[Dshield] nachi/welchia

Richard Ginski rginski at co.pinellas.fl.us
Fri Jan 9 16:09:10 GMT 2004

True. However, we were trying to be proactive on finding them (of course
after the fact), instead of waiting for detection. The port scan (TCP
707) method seems to be working so far. Thanks for everyone's help.

>>> jullrich at sans.org 1/8/2004 1:34:25 PM >>>

Active Nachi infected machines are rather easy to spot. Any network
sniffer will show the ICMP traffic they generate. Even without a network
sniffer: walk to your switch/hub and see which LED blinks the fastest.
Walk to the machine and if there is no other network activity (e.g. a
download), it's likely infected.

On Thu, 2004-01-08 at 13:15, Mark Tombaugh wrote:
> On Thursday 08 January 2004 12:21 pm, Richard Ginski wrote:
> > We experienced the same thing yesterday. Does anyone know of a tool
> > that will _remotely_ detect an infected system without using AV
> Nachi opens up tcp 707 on the infected system, so you can use nmap or
> point-n-drooler port scanner of choice to find them.
> e.g. "nmap -sS -p 707" etc.
> Or let the pig loose: <http://www.snort.org>

CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 837 2807                          jullrich at sans.org

contact details: http://johannes.homepc.org/contact.htm
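The two indicators discussed in this thread, a listener on TCP 707 and a burst of ICMP echo requests to many different hosts, as an added example in Python. This is not code from the list or from any of the posters; the sniffer lines, the `10.0.0.x` addresses and the threshold of four distinct targets are constructed for the demonstration, and the port check is meant for hosts on a network you administer.

```python
"""Nachi/Welchia indicators: TCP 707 listeners and ICMP echo sweepers.

Added example, not from the mailing-list thread. Sample data below is constructed.
"""
import re
import socket

# Constructed tcpdump-style lines (not a real capture): one host pinging five
# different addresses in quick succession, and one ordinary ping/reply pair.
SAMPLE_SNIFFER_LINES = [
    "12:01:00.100 IP 10.0.0.5 > 10.0.1.1: ICMP echo request, id 512, seq 1, length 92",
    "12:01:00.101 IP 10.0.0.5 > 10.0.1.2: ICMP echo request, id 512, seq 1, length 92",
    "12:01:00.102 IP 10.0.0.5 > 10.0.1.3: ICMP echo request, id 512, seq 1, length 92",
    "12:01:00.103 IP 10.0.0.5 > 10.0.1.4: ICMP echo request, id 512, seq 1, length 92",
    "12:01:00.104 IP 10.0.0.5 > 10.0.1.5: ICMP echo request, id 512, seq 1, length 92",
    "12:01:00.300 IP 10.0.0.9 > 10.0.0.1: ICMP echo request, id 1, seq 1, length 64",
    "12:01:00.301 IP 10.0.0.1 > 10.0.0.9: ICMP echo reply, id 1, seq 1, length 64",
]

# Matches "IP <src> > <dst>: ICMP echo request" in tcpdump output.
ICMP_ECHO_REQUEST = re.compile(r"IP (\S+) > ([^:\s]+): ICMP echo request")


def icmp_sweepers(lines, min_targets=4):
    """Return {source: distinct_target_count} for sources that sent echo
    requests to at least `min_targets` different hosts. A worm scanning for
    victims fans out to many addresses; a normal ping does not."""
    targets = {}
    for line in lines:
        m = ICMP_ECHO_REQUEST.search(line)
        if m:
            targets.setdefault(m.group(1), set()).add(m.group(2))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def port_open(host, port=707, timeout=1.0):
    """True if a TCP connection to host:port completes (the Nachi indicator
    from the thread is a listener on TCP 707)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def find_listeners(hosts, port=707, timeout=1.0):
    """Check each host for a listener on `port`; returns the hosts that answer."""
    return [h for h in hosts if port_open(h, port, timeout)]


def start_local_listener():
    """Open a listening socket on loopback so port_open() can be exercised
    offline; returns (socket, port). Demo helper, not a detection function."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    print("ICMP sweepers:", icmp_sweepers(SAMPLE_SNIFFER_LINES))
    srv, port = start_local_listener()
    print("TCP", port, "open on loopback:", port_open("127.0.0.1", port))
    srv.close()
```

Feed `icmp_sweepers()` the output of `tcpdump -n icmp` from a span port, and `find_listeners()` a list of your own subnet's addresses; hosts that appear in either result are the ones to walk to and pull off the wire.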
