Security Incidents mailing list archives

RE: Subseven Scans


From: H C <keydet89 () yahoo com>
Date: Tue, 13 Aug 2002 10:46:49 -0700 (PDT)


A recon probe against the attacking hosts that were
up, indicated that they
are all windows hosts, all with port 139 open to the
public. Some hosts did
show signs of being compromised and had viruses
present. 

Interesting.  How was this determined?

It was determined
that all attacking hosts are unknowingly being used
to attack other systems.

Really?  How so?  Were you able to conduct a virus
scan of the attacking hosts and determine that the
Trojan or controlling software was actually being
used?  After all, one cannot conclusively determine,
even on an infected system, that the user of the
attacking host was unaware that it was infected, and
had conducted a port scan.  After all, nmap 3.0 was
recently released...and yes, it does run on Win32
(precompiled binary available).  

The above statement is simply too emphatic for me,
without more information.  At best, one can say that
it was determined with a relative degree of certainty
that the attacking host was unknowingly used to attack
other systems.

This goes back to what I mentioned earlier to
Rob...until someone posts some speculation (including
non-reproducible verification steps...or not) and in
the end, the community really hasn't benefited
overall.  

I'm glad to see that someone took a look at the
hosts...Rob sent me some info about the majority being
from Korea...but I think that it would benefit the
community as a whole to know how those steps were
conducted...how was it determined that the systems
were infected, and how was it determined that the
infection, the malware installed, was actually what
was doing the scanning, and not a port scanner?
 



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
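As an added example (not code from the original thread or any of its
authors), here is one reproducible check of the kind the post asks for:
given firewall log lines from the attacking hosts, it separates a
single-port sweep across many targets from a multi-port scan of one
host. The log lines are constructed, the log format is assumed, and
the SubSeven default port (27374) is an assumption the page itself
does not state. The verdict is a heuristic: as the post points out, a
one-port sweep could just as easily be a user running nmap against a
single port, so this says what the traffic looks like, not who ran it.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not real data from the thread), in a
# generic "date time action src:sport -> dst:dport" shape. Addresses come
# from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2002-08-12 03:10:01 DROP 203.0.113.10:1034 -> 192.0.2.5:27374
2002-08-12 03:10:01 DROP 203.0.113.10:1035 -> 192.0.2.6:27374
2002-08-12 03:10:02 DROP 203.0.113.10:1036 -> 192.0.2.7:27374
2002-08-12 03:10:02 DROP 203.0.113.10:1037 -> 192.0.2.8:27374
2002-08-12 04:22:17 DROP 198.51.100.9:40001 -> 192.0.2.5:21
2002-08-12 04:22:17 DROP 198.51.100.9:40002 -> 192.0.2.5:22
2002-08-12 04:22:17 DROP 198.51.100.9:40003 -> 192.0.2.5:80
2002-08-12 04:22:17 DROP 198.51.100.9:40004 -> 192.0.2.5:139
2002-08-12 04:22:18 DROP 198.51.100.9:40005 -> 192.0.2.5:27374
2002-08-12 05:01:44 DROP 203.0.113.77:2201 -> 192.0.2.5:27374
"""

LINE_RE = re.compile(
    r"^\S+ \S+ \S+ (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)

# Assumption: SubSeven's default listening port; the page itself names no port.
SUBSEVEN_DEFAULT_PORT = 27374


def parse(log_text):
    """Group (dst_ip, dst_port) pairs by source address; skip unparsable lines."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, dst, port = m.group(1), m.group(2), int(m.group(3))
        by_src[src].append((dst, port))
    return dict(by_src)


def classify(events, trojan_port=SUBSEVEN_DEFAULT_PORT, min_targets=3):
    """Heuristic only: one port across many hosts looks like a trojan-port
    sweep; many ports on one host looks like a port scanner. Neither proves
    who or what ran it, which is the thread's open question."""
    ports = {p for _, p in events}
    targets = {d for d, _ in events}
    if ports == {trojan_port} and len(targets) >= min_targets:
        return "trojan-port sweep"
    if len(ports) > 1 and len(targets) == 1:
        return "port scan of one host"
    return "inconclusive"


def summarize(log_text):
    """Return {source_ip: classification} for every source in the log."""
    return {src: classify(ev) for src, ev in parse(log_text).items()}


if __name__ == "__main__":
    for src, verdict in summarize(SAMPLE_LOG).items():
        print(f"{src:16} {verdict}")
```

Run on the constructed lines, 203.0.113.10 comes out as a trojan-port
sweep, 198.51.100.9 as a port scan of one host, and 203.0.113.77 (a
single probe) as inconclusive. Confirming that the sweeping host is
actually infected, rather than a user with a scanner, still needs
evidence from the host itself, which is the gap the post is pointing at.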

