
Re: Help - a possible bot

From: Moshe Aelion <ma0934(at)hotmail.com>
Date: Fri Nov 22 2002 - 09:15:24 EST

HC

Referring to parts of your message:

> "However, the fact that your system is responding would be indicative of something else, possibly w/ your ZA installation."

What do you mean by that, and how can I confirm/disprove it?

> Also, since your logs don't show an ICMP port unreachable response (your system sent out a UDP datagram), that would indicate that, in fact, the source IPs are NOT spoofed.

The source addresses are completely random, and they turn up absolutely nothing in reverse resolution and WHOIS queries. In fact, this is happening only with the source IP addresses of the probes to which the PC is trying to respond; the other probes, ignored by the PC, have a resolved host name (you can see it in the ZA log attached). I think this is very suspicious - in fact, it's a pretty unique and discernible behavior - is anyone familiar with a bot/Trojan behaving this way?

> Is there anything besides the traffic you posted that would lead you to believe that you had something installed on your system?

Like I mentioned above: 1. The immediate response attempt to the probe; and 2. The fact that when the Internet is on-line, the explorer and svchost processes are constantly active, with I/O of 25-30 kbps. This ceases when I go off-line.

Is this behavior similar to any known bot infection?

Thanks in advance


Moshe

----- Original Message -----
From: H C
To: incidents@securityfocus.com
Sent: Saturday, November 16, 2002 3:10 PM
Subject: re: Help - a possible bot

> The problem is, I am detecting a suspicious hit/respond
> activity, which, in my opinion, points to an active

No offense, dude, but you're freaking out over nothing. Based on the information you provided, there IS no bot (remember "The Matrix"? "There is no spoon").

> Here's the evidence: when inspecting ZA logs, you can
> see a blocked scan (coming every couple of minutes,

The "scans" you're referring to look like NetBIOS name scans...queries to UDP port 137. On normal MS networks, these "scans" would originate from UDP port 137, as well. So...they MAY be scans of some kind. However, the fact that your system is responding would be indicative of something else, possibly w/ your ZA installation.

> - I bet they're spoofed

Well, that's not "evidence", now, is it? Also, since your logs don't show an ICMP port unreachable response (your system sent out a UDP datagram), that would indicate that, in fact, the source IPs are NOT spoofed.

Also, there's nothing in the netstat and fport outputs that you sent that seems to indicate that you have any sort of bot or trojan at all. Is there anything besides the traffic you posted that would lead you to believe that you had something installed on your system?


HTH



Do you Yahoo!?
Yahoo! Web Hosting - Let the expert host your site http://webhosting.yahoo.com
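The log triage that HC's reasoning implies, written out as an added example; this is not code from either poster and not ZoneAlarm's own format or tooling. It assumes a constructed, CSV-like firewall log (direction, protocol, source IP/port, destination IP/port, action) and hypothetical function names. For each remote address it records whether the inbound datagram was a UDP/137 NetBIOS name query, whether it came from source port 137 as a normal NBNS query would, whether the local host sent a UDP reply, and whether an ICMP port-unreachable came back, then states the conclusion HC draws from those facts.

```python
"""Triage of firewall log lines for the UDP/137 (NetBIOS name service)
probes discussed in the thread. Added example; the CSV-like log format
below is a constructed, simplified one, not ZoneAlarm's real format."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

NBNS_PORT = "137"               # NetBIOS name service, UDP
ICMP_PORT_UNREACHABLE = "3/3"   # ICMP type 3 / code 3, carried in the src_port column

# Constructed sample lines (direction,proto,src_ip,src_port,dst_ip,dst_port,action).
# 203.0.113.x and 198.51.100.x are documentation ranges, not real probe sources.
SAMPLE_LOG = """\
in,UDP,203.0.113.7,137,192.168.1.10,137,blocked
out,UDP,192.168.1.10,137,203.0.113.7,137,allowed
in,UDP,198.51.100.23,137,192.168.1.10,137,blocked
in,UDP,203.0.113.9,1029,192.168.1.10,137,blocked
out,UDP,192.168.1.10,137,203.0.113.9,1029,allowed
in,ICMP,203.0.113.9,3/3,192.168.1.10,-,blocked
"""


@dataclass
class Event:
    direction: str
    proto: str
    src_ip: str
    src_port: str
    dst_ip: str
    dst_port: str
    action: str


def parse_log(text: str) -> List[Event]:
    """Parse the constructed format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        fields = line.strip().split(",")
        if len(fields) == 7:
            events.append(Event(*fields))
    return events


def triage(events: List[Event], local_ip: str) -> Dict[str, dict]:
    """Per remote IP: did it probe UDP/137, from source port 137 (as a normal
    NBNS query would), did the local host send a UDP reply, and did an ICMP
    port-unreachable come back from that remote afterwards."""
    report = defaultdict(lambda: {
        "nbns_probe": False, "src_port_137": False,
        "local_reply": False, "icmp_unreachable": False,
    })
    for e in events:
        if (e.direction == "in" and e.proto == "UDP"
                and e.dst_ip == local_ip and e.dst_port == NBNS_PORT):
            report[e.src_ip]["nbns_probe"] = True
            report[e.src_ip]["src_port_137"] = (e.src_port == NBNS_PORT)
        elif e.direction == "out" and e.proto == "UDP" and e.src_ip == local_ip:
            report[e.dst_ip]["local_reply"] = True
        elif (e.direction == "in" and e.proto == "ICMP"
                and e.src_port == ICMP_PORT_UNREACHABLE):
            report[e.src_ip]["icmp_unreachable"] = True
    return dict(report)


def assess(r: dict) -> str:
    """Turn one remote's record into the conclusion HC's argument supports."""
    if not r["local_reply"]:
        return "no reply sent: nothing can be said about the source address"
    if r["icmp_unreachable"]:
        return "reply sent, ICMP port unreachable came back: live host, nothing listening on that port"
    return "reply sent, no ICMP unreachable: a host is listening there, source not spoofed"


def run(text: str, local_ip: str) -> Dict[str, str]:
    """Verdict per remote IP for the given log text and local address."""
    return {ip: assess(r) for ip, r in triage(parse_log(text), local_ip).items()}


if __name__ == "__main__":
    for ip, verdict in run(SAMPLE_LOG, "192.168.1.10").items():
        print(f"{ip:16} {verdict}")
```

The `src_port_137` flag is the detail HC mentions about normal MS networks: a genuine NBNS query leaves from UDP 137 as well, so a probe arriving from a high source port is worth a second look even before the reply/ICMP question is settled. Against a real ZoneAlarm export the parser would have to be rewritten for that product's actual field layout; the per-remote logic stays the same.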

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Mon Nov 25 13:07:34 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:51 EDT

