Security Incidents mailing list archives
RE: Subseven Scans
From: H C <keydet89 () yahoo com>
Date: Tue, 13 Aug 2002 10:46:49 -0700 (PDT)
> A recon probe against the attacking hosts that were up indicated that they are all Windows hosts, all with port 139 open to the public. Some hosts did show signs of being compromised and had viruses present.

Interesting. How was this determined?

> It was determined that all attacking hosts are unknowingly being used to attack other systems.

Really? How so? Were you able to conduct a virus scan of the attacking hosts and determine that the Trojan or controlling software was actually being used? After all, one cannot conclusively determine, even on an infected system, that the user of the attacking host was unaware that it was infected, and had conducted a port scan. After all, nmap 3.0 was recently released...and yes, it does run on Win32 (precompiled binary available).

The above statement is simply too emphatic for me, without more information. At best, one can say that it was determined with a relative degree of certainty that the attacking host was unknowingly used to attack other systems.

This goes back to what I mentioned earlier to Rob...until someone posts some speculation (including non-reproducible verification steps...or not) and in the end, the community really hasn't benefited overall. I'm glad to see that someone took a look at the hosts...Rob sent me some info about the majority being from Korea...but I think that it would benefit the community as a whole to know how those steps were conducted...how was it determined that the systems were infected, and how was it determined that the infection, the malware installed, was actually what was doing the scanning, and not a port scanner?

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com