[Dshield] Re: list Digest, Vol 15, Issue 17

James C. Slora Jr. Jim.Slora at phra.com
Sun Mar 14 15:46:05 GMT 2004


On Sat, 13 Mar 2004 21:01:11 +0200, Korhonen Juuso wrote

> Can somebody tell me whether this is a scanning tool or a computer with a virus
> with a scan pattern like this:

> Scanned ports: 2745, 1025, 135, 445, 6129

> I am having scans like this originating mainly from addresses
> starting with 61. and 68.

Your probe is similar to Mockbot except it does not have a TCP 3410 probe.
Some newer Agobot variants are also somewhat similar except they usually
include TCP 80. I am seeing a pretty wide variety of multi-port scans that
include subsets, supersets, and intersections of the probes you listed.

DameWare, MyDoom, RPC, and brute-force share password probes are all wildly
popular with the skiddies - there are too many competing tools and botnet
worm functions to make any judgement based on probed ports alone. Even if
you find an exact match it will not prove the source.

Windows kindly allows multiple attack vectors on 135 and 445, and any port
can run a trojan under any OS - so there is no way to be sure what the
prober would do on ports that do respond unless you can afford the time to
run a honeypot and analyze the payloads. Even then two similar probes won't
necessarily have the same payload.
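The reply's point is that a probed-port set is only weak evidence: several tools share most of the same ports, and a given source may hit a subset or superset of any one signature. The following is an added example, not part of the original post or the DShield list, that makes the comparison explicit: it groups a constructed firewall log by source address, builds each source's TCP port set, and scores it against a small signature table built from the ports named in the thread (the reported pattern, a Mockbot-like pattern with TCP 3410 added, and an Agobot-like pattern with TCP 80 added). The log line format, the address values and the signature table are all assumptions made for this example, and the result deliberately reports ties rather than picking a single winner.

```python
import re
from collections import defaultdict

# Port sets derived from the post's description: the reported probe, Mockbot
# (same ports plus TCP 3410) and a newer Agobot-like variant (same ports plus
# TCP 80). These are coarse illustrative signatures assumed for this example,
# not an authoritative fingerprint database.
SIGNATURES = {
    "reported-pattern": frozenset({2745, 1025, 135, 445, 6129}),
    "mockbot-like": frozenset({2745, 1025, 135, 445, 6129, 3410}),
    "agobot-like": frozenset({2745, 1025, 135, 445, 6129, 80}),
}

# Assumed (constructed) log line format: "<time> <src_ip> -> <dst_ip>:<port>/<proto>"
LOG_RE = re.compile(
    r"^\S+\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+"
    r"\d{1,3}(?:\.\d{1,3}){3}:(?P<port>\d+)/(?P<proto>[a-z]+)$"
)

# Constructed sample log using documentation address ranges (not real sources):
# .10 matches the reported pattern exactly, .20 matches the Agobot-like set,
# .30 is a superset of two signatures, .40 probes too few ports, .50 is UDP only.
SAMPLE_LOG = """\
12:00:01 192.0.2.10 -> 198.51.100.5:2745/tcp
12:00:01 192.0.2.10 -> 198.51.100.5:1025/tcp
12:00:02 192.0.2.10 -> 198.51.100.5:135/tcp
12:00:02 192.0.2.10 -> 198.51.100.5:445/tcp
12:00:03 192.0.2.10 -> 198.51.100.5:6129/tcp
12:00:10 192.0.2.20 -> 198.51.100.5:135/tcp
12:00:10 192.0.2.20 -> 198.51.100.5:445/tcp
12:00:11 192.0.2.20 -> 198.51.100.5:80/tcp
12:00:11 192.0.2.20 -> 198.51.100.5:2745/tcp
12:00:12 192.0.2.20 -> 198.51.100.5:1025/tcp
12:00:12 192.0.2.20 -> 198.51.100.5:6129/tcp
12:00:20 192.0.2.30 -> 198.51.100.5:2745/tcp
12:00:20 192.0.2.30 -> 198.51.100.5:1025/tcp
12:00:21 192.0.2.30 -> 198.51.100.5:135/tcp
12:00:21 192.0.2.30 -> 198.51.100.5:445/tcp
12:00:22 192.0.2.30 -> 198.51.100.5:6129/tcp
12:00:22 192.0.2.30 -> 198.51.100.5:3410/tcp
12:00:23 192.0.2.30 -> 198.51.100.5:80/tcp
12:00:30 192.0.2.40 -> 198.51.100.5:445/tcp
12:00:30 192.0.2.40 -> 198.51.100.5:135/tcp
12:00:40 192.0.2.50 -> 198.51.100.5:53/udp
"""


def ports_by_source(log_text):
    """Group the distinct TCP ports probed by each source address."""
    probes = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("proto") == "tcp":
            probes[m.group("src")].add(int(m.group("port")))
    return dict(probes)


def relation(probed, sig):
    """Describe how a probed port set sits relative to one signature."""
    if probed == sig:
        return "exact"
    if probed < sig:
        return "subset"
    if probed > sig:
        return "superset"
    return "intersects" if probed & sig else "disjoint"


def jaccard(a, b):
    """Jaccard similarity of two port sets (0.0 for two empty sets)."""
    return len(a & b) / len(a | b) if (a | b) else 0.0


def classify(probed, signatures=SIGNATURES, min_ports=3):
    """Score one source's port set against every signature.

    Returns None when too few ports were probed to say anything, otherwise a
    dict whose 'best' list holds every signature tied for the top score, so an
    ambiguous match is visible instead of being silently resolved.
    """
    if len(probed) < min_ports:
        return None
    scores = sorted(
        ((name, round(jaccard(probed, sig), 3), relation(probed, sig))
         for name, sig in signatures.items()),
        key=lambda t: t[1], reverse=True)  # stable sort keeps table order on ties
    top = scores[0][1]
    best = [name for name, score, _ in scores if score == top]
    return {"best": best, "jaccard": top, "ambiguous": len(best) > 1, "scores": scores}


def analyze(log_text):
    """Map each TCP-probing source address to its classification."""
    return {src: classify(ports) for src, ports in ports_by_source(log_text).items()}


if __name__ == "__main__":
    for src, result in analyze(SAMPLE_LOG).items():
        print(src, result)
```

In this run 192.0.2.30 scores identically against the Mockbot-like and Agobot-like sets, which is the situation the reply describes: a superset of two competing signatures tells you nothing about which tool sent it, and the only way to learn more is to capture what the source does on the ports that answer.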
