[unisog] Remote Nachi/Welchia scan tool??

Mike Honeycutt honeycutt at unca.edu
Sat Aug 30 20:04:29 GMT 2003



We are also monitoring ARP requests, since
during Welchia/Nachi's probe to find other unpatched
systems, it scans IP numbers sequentially.

Mike Honeycutt  UNC Asheville University Computing

=============================== 
-----Original Message-----
From: Joshua Thomas [mailto:thomasj4 at ohio.edu] 
Sent: Tuesday, August 26, 2003 9:13 AM
To: Clarke Morledge
Cc: unisog at sans.org
Subject: Re: [unisog] Remote Nachi/Welchia scan tool??


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We're passively monitoring ICMP scanning as described by others, but we're 
also exploring options for actively detecting Nachi infected machines for 
cases where the ICMP traffic may be filtered before it reaches our 
monitors.  In our limited sample, nearly every infected Nachi machine we 
have scanned is listening on TCP/707.  So far, every machine we've tracked 
down with TCP ports 135, 139, 445 and 707 open has been infected.

Thank you,
Joshua Thomas
Security Analyst
Communication Network Services
Ohio University
Athens, Ohio 45701
Phone: (740) 597-2974
Fax: (740) 597-1826
security at ohio.edu

- --On Friday, August 22, 2003 5:49 PM -0400 Clarke Morledge <chmorl at wm.edu> wrote:

> Has anybody found a tool to scan for the Nachi/Welchia worm across the 
> network?
>
> There are various Blaster remote scanning tools, but of course, they 
> don't detect vulnerabilities related to Nachi since Nachi "fixes" the 
> RPC DCOM vulnerability.
>
> Clarke Morledge
> College of William and Mary
> Information Technology - Network Engineering
> Jones Hall (Room 18)
> Williamsburg VA 23187
> 757-221-1536
> chmorl at wm.edu
>
>




-----BEGIN PGP SIGNATURE-----
Version: Mulberry PGP Plugin v2.0
Comment: processed by Mulberry PGP Plugin

iQA/AwUBP0tc0FB2SET9UlmpEQKxEACg8q5wrqIrvapugIwHjqD1Lvh9w28AoPyR
JTKz3+kM47gthau5mjFWOQ7m
=PLG2
-----END PGP SIGNATURE-----
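
The ARP monitoring mentioned in the top reply can be sketched as follows. This is an added example, not code from any poster in the thread: it reads ARP requests in tcpdump's text output format and flags hosts whose requested addresses form a long sequential run. The sample capture, the addresses and the `min_run` threshold are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Matches tcpdump text output such as:
#   20:04:01.000000 ARP, Request who-has 10.0.4.1 tell 10.0.4.23, length 46
ARP_RE = re.compile(
    r"ARP, Request who-has (\d+\.\d+\.\d+\.\d+).*? tell (\d+\.\d+\.\d+\.\d+)"
)

def build_sample():
    """Constructed capture: 10.0.4.23 sweeps .1-.20, 10.0.4.77 behaves normally."""
    fmt = "20:04:{:02d}.{} ARP, Request who-has {} tell {}, length 46"
    lines = []
    for i in range(1, 21):
        lines.append(fmt.format(i, "000000", f"10.0.4.{i}", "10.0.4.23"))
        if i % 5 == 0:  # ordinary host re-resolving its gateway
            lines.append(fmt.format(i, "500000", "10.0.4.1", "10.0.4.77"))
    lines.append(fmt.format(21, "000000", "10.0.4.50", "10.0.4.77"))
    lines.append(fmt.format(22, "000000", "10.0.4.9", "10.0.4.77"))
    return lines

def longest_sequential_run(targets):
    """Longest run in which each requested address is the previous one plus 1."""
    best = run = 0
    prev = None
    for t in targets:
        if t == prev:  # ARP retransmission for the same target, ignore
            continue
        run = run + 1 if prev is not None and int(t) == int(prev) + 1 else 1
        best = max(best, run)
        prev = t
    return best

def find_sweepers(lines, min_run=8):
    """Return {source_ip: longest_run} for sources at or above min_run (assumed threshold)."""
    per_src = defaultdict(list)
    for line in lines:
        m = ARP_RE.search(line)
        if m:
            target, src = m.groups()
            per_src[src].append(ipaddress.ip_address(target))
    runs = {src: longest_sequential_run(t) for src, t in per_src.items()}
    return {src: n for src, n in runs.items() if n >= min_run}

if __name__ == "__main__":
    for src, n in find_sweepers(build_sample()).items():
        print(f"{src}: {n} sequential ARP requests, check this host")
```

ARP requests are only visible on the local segment, so a monitor needs to run per subnet.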


