Jeff Kell jeff-kell at utc.edu
Thu Jan 8 17:47:08 GMT 2004

Richard Ginski wrote:

> We experienced the same thing yesterday. Does anyone know of a tool that
> will _remotely_ detect an infected system without using AV software?
> (Yes, they supposedly already have AV software installed on them) We
> have tools to detect the unpatched systems....vulnerable to
> nachi/welchia infection.  However, we need to find the systems that are
> _actually_ infected...whether they have been patched or not. TIA

Nachi leaves port 707 open.  Try this on for size:

> nmap -sS -p707 -oG - AAA.BBB.0.0/16 | grep 'Ports: 707/open/tcp' \
>                                     | cut -d' ' -f2 \
>                                     | sort -t. -k3,3n -k4,4n \
>                                     | mail -s "Nachi suspects" foo@bar.com
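
Added example, not part of the original post: a filter for saved nmap grepable (-oG) output that lists hosts with TCP 707 open even when other ports were scanned in the same run, sorted on all four octets. The function names and the sample scan lines are constructed for illustration; the hosts it prints are suspects to check, as the mail subject above says.

```sh
#!/bin/sh
# Constructed sample of nmap grepable output (documentation address range).
sample_scan() {
    printf 'Host: 192.0.2.20 ()\tPorts: 707/open/tcp//unknown///\n'
    printf 'Host: 192.0.2.3 ()\tPorts: 135/open/tcp//msrpc///, 707/open/tcp//unknown///\n'
    printf 'Host: 192.0.2.9 ()\tPorts: 707/filtered/tcp//unknown///\n'
    printf 'Host: 192.0.2.5 ()\tPorts: 7070/open/tcp//unknown///\n'
    printf '# Nmap run completed\n'
}

# Read grepable output on stdin and print each host whose TCP port
# (default 707) is reported as open, one address per line, sorted numerically.
nachi_suspects() {
    port="${1:-707}"
    awk -v port="$port" '
        /^Host: / && /Ports: / {
            ip = $2
            # Keep only the port list: text after "Ports: " up to the next tab.
            sub(/^.*Ports: /, "")
            sub(/\t.*$/, "")
            n = split($0, entries, /, */)
            for (i = 1; i <= n; i++) {
                # Each entry is port/state/protocol/owner/service/...
                split(entries[i], f, "/")
                if (f[1] == port && f[2] == "open" && f[3] == "tcp") {
                    print ip
                    break
                }
            }
        }
    ' | sort -u -t. -k1,1n -k2,2n -k3,3n -k4,4n
}

# Demo on the constructed sample; for real use, pipe a saved -oG file in.
sample_scan | nachi_suspects
```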


