Re: Detecting Blaster

From: Brian DeLine (Brian_DeLine_at_hermanmiller.com)
Date: 08/14/03

    To: focus-ms@securityfocus.com
    Date: Thu, 14 Aug 2003 16:17:53 -0400
    
    

    You can also monitor your firewall logs for outbound attempts against port 4444/TCP.
    You can find hosts on the same LAN by configuring Ethereal to look for ARP requests. Infected hosts will be generating incremental ARP requests that should be quite distinctive.

    From: "Bob Sadler" <bobs@LEAWOOD.ORG>
    To: <focus-ms@securityfocus.com>
    cc:
    Subject: Detecting Blaster
    Date: 08/14/2003 01:14 PM

    I have been trying to figure out if there is a way that I can detect
    signs of Blaster on a large number of machines on a network without
    having to actually visit each one.

    I have a port scanner (Ethereal) and have it set up to look at any frame
    with destination port 135. Is there a better way to do this, or is the
    way I'm trying to do this all wrong in the first place?

    Bob Sadler
    City of Leawood, KS, USA
    WAN/Internet Specialist
    913-339-6700 x194


    ---------------------------------------------------------------------------
    Your network firewall and IDS products do not prevent Web application
    attacks - the most common form of online exploitation- resulting in Web
    defacement, data theft, sabotage and fraud.
    KaVaDo is the only company that provides a complete suite of Web
    application security products.
    Download a FREE whitepaper on "Security Policy Automation for Web
    Applications":http://www.securityfocus.com/Kavado-focus-ms
    ---------------------------------------------------------------------------
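
The incremental ARP pattern mentioned in the reply above can be checked offline against an exported list of ARP requests. This is an added example, not part of the original thread; the (sender, target) input format, the sample addresses and the `min_run` threshold of 20 are assumptions.

```python
import ipaddress
from collections import defaultdict


def sample_arp_requests():
    """Constructed sample of (sender IP, target IP) ARP requests, not real traffic."""
    reqs = [("10.0.0.5", "10.0.0.1"), ("10.0.0.7", "10.0.0.1"),
            ("10.0.0.5", "10.0.0.20")]
    # 10.0.0.23 asks for every address in turn, like a host walking the subnet.
    reqs += [("10.0.0.23", f"10.0.0.{n}") for n in range(30, 60)]
    reqs += [("10.0.0.7", "10.0.0.9")]
    return reqs


def longest_incremental_run(targets):
    """Length of the longest run in which each new target is the previous one + 1.

    A repeated target (an ARP retry for an address that did not answer)
    neither extends nor resets the run.
    """
    best = run = 1 if targets else 0
    for prev, cur in zip(targets, targets[1:]):
        step = int(cur) - int(prev)
        if step == 0:
            continue
        run = run + 1 if step == 1 else 1
        best = max(best, run)
    return best


def find_sweepers(requests, min_run=20):
    """Return {sender: longest run} for senders whose ARP targets increment
    one address at a time for at least min_run requests (assumed threshold)."""
    per_sender = defaultdict(list)
    for sender, target in requests:  # capture order is kept per sender
        per_sender[sender].append(ipaddress.IPv4Address(target))
    flagged = {}
    for sender, targets in per_sender.items():
        run = longest_incremental_run(targets)
        if run >= min_run:
            flagged[sender] = run
    return flagged


if __name__ == "__main__":
    for host, run in find_sweepers(sample_arp_requests()).items():
        print(f"{host}: {run} consecutive incremental ARP requests")
```

Hosts flagged this way are candidates for a closer look, for example by cross-checking them against firewall log entries for outbound 4444/TCP.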


