Honeypots mailing list archives

Re: track worm virus on NT/W2K machines


From: oudot <oudot () rstack org>
Date: Fri, 22 Aug 2003 18:25:30 +0200



Luis Miguel Silva wrote:
> Somebody posted to this mailing list with a solution about using honeyd to help you patch your network.

Yeah, it's me.
Look at http://lists.insecure.org/lists/focus-ids/2003/Aug/0089.html

> What he did basically was:
> a) listen for traffic on port 135.
> b) when contacted, connect to the source host on port 4444 (since the "exploit"/worm opens this port)

The idea is almost that, but not exactly.

Port 4444 is closed on the remote infected host.

But if you are fast enough (automatic), and if the remote infected host is not dying because of an RPC DCOM crash, you can abuse this host on its port 135, by using the same vulnerability that MSBlaster uses (!), and get a shell (don't take 4444 as a remote shell port; that may not be OK).

> c) execute some commands... (like downloading the patch and executing it)!


Yeah, but it's not possible if the remote host is not one of yours (laws).

> Look in this mailing list for his original post!
>
> Regards,
> +-----------------------------------------
> | Luis Miguel Silva
> | Network Administrator@ ISPGaya.pt
> | Rua Antonio Rodrigues da Rocha, 291/341 | Sto. Ovidio . 4400-025 V. N. de Gaia
> | Portugal
> | T: +351 22 3745730/3/5  F: +351 22 3745738
> | G: +351 93 6371253      E: lms () ispgaya pt
> | H: http://lms.ispgaya.pt/
> +-----------------------------------------
> -----Original Message-----
> From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu]
> Sent: Friday, 22 August 2003 14:43
> To: Mohd Adam Baharun
> Cc: honeypots () securityfocus com
> Subject: Re: track worm virus on NT/W2K machines

> On Thu, 01 Jan 1998 00:12:12 +0800, Mohd Adam Baharun <adamxx7 () streamyx com> said:
>
> > I would like some suggestions on what software to use (it would be good if it's free), so that I can install it on one of my NT or W2K servers to track down worms like the current WELCHIA, BLASTER and DUMARU. My organization's networks are currently badly hit by these worms. Please help.


> For Welchia/Nachi, all you need to do is look for ICMP PING traffic. Even
> 'tcpdump -i ethX icmp' should be enough to get you started.
>
> For Blaster you'll probably need Snort or similar, because you can't just look
> for port 135 traffic; you need a more detailed signature.
>
> I *think* both tcpdump and Snort are available for Windows platforms, but I
> would suggest that you get yourself a *NON* Windows box for this sort of thing,
> for a *VERY* good reason:
>
> If you're trying to examine an unknown meltdown that's affecting Windows boxes,
> the *LAST* thing you want is to hook up a Windows-based monitor and have it
> get compromised as well, probably before you know it...
>
> Software diversity is a Good Thing.
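One way to put Valdis's "look for ICMP PING traffic" advice into practice, as an added example that is not part of the original thread or anyone's post in it: a small Python script that reads tcpdump summary lines and flags any source that sends echo requests to many distinct destinations within a short window, which is what a scanning worm does and an ordinary ping does not. The line format it parses (`IP src > dst: ICMP echo request, id N, seq N, length N`) is the modern tcpdump summary form and is assumed; the log lines are constructed, and the thresholds are arbitrary starting points.

```python
"""Flag ICMP echo sweepers in tcpdump output (added example, not from the thread).

Heuristic: a scanning worm sends echo requests to many distinct hosts in a
short time; ordinary ping traffic goes to one or two. The line format
assumed is the modern tcpdump summary line; all sample lines are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed format of tcpdump's ICMP echo-request summary line.
ECHO_REQUEST = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d{6}) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo request, id \d+, seq \d+, length (?P<len>\d+)$"
)


def parse_echo_requests(lines):
    """Return [(timestamp, src, dst, length)] for echo-request lines; skip the rest."""
    out = []
    for line in lines:
        m = ECHO_REQUEST.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
            out.append((ts, m["src"], m["dst"], int(m["len"])))
    return out


def find_sweepers(lines, min_targets=16, window=timedelta(seconds=10)):
    """Map each source to the largest number of distinct destinations it probed
    within any `window`-long span; only sources reaching `min_targets` are kept."""
    by_src = defaultdict(list)
    for ts, src, dst, _ in parse_echo_requests(lines):
        by_src[src].append((ts, dst))

    sweepers = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()  # dst -> echo requests inside the current window
        start = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the window start forward past events older than `window`.
            while ts - events[start][0] > window:
                old_dst = events[start][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                start += 1
            if len(in_window) >= min_targets:
                sweepers[src] = max(sweepers.get(src, 0), len(in_window))
    return sweepers


def constructed_sample():
    """Constructed tcpdump lines: 10.0.0.5 sweeps 10.0.1.1-40 at 1 ms spacing,
    while 10.0.0.9 just pings 10.0.0.1 three times and gets replies."""
    lines = []
    for i in range(40):
        lines.append(
            f"14:43:00.{i * 1000:06d} IP 10.0.0.5 > 10.0.1.{i + 1}: "
            f"ICMP echo request, id 512, seq {i + 1}, length 72"
        )
    for seq in range(1, 4):
        lines.append(f"14:43:01.{seq * 100000:06d} IP 10.0.0.9 > 10.0.0.1: "
                     f"ICMP echo request, id 7, seq {seq}, length 64")
        lines.append(f"14:43:01.{seq * 100000 + 500:06d} IP 10.0.0.1 > 10.0.0.9: "
                     f"ICMP echo reply, id 7, seq {seq}, length 64")
    return lines


if __name__ == "__main__":
    for src, n in find_sweepers(constructed_sample()).items():
        print(f"{src}: echo requests to {n} distinct hosts within 10 s")
```

This only covers the ICMP-sweeping behaviour Valdis describes for Welchia/Nachi; for Blaster his point stands that a content signature on the port 135 traffic is needed. Hosts that legitimately ping many addresses (monitoring systems, for instance) will trip the heuristic, so tune `min_targets` and `window` to the network and allowlist those sources before acting on a hit.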



