There is a minor difference in how a machine patched for real against MS08-067 and a machine infected with Conficker, which patches the vulnerability only partly, react.

All this just surfaced this weekend. On the site you quote you find all details and some Python scripts implementing it.

cheers,
Toralv

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of RandallM
> Sent: Wednesday, 1 April 2009 03:14
> To: funsec
> Cc: Michael Quinn; Brent/work
> Subject: [funsec] question on scanning for conflicker
>
> what is a common thing to notice about scanning for
> Conficker? One site said a simple scan can distinguish between
> clean and unclean ..:
>
> "Another option is to actively scan for Conficker machines.
> There is a way to distinguish infected machines from clean
> ones based on the error code for some specially crafted RPC
> messages. Conficker tries to filter out further exploitation
> attempts which results in uncommon responses"
> http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker
>
> Therefore, does this mean it gives what kind of response
> back..closes the response or what? What "error code" will it produce?
>
> Some results I did today using Nmap had some close it and
> others doing a syn-ack back
>
> one result:
>
> Host 10.0.1.40 appears to be up ... good.
> Scanned at 2009-03-31 15:19:19 Central Daylight Time for 2s
> Interesting ports on 10.0.1.40:
> PORT    STATE  SERVICE      REASON
> 445/tcp closed microsoft-ds reset
> Final times for host: srtt: 0 rttvar: 5000 to: 100000
>
> and then another was:
>
> Host colossus.magnet.local (10.0.1.42) appears to be up ... good.
> Scanned at 2009-03-31 15:19:19 Central Daylight Time for 4s
> Interesting ports on colossus.magnet.local (10.0.1.42):
> PORT    STATE SERVICE      REASON
> 445/tcp open  microsoft-ds syn-ack
>
> Host script results:
> | smb-check-vulns:
> |   MS08-067: NOT RUN
> |   Conficker: Likely CLEAN
> |_  regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
> Final times for host: srtt: 0 rttvar: 5000 to: 100000
>
> if I understand the above results it seems the "reset" is my concern.
> Others just said "no-response" meaning not open perhaps.
>
> Any input for me?
>
> --
> been great, thanks
> Big R a.k.a System
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
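As an added example, not code from the thread or from the Bonn scripts it points to: a small Python parser for the Nmap output format quoted in the message, pulling out the port 445 state/reason and the smb-check-vulns Conficker verdict per host, so that a closed/reset port is reported as "no verdict" rather than read as an infection indicator. The sample text is constructed from the two host blocks above.

```python
import re
# Constructed sample: the two host blocks quoted in the thread, as one Nmap run.
NMAP_OUTPUT = """\
Host 10.0.1.40 appears to be up ... good.
Interesting ports on 10.0.1.40:
PORT    STATE  SERVICE      REASON
445/tcp closed microsoft-ds reset

Host colossus.magnet.local (10.0.1.42) appears to be up ... good.
Interesting ports on colossus.magnet.local (10.0.1.42):
PORT    STATE SERVICE      REASON
445/tcp open  microsoft-ds syn-ack

Host script results:
| smb-check-vulns:
|   MS08-067: NOT RUN
|   Conficker: Likely CLEAN
|_  regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
"""
HOST_RE = re.compile(r"^Host (\S+)(?: \((\S+)\))? appears to be up")
PORT_RE = re.compile(r"^(\d+)/tcp\s+(\S+)\s+(\S+)\s+(\S+)")
SCRIPT_RE = re.compile(r"^\|_?\s+(MS08-067|Conficker): (.+)$")

def parse_nmap(text):
    # Returns {ip: {"port445": (state, reason) or None, "conficker": verdict or None}}
    hosts, cur = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:  # new host block; prefer the IP in parentheses over the hostname
            cur = hosts.setdefault(m.group(2) or m.group(1),
                                   {"port445": None, "conficker": None})
        if cur is None:
            continue
        m = PORT_RE.match(line)
        if m and m.group(1) == "445":
            cur["port445"] = (m.group(2), m.group(4))
        m = SCRIPT_RE.match(line)
        if m and m.group(1) == "Conficker":
            cur["conficker"] = m.group(2).strip()
    return hosts

def triage(host):
    # Only the smb-check-vulns result is a verdict; a closed/filtered 445 is not evidence.
    port, verdict = host["port445"], host["conficker"]
    if verdict is not None:
        return "conficker-check: " + verdict
    if port is None or port[0] != "open":
        return "no verdict (445 not open: %s)" % ("/".join(port) if port else "no data")
    return "no verdict (445 open, smb-check-vulns did not report)"
```

Hosts that come back as "no verdict" are the ones the RPC-based check from the Bonn page would still need to be run against once 445 is reachable.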
