IDS mailing list archives
RE: Tool to remotely detect MBlaster infected machines?
From: "Graham, Robert (ISS Atlanta)" <rgraham () iss net>
Date: Fri, 15 Aug 2003 17:59:24 -0400
The original question asked about looking for infected machines, not vulnerable machines. Unfortunately, you can't scan for infected machines, because they take down port 135. You could theoretically scan for port 69 or 4444 open on infected machines, those are only open for a short period of time.

However, for scanning for the vulnerability, ISS shipped a freeware tool:
http://www.iss.net/support/product_utilities/ms03-026rpc.php
It quickly scans a class B.

-----Original Message-----
From: schwing () tenablesecurity com [mailto:schwing () tenablesecurity com]
Sent: Friday, August 15, 2003 12:24 PM
To: focus-ids () securityfocus com
Subject: Re: Tool to remotely detect MBlaster infected machines?

In-Reply-To: <1060959531.6927.8.camel () icehouse is gatech edu>

You can also use Nessus plugin

Check 11818
The remote host is infected by msblast.exe

If you need to scan more than one class C at a time you could use the Tenable Lightning Console and Proxy to Scan multiple class B's at the same time.

Stephen Schwing
Tenable Network Security
www.tenablesecurity.com

It is a good tool, but has the drawback of only doing 1 class c at a time.

On Fri, 2003-08-15 at 10:50, Ostberg, Alex wrote:

We have had a good experience thus far with the eEye tool "RetinaRPCDCOM.exe" which is free. www.eeye.com

Thanks,
Alex O. Ostberg
Data Security Analyst / Network Security Specialist
Information Technology Security Office - Information Technology Services Division - Department of Administration - State of Montana
Office: 406.444.4557
Fax: 406.444.2701
Email: aostberg () state mt us

-----Original Message-----
From: brad [mailto:nelson.brad () comcast net]
Sent: Wednesday, August 13, 2003 6:43 PM
To: focus-ids () securityfocus com
Subject: Tool to remotely detect MBlaster infected machines?

Does anyone know of a tool to remotely detect mblast infected machines? We are checking machines with increased flows on 135 and traffic on 69 udp. Is there a better way?

Thanks,
Brad

---------------------------------------------------------------------------
Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
 - Automatically Control P2P, IM and Spam Traffic
 - Ensure Reliable Performance of Mission Critical Applications
Precisely Define and Implement Network Security and Performance Policies
**FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
Visit us at: http://www.captusnetworks.com/ads/31.htm
---------------------------------------------------------------------------
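The passive check described in the original question (increased flows on 135 together with UDP 69 traffic) can be run over stored flow records, which still show port 69 or 4444 activity after those ports have closed. The sketch below is an added example, not code from any poster or from the tools named in the thread; the CSV layout, the fan-out threshold, the addresses and the function names are all assumptions.

```python
import csv
import io
from collections import defaultdict

FANOUT_THRESHOLD = 5  # assumed cut-off: distinct TCP/135 peers per window


def build_sample_flows():
    """Constructed flow export (src,dst,proto,dport); not real traffic."""
    rows = ["src,dst,proto,dport"]
    # Host A: wide TCP/135 fan-out plus UDP/69 and TCP/4444 flows.
    rows += [f"10.1.4.23,10.1.7.{n},tcp,135" for n in range(1, 7)]
    rows += ["10.1.7.3,10.1.4.23,udp,69", "10.1.4.23,10.1.7.3,tcp,4444"]
    # Host B: wide TCP/135 fan-out only.
    rows += [f"10.1.9.9,10.1.8.{n},tcp,135" for n in range(1, 6)]
    # Host C: ordinary RPC client talking to two servers.
    rows += ["10.1.2.10,10.1.0.5,tcp,135", "10.1.2.10,10.1.0.6,tcp,135"]
    return "\n".join(rows) + "\n"


def suspect_hosts(flow_csv, threshold=FANOUT_THRESHOLD):
    """Map each high fan-out source to a verdict and supporting evidence."""
    rpc_peers = defaultdict(set)  # src -> distinct destinations on TCP/135
    side = defaultdict(set)       # host -> UDP/69 or TCP/4444 flows seen
    for row in csv.DictReader(io.StringIO(flow_csv)):
        service = (row["proto"].lower(), int(row["dport"]))
        if service == ("tcp", 135):
            rpc_peers[row["src"]].add(row["dst"])
        elif service in (("udp", 69), ("tcp", 4444)):
            # Record both endpoints: the flow log does not say which side
            # is the infected one, only that the pair exchanged traffic.
            for host in (row["src"], row["dst"]):
                side[host].add(f"{service[0]}/{service[1]}")
    report = {}
    for host, peers in rpc_peers.items():
        if len(peers) < threshold:
            continue
        extra = sorted(side.get(host, ()))
        report[host] = {
            "verdict": "likely" if extra else "review",
            "tcp135_peers": len(peers),
            "also_seen": extra,
        }
    return report


if __name__ == "__main__":
    for host, info in sorted(suspect_hosts(build_sample_flows()).items()):
        print(host, info)
```

Hosts that exceed the fan-out threshold without any port 69 or 4444 flows are marked "review" rather than "likely", since a legitimate management server can also contact many machines on TCP/135.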
Current thread:
- Tool to remotely detect MBlaster infected machines? brad (Aug 15)
- RE: Tool to remotely detect MBlaster infected machines? Will Schmied (Aug 15)
- <Possible follow-ups>
- RE: Tool to remotely detect MBlaster infected machines? Ostberg, Alex (Aug 15)
- RE: Tool to remotely detect MBlaster infected machines? david maynor (Aug 15)
- Re: Tool to remotely detect MBlaster infected machines? schwing (Aug 15)
- RE: Tool to remotely detect MBlaster infected machines? bo . berlas (Aug 19)
- RE: Tool to remotely detect MBlaster infected machines? Graham, Robert (ISS Atlanta) (Aug 19)