Re: Help - a possible bot
From: Jon Nelson (quincy@linuxnotes.net)
Date: 11/16/02
Date: Sat, 16 Nov 2002 09:47:00 -0500 (EST)
From: "Jon Nelson" <quincy@linuxnotes.net>
To: <incidents@securityfocus.com>
Moshe Aelion said:
> Hi everybody
>
> discovered within about 10 minutes. I then installed ZoneAlarm Pro.
Did you have a firewall before? Now that you have one you'll see how much
137/udp traffic you get; it's a lot.
>
> inspecting ZA logs, you can see a blocked scan (coming every couple of
> minutes, from arbitrary addresses - I bet they're spoofed) and soon
> after, the computer responds with a (blocked) attempt to communicate
> with that address. This points to an active bot (in my opinion).
I don't see where "...the computer immediately tries to respond". All the
incoming attempts are NetBIOS 137/udp and the RuLaunch is HTTP (80/tcp)
and not to the same IP.
>8 ACCESS,22:01:52,RuLaunch blocked from connecting to Internet
>(216.49.88.100:HTTP)
As far as the program being blocked, a Google search for "RuLaunch" shows
that it is McAfee, your antivirus software. It's probably checking for
updates/registration.
Jon
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
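
Added example, not part of the original message or of any ZoneAlarm tooling: a small Python check of the reasoning in the reply above, which treats an outbound attempt as a "response" to a blocked inbound probe only when it goes to the same remote IP shortly afterwards. The record layout, the 30-second window, the program name example.exe and every sample line except the RuLaunch destination 216.49.88.100 are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed records in a simplified layout (NOT ZoneAlarm's real log format):
# time, direction, remote IP, protocol/port, local program.
# Only the RuLaunch destination 216.49.88.100 comes from the thread.
SAMPLE = """\
22:00:10,IN,198.51.100.7,udp/137,-
22:01:52,OUT,216.49.88.100,tcp/80,RuLaunch
22:03:31,IN,203.0.113.45,udp/137,-
22:03:33,OUT,203.0.113.45,udp/137,example.exe
"""

def parse(text):
    """Turn the constructed CSV lines into event dicts (single day assumed)."""
    events = []
    for line in text.strip().splitlines():
        t, direction, ip, service, program = line.split(",")
        events.append({
            "time": datetime.strptime(t, "%H:%M:%S"),
            "dir": direction,
            "ip": ip,
            "service": service,
            "program": program,
        })
    return events

def correlate(events, window=timedelta(seconds=30)):
    """Label each blocked outbound attempt.

    'response'  : a blocked inbound probe from the same remote IP arrived
                  no more than `window` before the outbound attempt.
    'unrelated' : no such probe, e.g. an updater contacting its own server.
    """
    inbound = [e for e in events if e["dir"] == "IN"]
    results = []
    for out in (e for e in events if e["dir"] == "OUT"):
        matched = any(
            probe["ip"] == out["ip"]
            and timedelta(0) <= out["time"] - probe["time"] <= window
            for probe in inbound
        )
        results.append((out["program"], out["ip"],
                        "response" if matched else "unrelated"))
    return results

if __name__ == "__main__":
    for program, ip, verdict in correlate(parse(SAMPLE)):
        print(f"{program:12} -> {ip:15} {verdict}")
```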