[Dshield] nachi/welchia

Johannes B. Ullrich jullrich at sans.org
Thu Jan 8 18:34:25 GMT 2004


Active Nachi-infected machines are rather easy to spot. Any network
sniffer will show the ICMP traffic they generate. Even without a network
sniffer: walk to your switch/hub and see which LED blinks the fastest.
Walk to the machine and if there is no other network activity (e.g. big
download), it's likely infected.



On Thu, 2004-01-08 at 13:15, Mark Tombaugh wrote:
> On Thursday 08 January 2004 12:21 pm, Richard Ginski wrote:
> > We experienced the same thing yesterday. Does anyone know of a tool that
> > will _remotely_ detect an infected system without using AV software?
> 
> Nachi opens up tcp 707 on the infected system, so you can use nmap or your 
> point-n-drooler port scanner of choice to find them. 
> e.g. "nmap -sS -p 707 192.168.1.0/24" etc. 
> 
> Or let the pig loose: <http://www.snort.org> 
-- 
CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 837 2807                          jullrich at sans.org 

contact details: http://johannes.homepc.org/contact.htm
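As an added example (not part of this message or the thread), a small Python script that applies the sniffer suggestion above: it reads tcpdump-style text output (the sample lines are constructed, not a real capture) and flags any source address that sends ICMP echo requests to many distinct hosts within a short window, the pattern a scanning host shows. The tcpdump line format, window length and target threshold are assumptions to adjust for your own captures.

```python
import re
from collections import defaultdict

# tcpdump-style lines, constructed for this example (not a real capture).
# 192.168.1.17 sweeps many destinations; 192.168.1.40 is an ordinary ping.
SAMPLE_CAPTURE = """\
12:00:00.000101 IP 192.168.1.17 > 192.168.2.1: ICMP echo request, id 512, seq 1, length 72
12:00:00.000402 IP 192.168.1.17 > 192.168.2.2: ICMP echo request, id 512, seq 1, length 72
12:00:00.000703 IP 192.168.1.17 > 192.168.2.3: ICMP echo request, id 512, seq 1, length 72
12:00:00.001004 IP 192.168.1.17 > 192.168.2.4: ICMP echo request, id 512, seq 1, length 72
12:00:00.001305 IP 192.168.1.17 > 192.168.2.5: ICMP echo request, id 512, seq 1, length 72
12:00:00.001606 IP 192.168.1.17 > 192.168.2.6: ICMP echo request, id 512, seq 1, length 72
12:00:00.500000 IP 192.168.1.40 > 192.168.1.1: ICMP echo request, id 7, seq 1, length 64
12:00:00.500900 IP 192.168.1.1 > 192.168.1.40: ICMP echo reply, id 7, seq 1, length 64
12:00:01.500000 IP 192.168.1.40 > 192.168.1.1: ICMP echo request, id 7, seq 2, length 64
12:00:01.900000 IP 192.168.1.17 > 192.168.2.7: ICMP echo request, id 512, seq 1, length 72
"""

# Assumed tcpdump -n text format: "HH:MM:SS.frac IP src > dst: ICMP echo request, ..."
ECHO_REQ = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.(\d+) IP (\S+) > (\S+): ICMP echo request,"
)

def _seconds(h, m, s, frac):
    return int(h) * 3600 + int(m) * 60 + int(s) + int(frac) / 10 ** len(frac)

def find_icmp_sweepers(capture, window=1.0, min_targets=5):
    """Return {source: max_distinct_targets} for sources that send echo
    requests to at least `min_targets` distinct hosts within `window` seconds."""
    by_src = defaultdict(list)  # source -> [(timestamp, destination), ...]
    for line in capture.splitlines():
        m = ECHO_REQ.match(line)
        if not m:
            continue  # echo replies and non-ICMP lines are ignored
        h, mi, s, frac, src, dst = m.groups()
        by_src[src].append((_seconds(h, mi, s, frac), dst))

    suspects = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            # distinct destinations hit in the window starting at this request
            targets = {d for t, d in events[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                suspects[src] = max(suspects.get(src, 0), len(targets))
    return suspects
```

Feed it the text output of `tcpdump -n icmp` taken from a mirror port; the thresholds are only starting points to tune against normal ping traffic on your network.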