RE: Subseven Scans

From: H C (keydet89at_private)
Date: Tue Aug 13 2002 - 10:46:49 PDT

  • Next message: Greg A. Woods: "Re: Odd scans and stuff bouncing off firewalls"

    > A recon probe against the attacking hosts that were
    > up, indicated that they
    > are all windows hosts, all with port 139 open to the
    > public. Some hosts did
    > show signs of being compromised and had virus'
    > present. 
    Interesting.  How was this determined?
    > It was determined
    > that all attacking hosts are unknowingly being used
    > to attack other systems.
    Really?  How so?  Were you able to conduct a virus
    scan of the attacking hosts and determine that the
    Trojan or controlling software was actually being
    used?  After all, one cannot conclusively determine,
    even on an infected system, that the user of the
    attacking host was unaware that it was infected, and
    had conducted a port scan.  After all, nmap 3.0 was
    recently released...and yes, it does run on Win32
    (precompiled binary available).  
    The above statement is simply too emphatic for me,
    without more information.  At best, one can say that
    it was determined with a relative degree of certainty
    that the attacking host was unknowingly used to attack
    other systems.
    This goes back to what I mentioned earlier to
    Rob...until someone posts some speculation (including
    non-reproducable verification steps...or not) and in
    the end, the community really hasn't benefited
    I'm glad to see that someone took a look at the
    hosts...Rob sent me some info about the majority being
    from Korea...but I think that it would benefit the
    community as a whole to know how those steps were was it determined that the systems
    were infected, and how was it determined that the
    infection, the malware installed, was actually what
    was doing the scanning, and not a port scanner?
    Do You Yahoo!?
    HotJobs - Search Thousands of New Jobs
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:

    This archive was generated by hypermail 2b30 : Tue Aug 13 2002 - 11:27:31 PDT