[Dshield] nachi/welchia

Richard Ginski rginski at co.pinellas.fl.us
Fri Jan 9 16:09:10 GMT 2004


True. However, we were trying to be proactive on finding them (of course
after the fact), instead of waiting for detection. The port scan (TCP
707) method seems to be working so far. Thanks for everyone's help.

>>> jullrich at sans.org 1/8/2004 1:34:25 PM >>>

Active Nachi infected machines are rather easy to spot. Any network
sniffer will show the ICMP traffic they generate. Even without a network
sniffer: walk to your switch/hub and see which LED blinks the fastest.
Walk to the machine and if there is no other network activity (e.g. big
download), it's likely infected.



On Thu, 2004-01-08 at 13:15, Mark Tombaugh wrote:
> On Thursday 08 January 2004 12:21 pm, Richard Ginski wrote:
> > We experienced the same thing yesterday. Does anyone know of a tool that
> > will _remotely_ detect an infected system without using AV software?
> 
> Nachi opens up tcp 707 on the infected system, so you can use nmap or your
> point-n-drooler port scanner of choice to find them.
> e.g. "nmap -sS -p 707 192.168.1.0/24" etc.
> 
> Or let the pig loose: <http://www.snort.org>
-- 
CTO SANS Internet Storm Center               http://isc.sans.org 
phone: (617) 837 2807                          jullrich at sans.org 

contact details: http://johannes.homepc.org/contact.htm
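The two detection routes the thread describes, written out as an added example (this is not code from the thread or from any of its posters): a sweep detector that flags a source pinging many distinct hosts inside a short window, plus a TCP 707 connect check to confirm a suspect. The capture lines are constructed; the parser assumes tcpdump's default ICMP line format, and the 20-host/60-second threshold is an assumed starting point.

```python
import re
import socket
from collections import defaultdict

# Constructed tcpdump-style sample: 10.0.0.7 sweeps 10.0.1.0/24 the way an infected
# host does; 10.0.0.3 pings its gateway once (benign).
SAMPLE_LOG = "\n".join(
    [f"12:00:{i:02d}.000000 IP 10.0.0.7 > 10.0.1.{i}: ICMP echo request, id 512, seq {i}, length 64"
     for i in range(1, 40)]
    + ["12:00:05.000000 IP 10.0.0.3 > 10.0.0.1: ICMP echo request, id 1, seq 1, length 64",
       "12:00:06.000000 IP 10.0.0.1 > 10.0.0.3: ICMP echo reply, id 1, seq 1, length 64"])

LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.\d+ IP (\S+) > (\S+): ICMP echo request")

def parse_echo_requests(log):
    """Yield (seconds since midnight, src, dst) for every ICMP echo request line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            h, mi, s, src, dst = m.groups()
            yield int(h) * 3600 + int(mi) * 60 + int(s), src, dst

def find_sweepers(log, window=60, min_targets=20):
    """Return {src: peak distinct hosts pinged within `window` s} for sweeping sources."""
    by_src = defaultdict(list)
    for t, src, dst in sorted(parse_echo_requests(log)):
        by_src[src].append((t, dst))
    flagged = {}
    for src, hits in by_src.items():
        live, start, peak = defaultdict(int), 0, 0  # live: dst -> hits inside window
        for t, dst in hits:
            live[dst] += 1
            while hits[start][0] < t - window:  # expire hits older than the window
                old = hits[start][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                start += 1
            peak = max(peak, len(live))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged

def listens_on_707(host, timeout=1.0):
    """Confirmation step from the thread: does the suspect accept TCP connects on 707?"""
    try:
        with socket.create_connection((host, 707), timeout=timeout):
            return True
    except OSError:
        return False
```

Feed `find_sweepers` the output of `tcpdump -n icmp` and run `listens_on_707` only against the sources it flags; a single ping to a gateway never crosses the threshold.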
