RE: Tool to remotely detect MBlaster infected machines?

From: Graham, Robert (ISS Atlanta) (rgraham_at_iss.net)
Date: 08/15/03

    Date: Fri, 15 Aug 2003 17:59:24 -0400
    To: <schwing@tenablesecurity.com>, <focus-ids@securityfocus.com>
    
    

    The original question asked about looking for infected machines, not vulnerable machines.

    Unfortunately, you can't scan for infected machines, because they take down port 135. You could theoretically scan for port 69 or 4444 open on infected machines; those are only open for a short period of time.

    However, for scanning for the vulnerability, ISS shipped a freeware tool:
    http://www.iss.net/support/product_utilities/ms03-026rpc.php
    It quickly scans a class B.

    -----Original Message-----
    From: schwing@tenablesecurity.com [mailto:schwing@tenablesecurity.com]
    Sent: Friday, August 15, 2003 12:24 PM
    To: focus-ids@securityfocus.com
    Subject: Re: Tool to remotely detect MBlaster infected machines?

    In-Reply-To: <1060959531.6927.8.camel@icehouse.is.gatech.edu>

    You can also use Nessus plugin Check 11818, "The remote host is infected by
    msblast.exe".

    If you need to scan more than one class C at a time you could use the
    Tenable Lightning Console and Proxy to scan multiple class B's at the same
    time.

    Stephen Schwing
    Tenable Network Security
    www.tenablesecurity.com

    >
    >It is a good tool, but has the drawback of only doing 1 class c at a
    >time.
    >
    >On Fri, 2003-08-15 at 10:50, Ostberg, Alex wrote:
    >> We have had a good experience thus far with the eEye tool
    >> "RetinaRPCDCOM.exe" which is free.
    >>
    >> www.eeye.com
    >>
    >>
    >> Thanks,
    >> Alex O. Ostberg
    >> Data Security Analyst / Network Security Specialist
    >> Information Technology Security Office - Information Technology Services
    >> Division -
    >> Department of Administration - State of Montana
    >> Office: 406.444.4557
    >> Fax: 406.444.2701
    >> Email: aostberg@state.mt.us
    >>
    >>
    >>
    >> -----Original Message-----
    >> From: brad [mailto:nelson.brad@comcast.net]
    >> Sent: Wednesday, August 13, 2003 6:43 PM
    >> To: focus-ids@securityfocus.com
    >> Subject: Tool to remotely detect MBlaster infected machines?
    >>
    >>
    >> Does anyone know of a tool to remotely detect mblast infected machines? We
    >> are checking machines with increased flows on 135 and traffic on 69 udp. Is
    >> there a better way?
    >>
    >> Thanks,
    >> Brad
    >>
    >>
    >>
    >> ---------------------------------------------------------------------------
    >> Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
    >>  - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
    >>  - Automatically Control P2P, IM and Spam Traffic
    >>  - Ensure Reliable Performance of Mission Critical Applications
    >> Precisely Define and Implement Network Security and Performance Policies
    >> **FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
    >> Visit us at: http://www.captusnetworks.com/ads/31.htm
    >> ---------------------------------------------------------------------------
    

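The passive check discussed in this thread (increased flows on 135, traffic on 69 udp, and port 4444 from the reply), written out as an added example that is not part of the original messages or any tool named in them. The flow tuples, addresses and the fan-out threshold of 20 are constructed assumptions.

```python
from collections import defaultdict

FANOUT_THRESHOLD = 20  # assumed cut-off; tune against your own baseline


def build_sample_flows():
    """Constructed flow records (not real traffic): (src, dst, proto, dst_port)."""
    flows = [("10.0.0.5", f"10.0.1.{i}", "tcp", 135) for i in range(1, 41)]
    flows += [("10.0.0.6", f"10.0.2.{i}", "tcp", 135) for i in range(1, 31)]
    flows += [
        ("10.0.1.7", "10.0.0.5", "udp", 69),   # traffic to port 69 on the scanner
        ("10.0.0.9", "10.0.0.2", "tcp", 135),  # ordinary workstation-to-server RPC
        ("10.0.0.9", "10.0.0.2", "tcp", 135),
        ("10.0.0.9", "10.0.0.3", "tcp", 445),
    ]
    return flows


def suspect_hosts(flows, fanout_threshold=FANOUT_THRESHOLD):
    """Flag sources with high TCP/135 fan-out; traffic seen to their own
    port 69/udp or 4444/tcp raises confidence from medium to high."""
    rpc_targets = defaultdict(set)  # src -> distinct hosts contacted on TCP/135
    indicators = defaultdict(set)   # host -> secondary ports seen open on it
    for src, dst, proto, dport in flows:
        if (proto, dport) == ("tcp", 135):
            rpc_targets[src].add(dst)
        elif (proto, dport) in (("udp", 69), ("tcp", 4444)):
            indicators[dst].add(f"{proto}/{dport}")

    report = []
    for host, targets in rpc_targets.items():
        if len(targets) < fanout_threshold:
            continue  # repeated RPC to a few servers is normal behaviour
        seen = sorted(indicators.get(host, ()))
        report.append({
            "host": host,
            "rpc_fanout": len(targets),
            "indicators": seen,
            "confidence": "high" if seen else "medium",
        })
    # Widest scanners first, host name as tie-breaker for stable output
    return sorted(report, key=lambda r: (-r["rpc_fanout"], r["host"]))


if __name__ == "__main__":
    for row in suspect_hosts(build_sample_flows()):
        print(row)
```

Because it works from flow records rather than probes, this check does not depend on port 135 answering on the suspect host or on catching ports 69 and 4444 during the short window they are open.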