[Dshield] Can Nmap give false positives?
RShady at stny.rr.com
Sat Jan 11 15:47:11 GMT 2003
Here is a simple batch file called IRCBOT-Detector. You could open it
with Notepad or any other text editor and modify it to check each server on
your domain, or run the file separately on each server.
Just a thought....
Wayne Beckham wrote:
>I'm using the SourceForge's NmapWin to look for illicit mIRC servers
>across my company's enterprise WAN. It's related to a hack called
>"TK1" that we still haven't completely figured out. But the point of
>this message is that it loads mIRC.
>At any rate, Nmap will report irc on ports 6667 on a particular Win2K
>server - however when I go to the server in question, I can't find
>any installation of mIRC (which could be hidden, I suppose) but more
>importantly I can't find anything running on the particular port.
>netstat doesn't show anything listening or connected - maybe I'm
>running that wrong? Ditto for nbtstat - only normal connections.
>What am I missing?
></FLAME SHIELDS ON>
>- - Wayne