[unisog] IRC bot outbreaks

West, Ken Ken.West at orst.edu
Wed Jul 31 19:16:30 GMT 2002


You can also use the Microsoft baseline security analysis tool for this
purpose.

Ken

-----Original Message-----
From: Reg Quinton [mailto:reggers at ist.uwaterloo.ca] 
Sent: Wednesday, July 31, 2002 11:21 AM
To: Anderson Johnston
Cc: unisog at sans.org
Subject: Re: [unisog] IRC bot outbreaks


> Q: What tools are you using to scan for blank administrative 
> passwords?

I think I've shared this before ....

What I do is scan for port 139 (using nmap) and try to run a "dir" of
the c$ share as user administrator with a "" password (using smbclient).
I do that every day at about 13:00 from cron. What we do you can have:

http://ist.uwaterloo.ca/~reggers/drafts/AdminScan
    I run from cron daily.
http://ist.uwaterloo.ca/~reggers/drafts/PopUpMsg
    A tool to put a popup message on the user's screen.

These are simple shell scripts which use Samba for the nitty gritty,
nmap to identify machines. You'll need to carve a bit for your search
paths, etc. if you want to use them.

If you pick up the code you'll see I use a "contact" tool in the script
to identify system contacts so I can mail them a note -- that's too much
of a localism to share.
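
The daily check described in the message above (nmap for port 139, then an smbclient "dir" of the c$ share as administrator with an empty password), as an added shell example. It is not the AdminScan script linked in the message; the function names, result labels and sample scan output are assumptions constructed here.

```shell
#!/bin/sh
# Added example, not Reg Quinton's AdminScan script.
# Audits hosts in an address range you administer for a blank administrator password.

# Print IPs that have 139/tcp open, from nmap greppable (-oG) output on stdin.
# The leading space in the pattern keeps ports such as 1139 from matching.
hosts_with_139_open() {
    awk '/Ports:.* 139\/open\/tcp\// { print $2 }'
}

# Map one smbclient attempt (exit status, captured output) to a finding label.
classify_smb_result() {
    status=$1
    output=$2
    if [ "$status" -eq 0 ]; then
        echo BLANK_PASSWORD     # the c$ listing worked with "" as the password
        return
    fi
    case $output in
        *NT_STATUS_LOGON_FAILURE*|*NT_STATUS_ACCESS_DENIED*) echo REFUSED ;;
        *) echo UNKNOWN ;;      # timeout, no c$ share, etc.: recheck, do not assume safe
    esac
}

# Constructed sample of nmap -oG output (documentation addresses and names).
sample_scan() {
    cat <<'EOF'
# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 (pc10.example.edu)	Ports: 139/open/tcp//netbios-ssn///
Host: 192.0.2.11 ()	Ports: 139/closed/tcp//netbios-ssn///
Host: 192.0.2.12 ()	Ports: 1139/open/tcp/////
Host: 192.0.2.13 ()	Ports: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///
EOF
}

# Scan one range and print "<ip> <finding>" per host with port 139 open.
audit_range() {
    nmap -n -p 139 --open -oG - "$1" | hosts_with_139_open |
    while read -r host; do
        out=$(smbclient "//$host/c\$" -U 'administrator%' -c dir 2>&1 </dev/null)
        rc=$?
        echo "$host $(classify_smb_result "$rc" "$out")"
    done
}

# Runs only when a range is given, e.g. from cron: sh adminscan-example.sh 192.0.2.0/24
if [ "$#" -gt 0 ]; then audit_range "$1"; fi
```

Hosts reported as UNKNOWN were neither confirmed nor cleared, so they belong on the next day's recheck list rather than in the "fine" pile.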


