[unisog] sudden increase in NetBIOS probes

Peter Van Epp vanepp at sfu.ca
Tue Jun 8 23:16:16 GMT 2004

	Looks like the new version hit here over night too :-). Another 18 or
so machines gone for scanning, and probably a number more when I get time from
meetings-the-practical-alternative-to-doing-anything-useful and process the
argus logs. Here it looks like they were forming up a botnet. There is an
undernet IRC connection followed by about 1/2 hour of scanning for port 445
from those 18 hosts, and then they went away. Because of the router blocks the
scans won't make it off campus and it looks like the attacker discovered that
and stopped trying to use ours (at least so far, other scans would still work
fine until I see them). A quick look at argus indicates more machines joining
the IRC channel than were scanning out (although that may not be correct, it
was a quick look), but anyone joining the channel but not whacked will get
that corrected ... The first couple of cleaned machines are reporting:

- w32.spybot.worm (running) and,
- w32.korgo.f - executable found but not running

I assume the first started the second to join the IRC channel.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
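The "IRC join, then half an hour of port 445 fan-out" pattern described in the message above is easy to pull out of flow logs once you look for the sequence rather than either half alone. The following is an added example, not part of the original post and not anything SFU ran: it reads a simplified, whitespace-separated flow listing (epoch start time, proto, source address, source port, destination address, destination port; the column order is an assumption loosely modelled on an argus "ra" listing, not the real ra output format), records each source host's first TCP connection to an assumed IRC port (6667), and then counts how many distinct hosts that source reached on TCP/445 within 30 minutes of the join. Hosts over a threshold are reported as scanners; hosts that joined IRC but stayed under it are listed separately, since the post notes that more machines joined the channel than were seen scanning. The sample flows are constructed for the example.

```python
"""Flag hosts that contact an IRC server and then fan out to TCP/445.

Added example (not part of the original post). Input lines are a simplified,
whitespace-separated flow listing (an assumption, not real argus 'ra' output):
    <epoch start time> <proto> <saddr> <sport> <daddr> <dport>
The IRC port (6667), window and threshold are assumptions for this example.
"""
from collections import defaultdict

IRC_PORTS = {6667}          # assumed undernet port; widen to 6660-6669/7000 if needed
SMB_PORT = 445
WINDOW_SECONDS = 30 * 60    # the post reports about 1/2 hour of scanning after the join
MIN_DISTINCT_TARGETS = 20   # distinct /445 destinations per source to call it a scan


def parse_flows(text):
    """Parse the simplified listing into sorted (stime, proto, saddr, daddr, dport) tuples."""
    flows = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        stime, proto, saddr, sport, daddr, dport = line.split()
        flows.append((float(stime), proto, saddr, daddr, int(dport)))
    return sorted(flows)


def find_irc_then_scan(flows, window=WINDOW_SECONDS, min_targets=MIN_DISTINCT_TARGETS):
    """Return (scanners, irc_only).

    scanners: {saddr: distinct 445 targets reached within `window` seconds
               after that host's first IRC connection}
    irc_only: sorted hosts that connected to IRC but stayed under the threshold
              (the "joined the channel but not yet whacked" candidates).
    """
    first_irc = {}
    for stime, proto, saddr, daddr, dport in flows:
        if proto == "tcp" and dport in IRC_PORTS and saddr not in first_irc:
            first_irc[saddr] = stime

    targets = defaultdict(set)
    for stime, proto, saddr, daddr, dport in flows:
        t0 = first_irc.get(saddr)
        if t0 is None or proto != "tcp" or dport != SMB_PORT:
            continue
        if t0 <= stime <= t0 + window:   # only count fan-out after the IRC join
            targets[saddr].add(daddr)

    scanners = {h: len(d) for h, d in targets.items() if len(d) >= min_targets}
    irc_only = sorted(h for h in first_irc if h not in scanners)
    return scanners, irc_only


def build_sample_log():
    """Constructed sample flows for the example (not real campus data)."""
    lines = ["1000.0 tcp 10.1.1.5 1025 198.51.100.9 6667",
             "1001.0 tcp 10.1.1.6 1026 198.51.100.9 6667"]
    # 10.1.1.5 joins IRC, then hits 25 distinct hosts on 445 inside the window
    for i in range(25):
        lines.append(f"{1010 + i * 10:.1f} tcp 10.1.1.5 {2000 + i} 10.2.3.{i + 1} 445")
    # ... and 5 more after the 30-minute window, which must not count
    for i in range(5):
        lines.append(f"{1000 + WINDOW_SECONDS + 100 + i:.1f} tcp 10.1.1.5 {3000 + i} 10.9.9.{i + 1} 445")
    # 10.1.1.6 joined IRC but only reached two file servers on 445 (normal use)
    lines.append("1020.0 tcp 10.1.1.6 1030 10.2.0.1 445")
    lines.append("1025.0 tcp 10.1.1.6 1031 10.2.0.2 445")
    # 10.1.1.7 scans 445 with no IRC connection: not matched by this rule
    for i in range(25):
        lines.append(f"{1010 + i * 10:.1f} tcp 10.1.1.7 {4000 + i} 10.4.5.{i + 1} 445")
    return "\n".join(lines)


if __name__ == "__main__":
    scanners, irc_only = find_irc_then_scan(parse_flows(build_sample_log()))
    for host, n in sorted(scanners.items()):
        print(f"{host}: IRC join followed by {n} distinct /445 targets within 30 min")
    print("IRC joiners below the scan threshold:", irc_only)
```

The rule deliberately ignores 10.1.1.7, which scans without an IRC join; a plain "too many /445 destinations" rule would catch it, but the point here is the sequence, which is what separates a bot taking orders from a misconfigured backup job or an admin running a scanner. On a real network the IRC port list should be widened and the threshold tuned against normal file-sharing fan-out before acting on the output.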

