[unisog] Remote Nachi/Welcia scan tool??

sbernard at gmu.edu sbernard at gmu.edu
Sun Aug 31 17:41:04 GMT 2003


I've cross-checked the three most common methods of finding hosts
compromised with Welchia/Nachi, ICMP monitoring w/ size and content
filters, massive, sequential ARP request monitoring, and scanning for port
707 open and a combination of two or more ports 135/139/445 being open. 
So far, out of 3,000+ hosts, I have found a nearly 100% correlation
between hosts found using passive monitoring and active scanning.  There
were several hosts which were flagged by scanning, and were compromised,
that weren't sending indicative traffic on the network.  I will be taking
a closer look at these hosts which weren't spewing ICMP and ARP requests
but, did have the aforementioned ports open.  My hunch is that these may
be machines that have port 135 closed for some reason, and therefore
aren't attempting to propagate.  This 139/445 up, 135 down condition was
brought up by Phil Rodrigues @ UConn in a post to this listserv titled
"Port 135 closed may be vulnerable".


Regards,

Steve Bernard
Sr. Systems
Engineer, NET
George Mason University
Fairfax, Virginia



----- Original Message -----
From: Mike Honeycutt <honeycutt at unca.edu>
Date: Saturday, August 30, 2003 4:04 pm
Subject: RE: [unisog] Remote Nachi/Welcia scan tool??

> 
> 
> We are also monitoring ARP requests, since
> during Welchia/Nachi's probe to find other unpatched
> systems, it scans IP numbers sequentially.
> 
> Mike Honeycutt  UNC Asheville University Computing
> 
> =============================== 
> -----Original Message-----
> From: Joshua Thomas [mailto:thomasj4 at ohio.edu] 
> Sent: Tuesday, August 26, 2003 9:13 AM
> To: Clarke Morledge
> Cc: unisog at sans.org
> Subject: Re: [unisog] Remote Nachi/Welcia scan tool??
> 
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> We're passively monitoring ICMP scanning as described by others, 
> but we're 
> also exploring options for actively detecting Nachi infected 
> machines for 
> cases where the ICMP traffic may be filtered before it reaches our 
> monitors.  In our limited sample, nearly every infected Nachi 
> machine we 
> have scanned is listening on TCP/707.  So far, every machine we've 
> tracked 
> down with TCP ports 135, 139, 445 and 707 open has been infected.
> 
> Thank you,
> Joshua Thomas
> Security Analyst
> Communication Network Services
> Ohio University
> Athens, Ohio 45701
> Phone: (740) 597-2974
> Fax: (740) 597-1826
> security at ohio.edu
> 
> - --On Friday, August 22, 2003 5:49 PM -0400 Clarke Morledge 
> <chmorl at wm.edu>
> wrote:
> 
> > Has anybody found a tool to scan for the Nachi/Welchia worm 
> across the 
> > network?
> >
> > There are various Blaster remote scanning tools, but of course, 
> they 
> > don't detect vulnerabilities related to Nachi since Nachi 
> "fixes" the 
> > RPC DCOM vulnerability.
> >
> > Clarke Morledge
> > College of William and Mary
> > Information Technology - Network Engineering
> > Jones Hall (Room 18)
> > Williamsburg VA 23187
> > 757-221-1536
> > chmorl at wm.edu
> >
> >
> 
> 
> 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: Mulberry PGP Plugin v2.0
> Comment: processed by Mulberry PGP Plugin
> 
> iQA/AwUBP0tc0FB2SET9UlmpEQKxEACg8q5wrqIrvapugIwHjqD1Lvh9w28AoPyR
> JTKz3+kM47gthau5mjFWOQ7m
> =PLG2
> -----END PGP SIGNATURE-----
> 
> 
> 



More information about the unisog mailing list