Re: track worm virus on NT/W2K machines

[oudot <oudot () rstack org>]

Valdis.Kletnieks () vt edu a écrit:
> On Thu, 01 Jan 1998 00:12:12 +0800, Mohd Adam Baharun <adamxx7 () streamyx com>  said:
>
>
> > I would like some suggestion on what software to use / be good if its free, 
> > so that I can install on one of my NT or W2K servers to track down worms 
> > like the current WELCHIA, BLASTER and DUMARU. My organization networks are 
> > currently badly hit by these worms. Please help.
>
>
> For Welchia/Nachi, all you need to do is look for ICMP PING traffic.  Even
> 'tcpdump -i ethX icmp' should be enough to get you started.
>
> Blaster you'll probably need Snort or similar, because you can't just look
> for port 135 traffic, you need a more detailed signature.
>
> I *think* both tcpdump and Snort are available for Windows platforms, but I
> would suggest that you get yourself a *NON* Windows box for this sort of thing,
> for a *VERY* good reason:
>
> If you're trying to examine an unknown meltdown that's affecting Windows boxes,
> the *LAST* thing you want is to hook up a Windows-based monitor and have it
> get compromised as well, probably before you know it.....

As i proposed in a previous email (look at the next url), honeyd the 
free software honeypot of Niels Provos, can easily be used to fight 
against worms or to detect such evil activities (monitor ICMP echo 
requests, TCP port 135 requests, TCP port 4444 requests...).

Read this if you need help : http://www.securityfocus.com/archive/119/333927

--
oudot laurent
[team rstack]
http://www.rstack.org