RE: Tool to remotely detect MBlaster infected machines?
From: Graham, Robert (ISS Atlanta) (rgraham_at_iss.net)
Date: 08/15/03
- Previous message: Graham, Robert (ISS Atlanta): "RE: Belaboring the point of FPs"
Date: Fri, 15 Aug 2003 17:59:24 -0400
To: <schwing@tenablesecurity.com>, <focus-ids@securityfocus.com>
The original question asked about looking for infected machines, not vulnerable machines.
Unfortunately, you can't scan for infected machines, because they take down port 135. You could theoretically scan for port 69 or 4444 open on infected machines, but those are only open for a short period of time.
However, for scanning for the vulnerability, ISS shipped a freeware tool:
http://www.iss.net/support/product_utilities/ms03-026rpc.php
It quickly scans a class B.
-----Original Message-----
From: schwing@tenablesecurity.com [mailto:schwing@tenablesecurity.com]
Sent: Friday, August 15, 2003 12:24 PM
To: focus-ids@securityfocus.com
Subject: Re: Tool to remotely detect MBlaster infected machines?
In-Reply-To: <1060959531.6927.8.camel@icehouse.is.gatech.edu>
You can also use Nessus plugin check 11818, "The remote host is infected by
msblast.exe".
If you need to scan more than one class C at a time you could use the
Tenable Lightning Console and Proxy to scan multiple class B's at the same
time.
Stephen Schwing
Tenable Network Security
www.tenablesecurity.com
>
>It is a good tool, but has the drawback of only doing 1 class c at a
>time.
>
>On Fri, 2003-08-15 at 10:50, Ostberg, Alex wrote:
>> We have had a good experience thus far with the eEye tool
>> "RetinaRPCDCOM.exe" which is free.
>>
>> www.eeye.com
>>
>>
>> Thanks,
>> Alex O. Ostberg
>> Data Security Analyst / Network Security Specialist
>> Information Technology Security Office - Information Technology Services
>> Division -
>> Department of Administration - State of Montana
>> Office: 406.444.4557
>> Fax: 406.444.2701
>> Email: aostberg@state.mt.us
>>
>>
>>
>> -----Original Message-----
>> From: brad [mailto:nelson.brad@comcast.net]
>> Sent: Wednesday, August 13, 2003 6:43 PM
>> To: focus-ids@securityfocus.com
>> Subject: Tool to remotely detect MBlaster infected machines?
>>
>>
>> Does anyone know of a tool to remotely detect mblast infected machines? We
>> are checking machines with increased flows on 135 and traffic on 69 udp. Is
>> there a better way?
>>
>> Thanks,
>> Brad
>>
>>
>>
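A passive version of the check discussed in this thread (hosts with increased flows on 135 plus traffic on 69 udp, and the briefly open ports 69 and 4444), as an added example that is not part of the original messages: it flags sources that fan out to many hosts on 135/tcp and notes whether other hosts connected to them on 69/udp or 4444/tcp. The flow record format, addresses, threshold and time window are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample flow records (not real traffic): "epoch src dst proto dport"
SAMPLE_FLOWS = """\
1060959000 10.1.1.23 10.1.2.1 tcp 135
1060959001 10.1.1.23 10.1.2.2 tcp 135
1060959002 10.1.1.23 10.1.2.3 tcp 135
1060959003 10.1.1.23 10.1.2.4 tcp 135
1060959004 10.1.2.3 10.1.1.23 udp 69
1060959010 10.1.1.40 10.1.1.5 tcp 135
1060959030 10.1.1.77 10.1.3.1 tcp 135
1060959031 10.1.1.77 10.1.3.2 tcp 135
1060959032 10.1.1.77 10.1.3.3 tcp 135
1060959033 10.1.1.77 10.1.3.4 tcp 135
"""

def parse_flows(text):
    """Yield (ts, src, dst, proto, dport) from whitespace-separated records."""
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) != 5:
            raise ValueError(f"line {n}: expected 5 fields, got {len(parts)}")
        ts, src, dst, proto, dport = parts
        yield int(ts), src, dst, proto.lower(), int(dport)

def triage(text, fanout_threshold=4, window=60):
    """Flag sources reaching >= fanout_threshold distinct hosts on 135/tcp
    within `window` seconds; list 69/udp or 4444/tcp traffic sent to them."""
    rpc = defaultdict(list)     # src -> [(ts, dst)] for 135/tcp flows
    served = defaultdict(set)   # host -> ports others connected to on it
    for ts, src, dst, proto, dport in parse_flows(text):
        if (proto, dport) == ("tcp", 135):
            rpc[src].append((ts, dst))
        elif (proto, dport) in (("udp", 69), ("tcp", 4444)):
            served[dst].add(f"{dport}/{proto}")
    report = {}
    for src, hits in rpc.items():
        hits.sort()
        best, lo = 0, 0
        for hi in range(len(hits)):          # sliding time window
            while hits[hi][0] - hits[lo][0] > window:
                lo += 1
            best = max(best, len({d for _, d in hits[lo:hi + 1]}))
        if best >= fanout_threshold:
            report[src] = {"fanout": best, "corroborated": sorted(served[src])}
    return report
```

A flagged host with an empty `corroborated` list shows only the 135/tcp fan-out, which a vulnerability scanner also produces, so it needs a second look before being treated as infected.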