Re: Detecting Blaster

From: James Riden (j.riden@massey.ac.nz)
Date: Thu Aug 14 2003 - 15:33:01 CDT


"Bob Sadler" <bobs@LEAWOOD.ORG> writes:

> I have been trying to figure out if there is a way that I can detect
> signs of Blaster on a large number of machines on a network without
> having to actually visit each one.
>
> I have a port scanner (Ethereal) and have it set up to look at any frame
> with destination port 135. Is there a better way to do this, or is the
> way I'm trying to do this all wrong in the first place?

Scanning through port 135, incrementing the IP address by one each
time is pretty typical for this worm. But I'd use e.g. snort's
portscan detection to pull out the portscans and then do some analysis
with a perl script.

There's a lot of traffic out there and you don't want to be looking at
it by hand.

cheers,
 Jamie
--
James Riden / j.riden@massey.ac.nz / Systems Programmer - Security
GPG public key available at: http://www.massey.ac.nz/~jriden/
This post does not necessarily represent the views of my employer.
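The analysis step Jamie describes, pulling sources that walk port 135 across consecutive addresses out of a portscan log, as an added example that is not part of the original post or of snort. It is written in Python rather than perl and assumes a simple "timestamp src:sport -> dst:dport" line layout (constructed here; snort's real portscan log may differ, so adjust the regex to your logger's format). The sample lines are constructed: one host sweeps 10.0.5.1 through 10.0.5.12 on port 135, the others are ordinary traffic.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log. The layout is an assumption for this example,
# not a quote of any real tool's output.
SAMPLE_LOG = """\
Aug 14 15:30:01 10.0.3.17:1031 -> 10.0.5.1:135 SYN
Aug 14 15:30:01 10.0.3.17:1032 -> 10.0.5.2:135 SYN
Aug 14 15:30:01 10.0.3.17:1033 -> 10.0.5.3:135 SYN
Aug 14 15:30:01 10.0.3.17:1034 -> 10.0.5.4:135 SYN
Aug 14 15:30:02 10.0.3.17:1035 -> 10.0.5.5:135 SYN
Aug 14 15:30:02 10.0.3.17:1036 -> 10.0.5.6:135 SYN
Aug 14 15:30:02 10.0.3.17:1037 -> 10.0.5.7:135 SYN
Aug 14 15:30:02 10.0.3.17:1038 -> 10.0.5.8:135 SYN
Aug 14 15:30:03 10.0.3.17:1039 -> 10.0.5.9:135 SYN
Aug 14 15:30:03 10.0.3.17:1040 -> 10.0.5.10:135 SYN
Aug 14 15:30:03 10.0.3.17:1041 -> 10.0.5.11:135 SYN
Aug 14 15:30:03 10.0.3.17:1042 -> 10.0.5.12:135 SYN
Aug 14 15:30:05 10.0.9.4:2201 -> 10.0.1.10:135 SYN
Aug 14 15:30:06 10.0.9.4:2202 -> 10.0.1.10:139 SYN
Aug 14 15:30:07 10.0.7.7:3300 -> 10.0.2.5:135 SYN
Aug 14 15:30:08 10.0.7.7:3301 -> 10.0.2.40:135 SYN
Aug 14 15:30:09 10.0.7.7:3302 -> 10.0.6.3:135 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)


def parse_line(line):
    """Return (src, dst, dport) for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("src"), m.group("dst"), int(m.group("dport"))


def longest_sequential_run(ips):
    """Length of the longest run of numerically consecutive IPv4 addresses.

    A host that increments the target address by one on every probe
    produces a long run here; ordinary clients do not.
    """
    values = sorted({int(ipaddress.IPv4Address(ip)) for ip in ips})
    best = run = 1 if values else 0
    for prev, cur in zip(values, values[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_sequential_scanners(lines, port=135, min_run=8):
    """Map each source that swept at least min_run consecutive hosts on `port`
    to a summary of what it touched. min_run is a tuning knob, not a rule."""
    targets = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        if dport == port:
            targets[src].add(dst)

    suspects = {}
    for src, dsts in targets.items():
        run = longest_sequential_run(dsts)
        if run >= min_run:
            suspects[src] = {"targets": len(dsts), "longest_run": run}
    return suspects


if __name__ == "__main__":
    for src, info in find_sequential_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {info['targets']} port-135 targets, "
              f"longest consecutive run {info['longest_run']}")
```

Feed it your real portscan log on stdin or via a file instead of SAMPLE_LOG and lower or raise min_run to match how noisy the segment is; the host that is flagged is the one to go and look at, rather than every frame to port 135.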
