Re: Help - a possible bot

From: Jon Nelson (quincy@linuxnotes.net)
Date: 11/16/02

    Date: Sat, 16 Nov 2002 09:47:00 -0500 (EST)
    From: "Jon Nelson" <quincy@linuxnotes.net>
    To: <incidents@securityfocus.com>
    
    

    Moshe Aelion said:
    > Hi everybody
    >
    > discovered within about 10 minutes. I then installed ZoneAlarm Pro.

    Did you have a firewall before? Now that you have one you'll see how much
    137/udp traffic you get, it's a lot.

    >
    > inspecting ZA logs, you can see a blocked scan (coming every couple of
    > minutes, from arbitrary addresses - I bet they're spoofed - and soon
    > after, the computer responds with a (blocked) attempt to communicate
    > with that address. This points to an active bot (in my opinion)

    I don't see where "...the computer immediately tries to respond". All the
    incoming attempts are NetBIOS 137/udp and the RuLaunch is HTTP (80/tcp)
    and not to the same IP.

    >8 ACCESS,22:01:52,RuLaunch blocked from connecting to Internet
    >(216.49.88.100:HTTP)

    As far as the program being blocked, a Google search for "RuLaunch" shows
    that it is McAfee, your antivirus software. It's probably checking for
    updates/registration.

    Jon

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com