[unisog] NMAP signature of Sasser

Anderson Johnston andy at umbc.edu
Tue May 4 18:02:37 GMT 2004


I ran Nessus plugin 12219 to find Sasser-fied machines, now I'm running
nmap on the systems showing positive.  If anyone wants to try finding
Sasser using scans on port 5554, the signature I'm getting back from
that port is:

==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port5554-TCP:V=3.50%D=5/4%Time=4097D66E%P=i686-pc-linux-gnu%r(NULL,7,"2
SF:20\x20OK\n")%r(GenericLines,E,"220\x20OK\n226\x20OK\n")%r(GetRequest,E,
SF:"220\x20OK\n226\x20OK\n")%r(HTTPOptions,E,"220\x20OK\n226\x20OK\n")%r(R
SF:TSPRequest,E,"220\x20OK\n226\x20OK\n")%r(RPCCheck,E,"220\x20OK\n226\x20
SF:OK\n")%r(DNSVersionBindReq,E,"220\x20OK\n226\x20OK\n")%r(DNSStatusReque
SF:st,E,"220\x20OK\n226\x20OK\n")%r(Help,E,"220\x20OK\n226\x20OK\n")%r(SSL
SF:SessionReq,E,"220\x20OK\n226\x20OK\n")%r(SMBProgNeg,E,"220\x20OK\n226\x
SF:20OK\n")%r(X11Probe,E,"220\x20OK\n226\x20OK\n")%r(LPDString,E,"220\x20O
SF:K\n226\x20OK\n")%r(LDAPBindReq,E,"220\x20OK\n226\x20OK\n")%r(LANDesk-RC
SF:,E,"220\x20OK\n226\x20OK\n")%r(TerminalServer,E,"220\x20OK\n226\x20OK\n
SF:")%r(NCP,E,"220\x20OK\n226\x20OK\n")%r(NotesRPC,E,"220\x20OK\n226\x20OK
SF:\n")%r(WMSRequest,E,"220\x20OK\n226\x20OK\n")%r(oracle-tns,E,"220\x20OK
SF:\n226\x20OK\n");


I don't know which variants are on which systems, yet.  I'll try to
profile these sigs more precisely when we get our hands on some of these
machines.

							- Andy

------------------------------------------------------------------------------
** Andy Johnston (andy at umbc.edu)          *                                 **
** Manager of IT Security                 * PGP key:(afj2002) 4096/8448B056 **
** Office of Information Technology, UMBC *   4A B4 96 64 D9 B6 EF E3 21 9A **
** 410-455-2583 (v)/410-455-1065 (f)      *   46 1A 37 11 F5 6C 84 48 B0 56 **
------------------------------------------------------------------------------
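
The fingerprint in the message above can be decoded offline. The following is an added example, not part of the original post, and its function names are this example's own: it unwraps the `SF:` lines, decodes nmap's escapes, and groups the probes by the response each one received.

```python
import re

# Fingerprint exactly as posted above; nmap wraps it at a fixed column.
FINGERPRINT = r'''SF-Port5554-TCP:V=3.50%D=5/4%Time=4097D66E%P=i686-pc-linux-gnu%r(NULL,7,"2
SF:20\x20OK\n")%r(GenericLines,E,"220\x20OK\n226\x20OK\n")%r(GetRequest,E,
SF:"220\x20OK\n226\x20OK\n")%r(HTTPOptions,E,"220\x20OK\n226\x20OK\n")%r(R
SF:TSPRequest,E,"220\x20OK\n226\x20OK\n")%r(RPCCheck,E,"220\x20OK\n226\x20
SF:OK\n")%r(DNSVersionBindReq,E,"220\x20OK\n226\x20OK\n")%r(DNSStatusReque
SF:st,E,"220\x20OK\n226\x20OK\n")%r(Help,E,"220\x20OK\n226\x20OK\n")%r(SSL
SF:SessionReq,E,"220\x20OK\n226\x20OK\n")%r(SMBProgNeg,E,"220\x20OK\n226\x
SF:20OK\n")%r(X11Probe,E,"220\x20OK\n226\x20OK\n")%r(LPDString,E,"220\x20O
SF:K\n226\x20OK\n")%r(LDAPBindReq,E,"220\x20OK\n226\x20OK\n")%r(LANDesk-RC
SF:,E,"220\x20OK\n226\x20OK\n")%r(TerminalServer,E,"220\x20OK\n226\x20OK\n
SF:")%r(NCP,E,"220\x20OK\n226\x20OK\n")%r(NotesRPC,E,"220\x20OK\n226\x20OK
SF:\n")%r(WMSRequest,E,"220\x20OK\n226\x20OK\n")%r(oracle-tns,E,"220\x20OK
SF:\n226\x20OK\n");'''

_ESC = {"n": "\n", "r": "\r", "t": "\t", "0": "\0"}

def unescape(s):
    """Decode nmap's hex (backslash-xHH) and single-character escapes."""
    def sub(m):
        return chr(int(m.group(1), 16)) if m.group(1) else _ESC.get(m.group(2), m.group(2))
    return re.sub(r'\\x([0-9A-Fa-f]{2})|\\(.)', sub, s)

def parse_fingerprint(text):
    """Return (header fields, {probe: (declared_len, response)})."""
    joined = "".join(re.sub(r'^SF(-Port\d+-(?:TCP|UDP))?:', '', ln.strip())
                     for ln in text.splitlines())
    head = joined.split("%r(")[0]  # V=...%D=...%Time=...%P=...
    header = dict(kv.split("=", 1) for kv in head.split("%") if "=" in kv)
    pat = r'%r\(([^,]+),([0-9A-Fa-f]+),"((?:[^"\\]|\\.)*)"\)'
    probes = {}
    for name, hexlen, body in re.findall(pat, joined):
        probes[name] = (int(hexlen, 16), unescape(body))  # length field is hex
    return header, probes

def group_by_response(probes):
    """Map each distinct response text to the list of probes that got it."""
    groups = {}
    for name, (_declared, resp) in probes.items():
        groups.setdefault(resp, []).append(name)
    return groups

if __name__ == "__main__":
    header, probes = parse_fingerprint(FINGERPRINT)
    for resp, names in group_by_response(probes).items():
        print(f"{resp!r}: {len(names)} probe(s), e.g. {names[0]}")
```

Run on the posted fingerprint, it shows the NULL probe (which sends nothing and only reads the banner) receiving `220 OK`, and every other probe receiving `220 OK` followed by `226 OK`.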


