[Dshield] Port 135

KickerRick kickerrick at kickerrick.servebeer.com
Sat Oct 19 06:19:41 GMT 2002


    I've been doing this since Code Red came out. A program called SendAMess
2.0 sits in the tray with a text message giving links to removing nimda and
code red infections. I go through my IDS autoblock and firewall logs,
unblock and message the infected computer. Rarely do the infected computers
return, but occasionally when they do it's usually because someone either is
impatiently hitting OK to get rid of the pop up, or they just don't care I
figure.
    Now I get "unethical", and send the infected computer a shutdown
message, which pops a message up which gets the point across that their
computer is infected and needs maintenance; "VIRUS/TROJAN INFECTION
ALERT-SHUTTING DOWN!". Their computer then initiates a normal shut down,
including asking them if they want to save any open text files.
    I know the latter will rankle a few, but nothing else seems to work.
This does. There are a few instances where neither a net send nor a shutdown
will work, and I'm not sure, but I believe this is because the IP of the
infected computer has changed, which also brings up the point that a few
computers will erroneously receive the message because I usually send the
messages out at the end of the day, so some earlier IPs may have changed.
For these I send notices to the ISP telling them that the possibly infected
computer didn't respond to net send warnings, and would they please forward
the warning to the user. Of course these are auto-acked and ignored, I'm
sure. Maybe not.


----- Original Message -----
From: "Jon R. Kibler" <Jon.Kibler at aset.com>
To: <list at dshield.org>
Sent: Wednesday, October 16, 2002 7:38 AM
Subject: Re: [Dshield] Port 135


> You know, a public domain version of this tool, used to send text-only
> messages, could be quite useful!
>
> Q: What is the biggest problem we have dealing with infected systems?
> A: Contacting the actual admin of the system.
>
> Thus, my idea:
> Almost any system insecure enough to be infected by Nimda, SQLSnake, etc.
> is probably insecure enough to have Port 135 open. Therefore, we could take
> a public domain version of the spam tool described in this article,
> integrate it into our IDSes, and when we get hit by an infected system,
> blast back to the system console a Pop-Up Message along the lines of "Hey
> dummy, your system is infected by [insert parasite name]. How about doing a
> better job of securing your systems?". At least we would then know that
> someone knows about the infected system!
>
> Just a thought... a little perverse thought maybe, but a thought just the
> same.
>
> Jon Kibler
> A.S.E.T., Inc.
> Charleston, SC  USA
>
> Roger wrote:
> >
> > Getting  suspicious hits on port 135?  This may explain it.  A new breed
> > of spam slam.
> >
> > http://www.wired.com/news/technology/0,1282,55795,00.html
> >
>
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
>
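The triage step KickerRick describes (go through the firewall logs, pick out the hosts that hit port 135, and decide which ones are still worth contacting before their DHCP lease rolls over) can be done with a short script. The following is an added example, not code from this thread or from DShield; the log line format and the addresses in SAMPLE_LOG are constructed for illustration, and the two-hour freshness window is an assumed default, not a value from the post.

```python
"""Triage firewall drop logs for port-135 hits and separate the sources that
were seen recently (safe to notify) from those whose last hit is old enough
that the address may already belong to someone else.

Added example, not code from the DShield thread. The log format below is
constructed: "<date> <time> DROP <src_ip> <src_port> <dst_ip> <dst_port>".
"""
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2002-10-18 08:01:12 DROP 10.1.2.3 1234 192.0.2.10 135
2002-10-18 08:02:40 DROP 10.1.2.3 1235 192.0.2.10 135
2002-10-18 09:15:00 DROP 10.9.8.7 4444 192.0.2.10 80
2002-10-18 17:55:07 DROP 10.5.5.5 2000 192.0.2.10 135
2002-10-17 11:00:00 DROP 10.7.7.7 3000 192.0.2.10 135
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_line(line):
    """Return (timestamp, src_ip, dst_port) for one log line, or None if
    the line does not match the constructed format."""
    parts = line.split()
    if len(parts) != 7 or parts[2] != "DROP":
        return None
    try:
        ts = datetime.strptime(parts[0] + " " + parts[1], TIME_FMT)
        return ts, parts[3], int(parts[6])
    except ValueError:
        return None


def port_sources(log_text, port=135):
    """Map each source IP that hit `port` to (hit_count, last_seen)."""
    seen = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dport = rec
        if dport != port:
            continue
        count, last = seen.get(src, (0, None))
        seen[src] = (count + 1, ts if last is None or ts > last else last)
    return seen


def triage(log_text, now_str, max_age_hours=2, port=135):
    """Split port hits into 'fresh' sources (last hit within max_age_hours
    of `now_str`, worth contacting) and 'stale' ones (the IP may have been
    reassigned since; better routed to the ISP than messaged directly).
    Both lists are sorted so the output is stable."""
    now = datetime.strptime(now_str, TIME_FMT)
    max_age = timedelta(hours=max_age_hours)
    fresh, stale = [], []
    for ip, (_count, last) in sorted(port_sources(log_text, port).items()):
        (fresh if now - last <= max_age else stale).append(ip)
    return {"fresh": fresh, "stale": stale}


if __name__ == "__main__":
    # End-of-day run, as in the post: only one source is still fresh.
    result = triage(SAMPLE_LOG, "2002-10-18 18:00:00")
    print("notify now:", result["fresh"])
    print("send to ISP instead:", result["stale"])
```

The point of the `max_age_hours` cut-off is the one the post raises: a host that scanned you this morning may have a different address by evening, so an end-of-day batch of messages will reach the wrong people unless old entries are filtered out first. Anything that lands in `stale` is the set the post forwards to the ISP rather than messaging directly.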
