re: Help - a possible bot
From: H C (keydet89@yahoo.com)
Date: 11/16/02
- Previous message: Christian Schwede: "Strange Apache logs - maybe DDOS?"
- Maybe in reply to: Moshe Aelion: "Help - a possible bot"
- Next in thread: Moshe Aelion: "Re: Help - a possible bot"
- Reply: Moshe Aelion: "Re: Help - a possible bot"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 16 Nov 2002 05:10:47 -0800 (PST) From: H C <keydet89@yahoo.com> To: incidents@securityfocus.com
> The problem is, I am detecting a suspicious
> hit/respond
> activity, which, in my opinion, points to an active
> bot.
No offense, dude, but you're freaking out over
nothing. Based on the information you provided, there
IS no bot (remember "The Matrix"? "There is no
spoon").
> Here's the evidence: when inspecting ZA logs, you
> can
> see a blocked scan (coming every couple of minutes,
> from arbitrary addresses
The "scans" you're referring to look like NetBIOS name
scans...queries to UDP port 137. On normal MS
networks, these "scans" would originate from UDP port
137, as well. So...they MAY be scans of some kind.
However, the fact that your system is responding would
be indicative of something else, possibly w/ your ZA
installation.
> - I bet they're spoofed
Well, that's not "evidence", now, is it? Also, since
your logs don't show an ICMP port unreachable response
(your system sent out a UDP datagram), that would
indicate that, in fact, the source IPs are NOT
spoofed.
Also, there's nothing in the netstat and fport outputs
that you sent that seems to indicate that you have any
sort of bot or trojan at all. Is there anything
besides the traffic you posted that would lead you to
believe that you had something installed on your
system?
HTH
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
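The triage the reply walks through (are the inbound hits just UDP/137 NetBIOS name queries, and is the host actually answering them?) can be automated over the firewall log. The following is an added example, not code from the original post or from ZoneAlarm: it assumes the ZoneAlarm text-log layout of `FWIN|FWOUT,date,time,src:port,dst:port,proto` and uses constructed sample lines with made-up addresses.

```python
import re
from collections import Counter

# Constructed sample lines in the assumed ZoneAlarm text-log layout
# (FWIN/FWOUT, date, time, src:port, dst:port, proto); addresses are made up.
SAMPLE_LOG = """\
FWIN,2002/11/16,05:01:12 -8:00 GMT,203.0.113.45:137,192.0.2.10:137,UDP
FWIN,2002/11/16,05:03:40 -8:00 GMT,198.51.100.7:137,192.0.2.10:137,UDP
FWIN,2002/11/16,05:05:02 -8:00 GMT,198.51.100.7:4321,192.0.2.10:137,UDP
FWOUT,2002/11/16,05:05:02 -8:00 GMT,192.0.2.10:137,198.51.100.7:4321,UDP
FWIN,2002/11/16,05:06:15 -8:00 GMT,203.0.113.45:3928,192.0.2.10:80,TCP (flags:S)
FWOUT,2002/11/16,05:07:00 -8:00 GMT,192.0.2.10:1025,203.0.113.99:443,TCP (flags:S)
"""

LINE_RE = re.compile(
    r"^(?P<dir>FWIN|FWOUT),(?P<date>[^,]+),(?P<time>[^,]+),"
    r"(?P<src>[^:,]+):(?P<sport>\d+),(?P<dst>[^:,]+):(?P<dport>\d+),(?P<proto>\w+)"
)

def parse_zonealarm(text):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
            entries.append(e)
    return entries

def classify(e):
    """Label one entry the way the reply above reasons about the traffic."""
    udp = e["proto"] == "UDP"
    if e["dir"] == "FWIN" and udp and e["dport"] == 137:
        # NetBIOS name-service query: routine Internet background noise,
        # typically sourced from port 137 as well on Windows senders.
        return "inbound-netbios-name-query"
    if e["dir"] == "FWOUT" and udp and e["sport"] == 137:
        # The host is answering name queries; that points at host/firewall
        # configuration rather than at malware.
        return "outbound-netbios-reply"
    return "other"

def triage(text):
    """Summarise: how many queries, from how many sources, and is the host replying?"""
    entries = parse_zonealarm(text)
    counts = Counter(classify(e) for e in entries)
    sources = {e["src"] for e in entries if classify(e) == "inbound-netbios-name-query"}
    return {"counts": dict(counts), "distinct_query_sources": len(sources),
            "host_is_replying": counts["outbound-netbios-reply"] > 0}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```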
- Next message: Dan Perez: "RE: Help - a possible bot"