RE: Subseven Scans

From: H C (keydet89at_private)
Date: Tue Aug 13 2002 - 10:46:49 PDT


    > A recon probe against the attacking hosts that were up
    > indicated that they are all Windows hosts, all with port 139
    > open to the public. Some hosts did show signs of being
    > compromised and had viruses present.
    
    Interesting.  How was this determined?
    
    > It was determined that all attacking hosts are unknowingly
    > being used to attack other systems.
    
    Really?  How so?  Were you able to conduct a virus
    scan of the attacking hosts and determine that the
    Trojan or controlling software was actually being
    used?  After all, one cannot conclusively determine,
    even on an infected system, that the user of the
    attacking host was unaware that it was infected, and
    had conducted a port scan.  After all, nmap 3.0 was
    recently released...and yes, it does run on Win32
    (precompiled binary available).  
    
    The above statement is simply too emphatic for me,
    without more information.  At best, one can say that
    it was determined with a relative degree of certainty
    that the attacking host was unknowingly used to attack
    other systems.
    
    This goes back to what I mentioned earlier to
    Rob...until someone posts some speculation (including
    non-reproducible verification steps...or not) and in
    the end, the community really hasn't benefited
    overall.  
    
    I'm glad to see that someone took a look at the
    hosts...Rob sent me some info about the majority being
    from Korea...but I think that it would benefit the
    community as a whole to know how those steps were
    conducted...how was it determined that the systems
    were infected, and how was it determined that the
    infection, the malware installed, was actually what
    was doing the scanning, and not a port scanner?
     
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Tue Aug 13 2002 - 11:27:31 PDT