IDS mailing list archives

RE: Tool to remotely detect MBlaster infected machines?


From: "Graham, Robert (ISS Atlanta)" <rgraham () iss net>
Date: Fri, 15 Aug 2003 17:59:24 -0400

The original question asked about looking for infected machines, not vulnerable machines.

Unfortunately, you can't scan for infected machines, because they take down port 135. You could theoretically scan for port 69 or 4444 open on infected machines, but those are only open for a short period of time.

However, for scanning for the vulnerability, ISS shipped a freeware tool:
http://www.iss.net/support/product_utilities/ms03-026rpc.php
It quickly scans a class B.


-----Original Message-----
From: schwing () tenablesecurity com [mailto:schwing () tenablesecurity com]
Sent: Friday, August 15, 2003 12:24 PM
To: focus-ids () securityfocus com
Subject: Re: Tool to remotely detect MBlaster infected machines?


In-Reply-To: <1060959531.6927.8.camel () icehouse is gatech edu>

You can also use Nessus plugin check 11818, "The remote host is infected by msblast.exe".

If you need to scan more than one class C at a time, you could use the Tenable Lightning Console and Proxy to scan multiple class B's at the same time.

Stephen Schwing
Tenable Network Security
www.tenablesecurity.com




It is a good tool, but has the drawback of only doing 1 class c at a
time.

On Fri, 2003-08-15 at 10:50, Ostberg, Alex wrote:
We have had a good experience thus far with the eEye tool
"RetinaRPCDCOM.exe" which is free.

www.eeye.com


Thanks, 
Alex O. Ostberg
Data Security Analyst / Network Security Specialist
Information Technology Security Office - Information Technology Services
Division - 
Department of Administration - State of Montana
Office:  406.444.4557
Fax:        406.444.2701
Email:     aostberg () state mt us



-----Original Message-----
From: brad [mailto:nelson.brad () comcast net]
Sent: Wednesday, August 13, 2003 6:43 PM
To: focus-ids () securityfocus com
Subject: Tool to remotely detect MBlaster infected machines?


Does anyone know of a tool to remotely detect mblast infected machines?  We are checking machines with increased flows on 135 and traffic on 69 udp.  Is there a better way?

Thanks,
Brad
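
The flow-based check raised in the original question (increased flows on 135 plus 69/udp traffic), together with port 4444 from the reply, as an added example that is not code from any poster in this thread. The flow tuple layout, the fan-out threshold of 20 and all sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample flow records: (src, dst, proto, dst_port). Addresses are
# documentation ranges and do not come from the thread.
FLOWS = (
    [("192.0.2.10", f"198.51.100.{i}", "tcp", 135) for i in range(1, 41)]
    + [("198.51.100.7", "192.0.2.10", "udp", 69),
       ("192.0.2.10", "198.51.100.7", "tcp", 4444),
       ("192.0.2.20", "192.0.2.5", "tcp", 135),   # ordinary RPC client
       ("192.0.2.20", "192.0.2.6", "tcp", 135),
       ("192.0.2.30", "192.0.2.5", "udp", 69)]    # lone TFTP use, no 135 flows
)

def suspect_hosts(flows, fanout_threshold=20):
    """Return {host: [reasons]} for hosts whose flows match the thread's signs."""
    rpc_targets = defaultdict(set)  # src -> distinct 135/tcp destinations
    side_ports = defaultdict(set)   # host -> "69/udp" / "4444/tcp" seen
    for src, dst, proto, port in flows:
        if (proto, port) == ("tcp", 135):
            rpc_targets[src].add(dst)
        elif (proto, port) in (("udp", 69), ("tcp", 4444)):
            label = f"{port}/{proto}"
            side_ports[src].add(label)
            side_ports[dst].add(label)
    findings = {}
    for host, targets in rpc_targets.items():
        if len(targets) < fanout_threshold:
            continue  # too few distinct targets to count as increased flows
        # Fan-out alone flags the host: 69 and 4444 are only open briefly,
        # so their absence in the capture window does not clear it.
        reasons = [f"135/tcp fan-out to {len(targets)} hosts"]
        reasons += [f"{p} traffic" for p in sorted(side_ports[host])]
        findings[host] = reasons
    return findings

if __name__ == "__main__":
    for host, reasons in suspect_hosts(FLOWS).items():
        print(host, "->", "; ".join(reasons))
```

The threshold needs tuning against normal RPC client behaviour on the monitored network before the output is used to prioritise hosts for a follow-up check.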



------------------------------------------------------------------------
---
Captus Networks - Integrated Intrusion Prevention and Traffic Shaping  
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
 - Automatically Control P2P, IM and Spam Traffic
 - Ensure Reliable Performance of Mission Critical Applications
Precisely Define and Implement Network Security and Performance Policies
**FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
Visit us at: http://www.captusnetworks.com/ads/31.htm
------------------------------------------------------------------------
---
