[unisog] Remote Nachi/Welcia scan tool??
honeycutt at unca.edu
Sat Aug 30 20:04:29 GMT 2003
We are also monitoring ARP requests, since
during Welchia/Nachi's probe to find other unpatched
systems, it scans IP numbers sequentially.
Mike Honeycutt UNC Asheville University Computing
From: Joshua Thomas [mailto:thomasj4 at ohio.edu]
Sent: Tuesday, August 26, 2003 9:13 AM
To: Clarke Morledge
Cc: unisog at sans.org
Subject: Re: [unisog] Remote Nachi/Welcia scan tool??
We're passively monitoring ICMP scanning as described by others, but we're
also exploring options for actively detecting Nachi infected machines for
cases where the ICMP traffic may be filtered before it reaches our
monitors. In our limited sample, nearly every infected Nachi machine we
have scanned is listening on TCP/707. So far, every machine we've tracked
down with TCP ports 135, 139, 445 and 707 open has been infected.
Communication Network Services
Athens, Ohio 45701
Phone: (740) 597-2974
Fax: (740) 597-1826
security at ohio.edu
--On Friday, August 22, 2003 5:49 PM -0400 Clarke Morledge <chmorl at wm.edu>
> Has anybody found a tool to scan for the Nachi/Welchia worm across the
> There are various Blaster remote scanning tools, but of course, they
> don't detect vulnerabilities related to Nachi since Nachi "fixes" the
> RPC DCOM vulnerability.
> Clarke Morledge
> College of William and Mary
> Information Technology - Network Engineering
> Jones Hall (Room 18)
> Williamsburg VA 23187
> chmorl at wm.edu
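Added example (not part of the original messages): one way to turn the sequential-scan observation from the first message into a check over ARP request logs, flagging senders that ARP for long runs of consecutive addresses. The log line format, thresholds, and addresses are constructed assumptions for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed thresholds, not from the thread: tune for the local segment.
MIN_RUN = 8        # consecutive target addresses that count as a sweep
MAX_GAP_S = 2.0    # max seconds between successive requests in one run

def parse_arp_line(line):
    """Parse 'epoch_seconds who-has <target> tell <sender>' (constructed format)."""
    ts, _, target, _, sender = line.split()
    return float(ts), ipaddress.ip_address(sender), ipaddress.ip_address(target)

def find_sequential_scanners(lines, min_run=MIN_RUN, max_gap=MAX_GAP_S):
    """Return {sender: longest run of +1 ascending ARP targets} for runs >= min_run."""
    last = {}                  # sender -> (timestamp, last target, current run length)
    best = defaultdict(int)    # sender -> longest run seen so far
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, sender, target = parse_arp_line(line)
        prev = last.get(sender)
        if prev and int(target) == int(prev[1]) + 1 and ts - prev[0] <= max_gap:
            run = prev[2] + 1          # next address in sequence: extend the run
        elif prev and target == prev[1]:
            run = prev[2]              # ARP retry for the same target: run unchanged
        else:
            run = 1                    # unrelated target or too slow: start over
        last[sender] = (ts, target, run)
        best[sender] = max(best[sender], run)
    return {str(s): n for s, n in best.items() if n >= min_run}

def constructed_sample():
    """Constructed ARP log: 192.0.2.50 sweeps .1-.12; other hosts behave normally."""
    lines = ["# constructed sample, not captured traffic"]
    for i in range(1, 13):
        lines.append(f"{100 + i * 0.1:.1f} who-has 192.0.2.{i} tell 192.0.2.50")
        if i % 4 == 0:   # interleaved ordinary lookups of the gateway
            lines.append(f"{100 + i * 0.1:.1f} who-has 192.0.2.1 tell 192.0.2.20")
    lines += ["130.0 who-has 192.0.2.7 tell 192.0.2.33",
              "130.5 who-has 192.0.2.8 tell 192.0.2.33",
              "131.0 who-has 192.0.2.9 tell 192.0.2.33"]
    return lines

if __name__ == "__main__":
    for sender, run in find_sequential_scanners(constructed_sample()).items():
        print(f"{sender}: {run} consecutive ARP targets")
```

ARP requests are only visible on the sender's own broadcast domain, so a monitor running this check needs a vantage point on each segment it is meant to cover.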