rginski at co.pinellas.fl.us
Fri Jan 9 16:09:10 GMT 2004
True. However, we were trying to be proactive on finding them (of course
after the fact), instead of waiting for detection. The port scan (TCP
707) method seems to be working so far. Thanks for everyone's help.
>>> jullrich at sans.org 1/8/2004 1:34:25 PM >>>
Active Nachi infected machines are rather easy to spot. Any network
sniffer will show the ICMP traffic they generate. Even without a network
sniffer: walk to your switch/hub and see which LED blinks the fastest.
Walk to the machine and if there is no other network activity (e.g.
download), it's likely infected.
On Thu, 2004-01-08 at 13:15, Mark Tombaugh wrote:
> On Thursday 08 January 2004 12:21 pm, Richard Ginski wrote:
> > We experienced the same thing yesterday. Does anyone know of a tool
> > that will _remotely_ detect an infected system without using AV
> Nachi opens up tcp 707 on the infected system, so you can use nmap or
> point-n-drooler port scanner of choice to find them.
> e.g. "nmap -sS -p 707 192.168.1.0/24" etc.
> Or let the pig loose: <http://www.snort.org>
CTO SANS Internet Storm Center http://isc.sans.org
phone: (617) 837 2807 jullrich at sans.org
contact details: http://johannes.homepc.org/contact.htm
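The two detection methods discussed in this thread, the passive one (an infected host emitting a burst of ICMP echo requests to many neighbours while it scans) and the active one (probing TCP 707 on every host in a range, as the nmap one-liner does), as an added example that is not code from any of the posters. The ICMP records, the 10.0.0.0/24 addresses and the threshold of 20 distinct destinations per second are all constructed assumptions for the example; the `tcp_port_open` probe is a full TCP connect rather than nmap's half-open `-sS`.

```python
"""Spotting Nachi-infected hosts two ways: passively, from the burst of
ICMP echo requests an infected machine sends while scanning, and
actively, by connecting to the TCP 707 listener mentioned in the thread.
Added example, not code from the original thread. Sample packets are
constructed, not captured."""
import ipaddress
import socket
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Tuple

# (timestamp_seconds, src_ip, dst_ip, icmp_type) -- constructed records in the
# shape a sniffer would report. ICMP type 8 = echo request, 0 = echo reply.
# Host .23 sweeps 30 neighbours in 0.3 s (worm-like); host .50 pings one
# box once a second (normal); host .77 only answers pings.
SAMPLE_ICMP: List[Tuple[float, str, str, int]] = (
    [(round(i * 0.01, 2), "10.0.0.23", f"10.0.0.{100 + i}", 8) for i in range(30)]
    + [(float(i), "10.0.0.50", "10.0.0.1", 8) for i in range(5)]
    + [(float(i), "10.0.0.77", "10.0.0.50", 0) for i in range(5)]
)


def flag_icmp_scanners(records: Iterable[Tuple[float, str, str, int]],
                       window: float = 1.0,
                       threshold: int = 20) -> Dict[str, int]:
    """Return {src_ip: peak_distinct_dsts} for every source that sends echo
    requests to more than `threshold` distinct destinations within any
    `window`-second span. Counting distinct destinations (not packets)
    keeps an ordinary `ping -f` to one host from being flagged."""
    per_src: Dict[str, List[Tuple[float, str]]] = defaultdict(list)
    for ts, src, dst, icmp_type in records:
        if icmp_type == 8:                      # echo requests only
            per_src[src].append((ts, dst))

    flagged: Dict[str, int] = {}
    for src, pkts in per_src.items():
        pkts.sort()                             # by timestamp
        in_window: Dict[str, int] = defaultdict(int)  # dst -> hits in window
        left = 0
        peak = 0
        for ts, dst in pkts:
            in_window[dst] += 1
            # slide the left edge forward until the window spans <= `window` s
            while ts - pkts[left][0] > window:
                old_dst = pkts[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak > threshold:
            flagged[src] = peak
    return flagged


def tcp_port_open(host: str, port: int = 707, timeout: float = 0.5) -> bool:
    """Full TCP connect probe (nmap -sS does a half-open SYN scan instead)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:
            return False


def scan_for_nachi(cidr: str,
                   probe: Callable[[str], bool] = tcp_port_open) -> List[str]:
    """Every host in `cidr` on which `probe` succeeds; the default probe is
    the TCP 707 check from the thread. A hit is a lead, not proof: confirm
    with the ICMP behaviour above or on the box itself before rebuilding it."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(h) for h in net.hosts() if probe(str(h))]


if __name__ == "__main__":
    print("ICMP sweepers:", flag_icmp_scanners(SAMPLE_ICMP))
    # Real run (your own network only): scan_for_nachi("192.168.1.0/24")
    # Offline demo with a stand-in probe instead of live sockets:
    print("TCP 707 hits:", scan_for_nachi("10.0.0.0/30",
                                          probe=lambda h: h == "10.0.0.2"))
```

The ICMP detector needs packet records from whatever sniffer you already run (tcpdump, Snort, a span port); the port-scan half is just the nmap command from the thread with the `probe` made pluggable so it can be exercised without touching the wire.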