Penetration Testing mailing list archives
Re: Conficker - your opinion on how to determine the source of infection on a given network
From: Alexander Bas <bas.alexander () gmail com>
Date: Wed, 26 Aug 2009 17:06:45 +0800
I agree... For example, you may want to check the date and time your AV detected the worm on a specific machine and check the username that was used (if available) at the time the worm was detected. Thereafter, check the Event Viewer security logs and look for that specific date and time. Check for failure or success logon audits. If you have found the logs matching the date, time and username, check the workstation name and the originating source address in those logs.

On Fri, Aug 14, 2009 at 1:55 AM, Tiflin, Conrad (ZA - Cape Town) <ctiflin () deloitte co za> wrote:
Quick question to all. I would like to identify the SOURCE computer from which the "downadup.a" worm variant originated on a given network which has been infected. Minimal thinking tells me that I should search for the computer that's running an HTTP server between ports [1024 and 10000] - the result may be the source. Anyone else have better ideas to determine the source computer on a network from which Conficker originated?

./CT

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of madunix
Sent: 23 February 2009 09:54 AM
To: pen-test () securityfocus com
Subject: Microsoft bounty for worm creator!

http://news.bbc.co.uk/2/hi/technology/7887577.stm

"A reward of $250,000 (£172,000) has been offered by Microsoft to find who is behind the Downadup/Conficker virus."

-- THE MASTER
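The correlation described in the reply above, written out as an added example (not code from any poster in this thread): take the AV detection time and username, scan a CSV export of the infected host's Security log for logon audits in the window before detection, and rank the remote workstation names and source addresses that appear. The CSV column names, the event IDs chosen, the 15-minute window and every record in the sample log are assumptions constructed for illustration.

```python
"""Correlate an AV detection with logon events from a Security-log export.

Assumed input: a CSV export of the infected host's Security log with the
columns below (this header is the example's own convention, not Event
Viewer's exact layout). Event IDs 528/540 (successful logon) and 529
(failed logon) are the Windows XP/2003 IDs of the Conficker era; 4624/4625
are their Vista-and-later equivalents.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample data: Security log of the infected host WS-42.
SAMPLE_SECURITY_LOG = """\
time,event_id,outcome,user,workstation,source_address
2009-08-10 14:20:05,540,Success,svc_backup,BACKUP01,10.1.1.5
2009-08-10 14:25:00,540,Success,jdoe,WS-03,10.1.2.3
2009-08-10 14:29:40,529,Failure,jdoe,WS-17,10.1.2.17
2009-08-10 14:29:41,529,Failure,jdoe,WS-17,10.1.2.17
2009-08-10 14:30:55,540,Success,jdoe,WS-17,10.1.2.17
2009-08-10 14:31:02,540,Success,jdoe,WS-17,10.1.2.17
2009-08-10 14:31:30,528,Success,jdoe,WS-42,127.0.0.1
2009-08-10 14:40:00,612,Success,SYSTEM,WS-42,-
"""

LOGON_EVENTS = {"528", "529", "540", "4624", "4625"}
LOCAL_ADDRESSES = {"127.0.0.1", "::1", "-", ""}


def parse_security_log(text):
    """Return only the logon-audit rows, with the timestamp parsed."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["event_id"] not in LOGON_EVENTS:
            continue
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        events.append(row)
    return events


def correlate(detected_at, user, events, window=timedelta(minutes=15)):
    """Rank remote (workstation, source address) pairs that logged on as
    `user` in the window before the AV detection. Local logons are dropped
    because a remote source is what the investigation is after."""
    start = detected_at - window
    stats = {}
    for ev in events:
        if not start <= ev["time"] <= detected_at:
            continue
        if user and ev["user"].lower() != user.lower():
            continue
        if ev["source_address"] in LOCAL_ADDRESSES:
            continue
        key = (ev["workstation"], ev["source_address"])
        s = stats.setdefault(key, {"successes": 0, "failures": 0})
        s["successes" if ev["outcome"] == "Success" else "failures"] += 1
    ranked = sorted(stats.items(),
                    key=lambda kv: kv[1]["successes"] + kv[1]["failures"],
                    reverse=True)
    return [{"workstation": w, "source_address": a, **s}
            for (w, a), s in ranked]


def investigate(log_text, detected_at, user, window_minutes=15):
    """Convenience wrapper: detection time given as 'YYYY-MM-DD HH:MM:SS'."""
    events = parse_security_log(log_text)
    when = datetime.strptime(detected_at, "%Y-%m-%d %H:%M:%S")
    return correlate(when, user, events, timedelta(minutes=window_minutes))


if __name__ == "__main__":
    # Constructed AV alert: worm detected on WS-42 at 14:32:10 under user jdoe.
    for c in investigate(SAMPLE_SECURITY_LOG, "2009-08-10 14:32:10", "jdoe"):
        print(f"{c['workstation']:10} {c['source_address']:12} "
              f"ok={c['successes']} fail={c['failures']}")
```

On the sample data the top candidate is WS-17 at 10.1.2.17, with two failed and two successful logons as jdoe in the minutes before detection. The result is one hop back, not the origin: the next step is to pull the Security log of the top candidate and repeat the same correlation with its own AV detection time, until the chain ends at a host with no earlier remote logon.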