
Re: Help - a possible bot

From: Moshe Aelion <ma0934(at)hotmail.com>
Date: Fri Nov 22 2002 - 09:01:36 EST

Hi Emeric

Analyzing the PC, it does not seem it's infected by Opaserv. There is no suspicious file with *scr* anywhere.

Still, like you said, what's worrying is that the PC is responding to the port probes. Apparently traffic to port 137 is blocked - so maybe it's penetrating from another port, or from an allowed program; but the PC is responding, which means SOMETHING inside is listening, then responding (very quickly). Also, when the Internet is on-line, the explorer and svchost processes are constantly active, with I/O of 25-30 kbps. This ceases when I go off-line.

Can anyone help? Thanks in advance

Moshe

----- Original Message -----
From: Emeric Miszti
To: Moshe Aelion
Cc: incidents @ security focus
Sent: Saturday, November 16, 2002 12:59 PM
Subject: Re: Help - a possible bot

Hi Moshe,

What you are seeing with the incoming port 137 UDP requests is probably the Opeserv worm. Have a look at
http://antivirus.about.com/library/weekly/aa100102a.htm.

Do you need help?

Everyone is seeing a lot of these at the moment and if you have a look at http://isc.incidents.org/ then you will see that port 137 is far and away the most attacked port at the moment.

You can easily identify this kind of activity because the source port of normal UDP 137 traffic is 137 and the destination is port 137. With the worm activity the source port becomes something above 1024 with the destination as 137.

Looking at your fport traces, etc it doesn't look like your PC is infected by Opaserv but what is worrying is that you may be responding to the port probes, thus making you a target for further attack and that may explain the high usage on svchost!

Make sure that you are not infected by Opaserv by checking through the details provided by anti-virus companies such as http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.worm.html

Since the PC has been previously hacked I would be very suspicious anyway and wouldn't rely on the firewall doing its job properly. Dameware is a total remote control package so anything could have been installed. Personally I would rebuild the PC and then install a good firewall on a clean box. That is the only way you can ever be 100% sure you are clean.

Regards

--
Emeric Miszti
UK Security Online
http://www.uksecurityonline.com

Tel No: 0870 088 5689
Fax No: 0870 706 2162

PGP Public Key available at
http://www.uksecurityonline.com/emeric.asc

On Fri, 2002-11-15 at 20:11, Moshe Aelion wrote:

> Hi everybody
> hacked
> installed DameWare and was trying to work on the computer. It was discovered within about 10 minutes. I then installed ZoneAlarm Pro.
>
> The problem is, I am detecting a suspicious hit/respond activity, which, in my opinion, points to an active bot. Here's the evidence: when inspecting ZA logs, you can see a blocked scan (coming every couple of minutes, from
> key
> doesn't show anything suspicious.
> phenomenon.
> I also stopped several processes and services and the phenomenon didn't
> (flags:S)
> 12 FWIN, 22:07:34, 200.76.64.2:62695, my.net.237.99:137,UDP <--
> ==================================
>
> Note: the 10.0.0.1:3028 to 10.0.0.138:1723 link is the ADSL pptp.
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
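Emeric's rule (normal NetBIOS name-service traffic runs 137 to 137, while worm probes arrive from a source port above 1024 aimed at 137) applied to lines in the shape of the ZoneAlarm FWIN entry quoted in the thread, as an added example that is not part of the original messages. The sample log is constructed, and the record layout (entry number, FWIN, time, source, destination, protocol) is assumed from that one quoted line.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the ZoneAlarm FWIN line quoted in the
# thread: the first record is the quoted one, the rest are made up here.
SAMPLE_LOG = """\
12 FWIN, 22:07:34, 200.76.64.2:62695, my.net.237.99:137,UDP <--
13 FWIN, 22:09:41, 10.0.0.7:137, my.net.237.99:137,UDP
14 FWIN, 22:11:05, 200.76.64.2:64110, my.net.237.99:137,UDP
15 FWIN, 22:12:30, 203.0.113.5:4433, my.net.237.99:80,TCP
"""

# Assumed record layout; a trailing annotation such as "<--" is ignored.
LINE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<kind>FWIN|FWOUT),\s*(?P<time>[\d:]+),\s*"
    r"(?P<src>[\w.]+):(?P<sport>\d+),\s*(?P<dst>[\w.]+):(?P<dport>\d+),\s*"
    r"(?P<proto>UDP|TCP)"
)

@dataclass
class Hit:
    time: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str

def parse_line(line):
    """Return a Hit for one FWIN/FWOUT record, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Hit(m["time"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["proto"])

def classify(hit):
    """Label UDP/137 hits: 137->137 is ordinary name service, >1024->137 is a worm-style probe."""
    if hit.proto != "UDP" or hit.dport != 137:
        return "other"
    if hit.sport == 137:
        return "netbios-normal"
    if hit.sport > 1024:
        return "opaserv-style-probe"
    return "udp137-unusual"

def summarize(log_text):
    """Count hits per label and collect the sources sending worm-style probes."""
    counts, probers = {}, set()
    for line in log_text.splitlines():
        hit = parse_line(line)
        if hit is None:
            continue
        label = classify(hit)
        counts[label] = counts.get(label, 0) + 1
        if label == "opaserv-style-probe":
            probers.add(hit.src)
    return counts, sorted(probers)
```

A source that shows up repeatedly in the probe set is exactly the "every couple of minutes" pattern described in the thread; the point of the check is to confirm the probes are being dropped, not answered.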
Received on Mon Nov 25 12:37:31 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:51 EDT

