Re: Help - a possible bot

From: Moshe Aelion (ma0934@hotmail.com)
Date: 11/22/02

  • Next message: Jason Frey: "RE: New scanner?" 
    From: "Moshe Aelion" <ma0934@hotmail.com>
To: "H C" <keydet89@yahoo.com>, <incidents@securityfocus.com>
Date: Fri, 22 Nov 2002 16:15:24 +0200

    HC

    Referring to parts of your message:

    >"However, the fact that your system is responding would be indicative of
    something else, possibly w/ your ZA installation".
    What do you mean by that, and how can I confirm/disprove it?

    >Also, since your logs don't show an ICMP port unreachable response (your
    system sent out a UDP datagram), that would indicate that, in fact, >the
    source IPs are NOT spoofed.
    The source addresses are completely random, and they turn up absolutely
    nothing in a reverse resolution and WHOIS queries. In fact, this is
    happening only with the source IP addresses of the probes to which the PC is
    trying to respond; the other probes, ignored by the PC, have a resolved host
    name (you can see it in the ZA log attached). I think this is very
    suspicious - in fact, it's a pretty unique and discernible behavior - is
    anyone familiar with a bot/Trojan behaving this way?

    >Is there anything besides the traffic you posted that would lead you to
    believe that you had something installed on your system?
    Like I mentioned above: 1. The immediate response attempt to the probe; and
    2. The fact that when the Internet is on-line, the explorer and svchost
    processes are constantly active, with I/O of 25-30 kbps. This ceases when I
    go off-line.

    Is this behavior similar to any known bot infection?

    Thanks in advance

    Moshe

    ---------------------------------- Original
    Message ----- ----------------------------------------
    From: H C
    To: incidents@securityfocus.com
    Sent: Saturday, November 16, 2002 3:10 PM
    Subject: re: Help - a possible bot

    > The problem is, I am detecting a suspicious
    hit/respond
    > activity, which, in my opinion, points to an active
    > bot.

    No offense, dude, but you're freaking out over
    nothing. Based on the information you provided, there
    IS no bot (remember "The Matrix"? "There is no
    spoon").

    > Here's the evidence: when inspecting ZA logs, you
    can
    > see a blocked scan (coming every couple of minutes,
    > from arbitrary addresses

    The "scans" you're referring to look like NetBIOS name
    scans...queries to UDP port 137. On normal MS
    networks, these "scans" would originate from UDP port
    137, as well. So...they MAY be scans of some kind.
    However, the fact that your system is responding would
    be indicative of something else, possibly w/ your ZA
    installation.

    > - I bet they're spoofed

    Well, that's not "evidence", now, is it? Also, since
    your logs don't show an ICMP port unreachable response
    (your system sent out a UDP datagram), that would
    indicate that, in fact, the source IPs are NOT
    spoofed.

    Also, there's nothing in the netstat and fport outputs
    that you sent that seem to indicate that you have any
    sort of bot or trojan at all. Is there anything
    besides the traffic you posted that would lead you to
    believe that you had something installed on your
    system?

    HTH

    __________________________________________________
    Do you Yahoo!?
    Yahoo! Web Hosting - Let the expert host your site
    http://webhosting.yahoo.com

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com

    • Quantcast