[unisog] Remote Nachi/Welchia scan tool??

Joshua Thomas thomasj4 at ohio.edu
Tue Aug 26 13:12:46 GMT 2003



We're passively monitoring ICMP scanning as described by others, but we're 
also exploring options for actively detecting Nachi-infected machines for 
cases where the ICMP traffic may be filtered before it reaches our 
monitors.  In our limited sample, nearly every infected Nachi machine we 
have scanned is listening on TCP/707.  So far, every machine we've tracked 
down with TCP ports 135, 139, 445 and 707 open has been infected.

Thank you,
Joshua Thomas
Security Analyst
Communication Network Services
Ohio University
Athens, Ohio 45701
Phone: (740) 597-2974
Fax: (740) 597-1826
security at ohio.edu

--On Friday, August 22, 2003 5:49 PM -0400 Clarke Morledge <chmorl at wm.edu> 
wrote:

> Has anybody found a tool to scan for the Nachi/Welchia worm across the
> network?
>
> There are various Blaster remote scanning tools, but of course, they don't
> detect vulnerabilities related to Nachi since Nachi "fixes" the
> RPC DCOM vulnerability.
>
> Clarke Morledge
> College of William and Mary
> Information Technology - Network Engineering
> Jones Hall (Room 18)
> Williamsburg VA 23187
> 757-221-1536
> chmorl at wm.edu
>
>




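An added example, not part of the original message or the poster's tooling: one way to apply the port profile described above to scan results you already have. It assumes the results are in Nmap grepable (`-oG`) format; the labels `matches-profile` and `tcp707-open`, the function names, and the sample lines are constructed for illustration.

```python
import re

# Ports named in the post: every machine tracked down with all four open was infected.
PROFILE_PORTS = frozenset({135, 139, 445, 707})
LISTENER_PORT = 707  # open on nearly every infected host in the post's sample

# Constructed sample of Nmap grepable output (documentation address range).
SAMPLE_GNMAP = """\
# Nmap scan (constructed sample)
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 707/open/tcp/////
Host: 192.0.2.11 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 707/closed/tcp/////
Host: 192.0.2.12 ()\tPorts: 135/filtered/tcp//msrpc///, 139/filtered/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///, 707/open/tcp/////
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*)$")

def open_tcp_ports(gnmap_text):
    """Map each host to the set of TCP ports reported as open."""
    hosts = {}
    for line in gnmap_text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and "Status:" lines carry no port data
        host, ports_field = m.groups()
        ports_field = ports_field.split("\t")[0]  # drop trailing tab-separated fields
        for entry in ports_field.split(","):
            parts = entry.strip().split("/")
            if len(parts) >= 3 and parts[1] == "open" and parts[2] == "tcp":
                hosts.setdefault(host, set()).add(int(parts[0]))
    return hosts

def classify(open_ports):
    """Full four-port profile ranks above a lone TCP/707 listener."""
    if PROFILE_PORTS <= open_ports:
        return "matches-profile"
    if LISTENER_PORT in open_ports:
        return "tcp707-open"  # 135/139/445 may be filtered; still worth a look
    return None

def triage(gnmap_text):
    """Return {host: label} for hosts that warrant follow-up."""
    labelled = {h: classify(p) for h, p in open_tcp_ports(gnmap_text).items()}
    return {h: label for h, label in labelled.items() if label}

if __name__ == "__main__":
    for host, label in sorted(triage(SAMPLE_GNMAP).items()):
        print(host, label)
```

A host with only TCP/707 open is reported separately because the Windows ports can be filtered on the path while the listener is still reachable; a match is a lead for follow-up, as the post's sample was limited.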


