailing list archives

Re: Worm activity/port 445


From: James Riden <j.riden () MASSEY AC NZ>
Date: Tue, 8 Feb 2005 10:51:16 +1300

"Yantis, Jonathan Lindsey" <YantisJ () COFC EDU> writes:

   This is agobot or one of the many many botnet variants.  They use
   practically every exploit out there to spread and there are tons of
   different versions.  Watching IRC is the easiest way to catch them.
   We discovered them on our network due to them launching DDoS attacks
   from our network commanded by an IRC channel.  The two tools I use for
   finding these bots are these commands on linux sniffing internet
   traffic:


   tcpdump -n -i eth1 tcp port 6667 or tcp port 6668 or tcp port 6669 or port 7000

   ngrep -q -d eth1 "JOIN \#" not tcp port 80 and not tcp port 25 and not udp

snort with the 'bleeding' ruleset is also useful.

   PS: because of the sheer amount of different versions, AV will not
   always catch nor be able to clean the boxes.

Although our AV vendor quickly updated their sigs when sent a
sample. This is probably the easiest way to fix machines if you have
more than a few compromised.

cheers,
 Jamie
--
James Riden / j.riden () massey ac nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.
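A small payload-based IRC detector in the spirit of the tcpdump and ngrep filters quoted above, added here as an example (it is not code from the post or from either author): it walks constructed TCP segment records, flags JOIN commands on any port except 80 and 25 (bots often use non-standard ports), flags other IRC commands only on the well-known IRC ports, and groups hits by internal source host. The record layout, hosts, ports, channel names and payloads are all constructed sample data.

```python
import re
from collections import defaultdict

# Ports left alone, mirroring the "not tcp port 80 and not tcp port 25" ngrep filter.
EXCLUDED_PORTS = {25, 80}
# Well-known IRC ports from the tcpdump filter in the post.
IRC_PORTS = {6667, 6668, 6669, 7000}

# IRC client commands a bot typically emits right after connecting to its C2 server.
IRC_CMD_RE = re.compile(rb"^(NICK|USER|JOIN|PRIVMSG|PONG)\b", re.MULTILINE)
JOIN_RE = re.compile(rb"^JOIN\s+(#\S+)", re.MULTILINE)


def classify(dst_port, proto, payload):
    """Return a short reason if one TCP segment looks like IRC, else None."""
    if proto != "tcp" or dst_port in EXCLUDED_PORTS:
        return None
    m = JOIN_RE.search(payload)
    if m:
        chan = m.group(1).decode("ascii", "replace")
        where = "standard" if dst_port in IRC_PORTS else "non-standard"
        return f"JOIN {chan} on {where} port {dst_port}"
    if dst_port in IRC_PORTS and IRC_CMD_RE.search(payload):
        return f"IRC command on port {dst_port}"
    return None


def find_suspects(records):
    """Group alerts by internal source host: {src_ip: ["dst:port reason", ...]}."""
    hits = defaultdict(list)
    for src, dst, dport, proto, payload in records:
        reason = classify(dport, proto, payload)
        if reason:
            hits[src].append(f"{dst}:{dport} {reason}")
    return dict(hits)


# Constructed sample segments (src, dst, dst_port, proto, payload); not real traffic.
SAMPLE = [
    ("10.0.5.12", "192.0.2.10", 6667, "tcp", b"NICK xp-12345\r\nUSER xp 0 * :xp\r\n"),
    ("10.0.5.12", "192.0.2.10", 6667, "tcp", b"JOIN #chan1 key\r\n"),
    ("10.0.7.3", "198.51.100.7", 1863, "tcp", b"JOIN #chan2\r\n"),  # non-standard port
    ("10.0.9.9", "203.0.113.5", 80, "tcp", b"POST /post HTTP/1.1\r\n\r\nJOIN #chat tonight"),
    ("10.0.9.9", "203.0.113.5", 53, "udp", b"\x12\x34\x01\x00"),
]

if __name__ == "__main__":
    for host, reasons in find_suspects(SAMPLE).items():
        print(host)
        for r in reasons:
            print("   ", r)
```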