Educause Security Discussion mailing list archives

Re: Conflicker/NMAP


From: "James R. Pardonek" <pardonjr () CALUMET PURDUE EDU>
Date: Tue, 31 Mar 2009 09:58:38 -0500

I too am questioning the results.  I ran nmap against a system that I know was patched and got this result.


Host script results:
|  smb-check-vulns:  
|  MS08-067: NOT RUN
|  Conficker: Likely CLEAN
|_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)

Final times for host: srtt: 0 rttvar: 3750  to: 100000

I made sure I was scanning from the same network.

James R. Pardonek, CISSP
Senior Network Administrator
Network Infrastructure Management and Maintenance
Computing Technology and Information Services
Purdue University Calumet
Hammond, Indiana
 

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Pete Hickey
Sent: Tuesday, March 31, 2009 9:53 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Conflicker/NMAP

I've used the Python thing and I seem to have had success.  At least the machines
turned up make sense.

I've been regularly monitoring machines scanning on port 445, and have
ASSUMED that these were conficker infected.  They were infected with
something, and were cleaned.... at least in theory.

There were some repeat offenders.  Either the owner didn't know how to clean
them, or they were not patched properly, or something.

Every machine that my python scanner picked up was one that had been
previously identified as infected several times (one lab, and about
5 other machines).

While I'm fairly confident that it is not returning any false positives, I
am not sure it is detecting everything, as today, after that scan, I
have found several infected-with-something machines scanning on 445.  Yes
it could be something else.  Unfortunately I don't get feedback when
machines are cleaned.

On Tue, Mar 31, 2009 at 09:21:35AM -0500, Consolvo, Corbett D wrote:
I realize many folks may not want to answer this, but has anyone had many positives/infections with the released nmap 
scan for Conficker?  So far we seem to be coming up clean and many other folks I've talked to or emailed with have 
come up clean as well.  I'm just concerned about the possibility of false negatives.  Of course, the problem may not 
be particularly widespread except in the eyes of some media outlets.

Thanks,
Corbett Consolvo
Texas State University

-- 
Pete Hickey                         There are only two kinds of people who
The University of Ottawa            are really fascinating:
Ottawa, Ontario                     People who know absolutely everything,
Canada                              and people who know absolutely nothing.
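Pete's monitoring approach above (treating a host that reaches out to many peers on port 445 as probably infected, and tracking repeat offenders across days) written out as detection logic. This is an added example, not code from anyone in the thread; the log format, the fan-out threshold and the log lines themselves are constructed assumptions.

```python
"""Flag hosts that fan out to many peers on TCP/445 and list repeat offenders.
Added example; log format, thresholds and log lines are constructed assumptions."""
import re
from collections import defaultdict

# Constructed firewall-style log: "<date> <src> -> <dst>:<dport> <proto>"
SAMPLE_LOG = """\
2009-03-30 10.1.5.20 -> 10.1.7.3:445 tcp
2009-03-30 10.1.5.20 -> 10.1.7.4:445 tcp
2009-03-30 10.1.5.20 -> 10.1.7.5:445 tcp
2009-03-30 10.1.5.21 -> 10.1.9.10:445 tcp
2009-03-30 10.1.5.21 -> 10.1.7.3:80 tcp
2009-03-31 10.1.5.20 -> 10.1.8.1:445 tcp
2009-03-31 10.1.5.20 -> 10.1.8.2:445 tcp
2009-03-31 10.1.5.20 -> 10.1.8.3:445 tcp
2009-03-31 10.1.5.30 -> 10.1.8.1:445 tcp
2009-03-31 10.1.5.30 -> 10.1.8.2:445 tcp
2009-03-31 10.1.5.30 -> 10.1.8.3:445 tcp
garbage line that the parser must skip
"""
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\S+) -> (\S+):(\d+) (\w+)$")

def parse_log(text):
    """Yield (date, src, dst, dport) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m[1], m[2], m[3], int(m[4])

def smb_fanout(records, port=445):
    """Map (date, src) -> set of distinct hosts contacted on `port`."""
    fanout = defaultdict(set)
    for date, src, dst, dport in records:
        if dport == port:
            fanout[(date, src)].add(dst)
    return fanout

def flag_scanners(fanout, threshold=3):
    """Return {date: sorted sources that reached >= threshold distinct peers}."""
    hits = defaultdict(list)
    for (date, src), dsts in fanout.items():
        if len(dsts) >= threshold:
            hits[date].append(src)
    return {d: sorted(s) for d, s in hits.items()}

def repeat_offenders(daily_hits, min_days=2):
    """Sources flagged on at least `min_days` different days (Pete's repeat offenders)."""
    days = defaultdict(set)
    for date, srcs in daily_hits.items():
        for src in srcs:
            days[src].add(date)
    return sorted(s for s, d in days.items() if len(d) >= min_days)
```

Legitimate file-sharing traffic (one or two peers a day) stays below the fan-out threshold, while a host that probes a whole subnet on 445 is flagged; a host flagged on consecutive days is the case Pete describes where cleaning or patching did not take.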
