Honestly,
If you haven't been reading on ISC ( isc.sans.org) about the methods that the Downadump and Conflicker worm is working itself way through systems, you might want to take a sniff of that traffic and verify you aren't also under attack from Downadump, being propagated from a Algom Bot at the same time. Folks Symantec research have a really nice write up of what its doing. Z Edward E. Ziots Network Engineer Lifespan Organization Email: [email protected] Phone: 401-639-3505 MCSE, MCP+I, ME, CCA, Security +, Network + ________________________________ From: David McSpadden [mailto:[email protected]] Sent: Thursday, January 29, 2009 10:18 AM To: NT System Admin Issues Subject: RE: agobot in the wild??? I am still a virgin on the app but the reports I am looking at it is any traffic on any port. So as I understand you the VPN'ed pc is getting it's RPC's through port 1025. I wonder why some of the other clients aren't getting the same results from FireGen. I will keep looking. Thanks for the info. ________________________________ From: Jake Gardner [mailto:[email protected]] Sent: Thursday, January 29, 2009 10:17 AM To: NT System Admin Issues Subject: RE: agobot in the wild??? Port 1025 is the MS RPC service. Does FireGen look for particular types of traffic or just any traffic on a port? Thanks, Jake Gardner TTC Network Administrator Ext. 246 ________________________________ From: David McSpadden [mailto:[email protected]] Sent: Thursday, January 29, 2009 9:48 AM To: NT System Admin Issues Subject: agobot in the wild??? I have a concern that a VPN client workstation might have a worm. But only based FireGen reporting tools. Here is a sample of the protocols being used by the client for 1 day. They use Cisco VPN Client to remote in and then use Ultra VNC to stumble around. It is one of my operators so I can just reghost her machine but the Trojan and agobot-worm only talk we my DC's. My feeling is that this is a false positive Because the virii scanner is up to date, spybot is up to date, and I ran an agobot scanner and found nothing. Anyways, has anyone seen this kind of activity on their Windows 2003 Networks using Windows XP clients? Used protocols: - Go to top <file:///C:\Program%20Files\FireGenPix2\html\ip-2009-01-29-093124-ipfore nsics-192_168_100_7.html#top#top> Service First used Last used Connections Protocol: netbios ( <http://www.eventid.net/displayprot.asp?protocol=*&keyword=netbios> UDP/138 <http://www.eventid.net/displayprot.asp?protocol=138> ) Jan 28 2009 00:30:29 Jan 28 2009 23:48:47 373 Protocol: netbios ( <http://www.eventid.net/displayprot.asp?protocol=*&keyword=netbios> UDP/137 <http://www.eventid.net/displayprot.asp?protocol=137> ) Jan 28 2009 01:22:46 Jan 28 2009 23:54:37 320 Protocol: ldap ( <http://www.eventid.net/displayprot.asp?protocol=*&keyword=ldap> UDP/389 <http://www.eventid.net/displayprot.asp?protocol=389> ) Jan 28 2009 01:39:52 Jan 28 2009 23:55:47 174 Protocol: dns ( <http://www.eventid.net/displayprot.asp?protocol=*&keyword=dns> UDP/53 <http://www.eventid.net/displayprot.asp?protocol=53> ) Jan 28 2009 03:00:07 Jan 28 2009 23:55:47 163 Protocol: TCP/82 <http://www.eventid.net/displayprot.asp?protocol=82> Jan 28 2009 04:39:02 Jan 28 2009 23:54:23 132 Protocol: kerberos ( <http://www.eventid.net/displayprot.asp?protocol=*&keyword=kerberos> TCP/88 <http://www.eventid.net/displayprot.asp?protocol=88> ) Jan 28 2009 06:09:05 Jan 28 2009 23:55:49 126 Protocol: netbios ( <http://www.eventid.net/displayprot.asp?protocol=*&keyword=netbios> TCP/445 <http://www.eventid.net/displayprot.asp?protocol=445> ) Jan 28 2009 06:09:04 Jan 28 2009 23:55:47 92 Protocol: ms rpc ( <http://www.eventid.net/displayprot.asp?protocol=*&keyword=ms%20rpc> TCP/135 <http://www.eventid.net/displayprot.asp?protocol=135> ) Jan 28 2009 00:05:37 Jan 28 2009 23:44:49 43 Protocol: netbios ( <http://www.eventid.net/displayprot.asp?protocol=*&keyword=netbios> TCP/139 <http://www.eventid.net/displayprot.asp?protocol=139> ) Jan 28 2009 06:33:02 Jan 28 2009 23:48:47 43 Protocol: agobot-worm ( <http://www.eventid.net/displayprot.asp?protocol=*&keyword=agobot-worm> TCP/1025 <http://www.eventid.net/displayprot.asp?protocol=1025> ) Jan 28 2009 06:39:59 Jan 28 2009 23:44:50 29 Protocol: trojan ( <http://www.eventid.net/displayprot.asp?protocol=*&keyword=trojan> TCP/1026 <http://www.eventid.net/displayprot.asp?protocol=1026> ) Jan 28 2009 06:30:27 Jan 28 2009 23:15:26 19 Protocol: ldap ( <http://www.eventid.net/displayprot.asp?protocol=*&keyword=ldap> TCP/389 <http://www.eventid.net/displayprot.asp?protocol=389> ) Jan 28 2009 06:46:44 Jan 28 2009 22:46:01 2 Protocol: vnc ( <http://www.eventid.net/displayprot.asp?protocol=*&keyword=vnc> TCP/5900 <http://www.eventid.net/displayprot.asp?protocol=5900> ) Jan 28 2009 21:31:05 Jan 28 2009 21:31:05 1 This e-mail and any files transmitted with it are property of Indiana Members Credit Union, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not one of the named recipient(s) or otherwise have reason to believe that you have received this message in error, please notify the sender and delete this message immediately from your computer. Any other use, retention, dissemination, forwarding, printing, or copying of this email is strictly prohibited. This e-mail and any files transmitted with it are property of Indiana Members Credit Union, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not one of the named recipient(s) or otherwise have reason to believe that you have received this message in error, please notify the sender and delete this message immediately from your computer. Any other use, retention, dissemination, forwarding, printing, or copying of this email is strictly prohibited. ***Teletronics Technology Corporation*** This e-mail is confidential and may also be privileged. If you are not the addressee or authorized by the addressee to receive this e-mail, you may not disclose, copy, distribute, or use this e-mail. If you have received this e-mail in error, please notify the sender immediately by reply e-mail or by telephone at 267-352-2020 and destroy this message and any copies. Thank you. ******************************************************************* ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
