FireGen has a config file for known traffic across known ports. It just happens the agobot and some worm used 1025 and 1026 at some point in the FireGen lifecycle, so they are hard coded as such. After talking with the support and looking at the ethereal packet traces we remarked out those ports/virii. As long as I know I have current virii scanners on all PCs on my network I won't worry about the agobot. If I see continued traffic I will report it to the virii people and let them determine if I have a newly found watchamagig on my network.

Thanks again for the shared knowledge. You all responded 12 hours faster than the support techs did, and even though it wasn't anything we thought, looking down those avenues always expands my knowledge of what might be out there... :-)

________________________________
From: Ken Schaefer [mailto:[email protected]]
Sent: Thursday, January 29, 2009 10:18 PM
To: NT System Admin Issues
Subject: RE: agobot in the wild???

135 is the RPC Port Mapper. RPC services use random port numbers > 1024. There is nothing special about 1025 except that it's the first port above 1024.

Cheers
Ken

From: Jake Gardner [mailto:[email protected]]
Sent: Friday, 30 January 2009 2:17 AM
To: NT System Admin Issues
Subject: RE: agobot in the wild???

Port 1025 is the MS RPC service. Does FireGen look for particular types of traffic or just any traffic on a port?

Thanks,
Jake Gardner
TTC Network Administrator
Ext. 246

***Teletronics Technology Corporation*** This e-mail is confidential and may also be privileged. If you are not the addressee or authorized by the addressee to receive this e-mail, you may not disclose, copy, distribute, or use this e-mail. If you have received this e-mail in error, please notify the sender immediately by reply e-mail or by telephone at 267-352-2020 and destroy this message and any copies. Thank you.

________________________________
From: David McSpadden [mailto:[email protected]]
Sent: Thursday, January 29, 2009 9:48 AM
To: NT System Admin Issues
Subject: agobot in the wild???

I have a concern that a VPN client workstation might have a worm, but only based on FireGen reporting tools. Here is a sample of the protocols being used by the client for 1 day. They use Cisco VPN Client to remote in and then use Ultra VNC to stumble around. It is one of my operators so I can just reghost her machine, but the Trojan and agobot-worm only talk with my DC's. My feeling is that this is a false positive because the virii scanner is up to date, spybot is up to date, and I ran an agobot scanner and found nothing. Anyways, has anyone seen this kind of activity on their Windows 2003 Networks using Windows XP clients?

Used protocols:

Service                     First used             Last used              Connections
netbios (UDP/138)           Jan 28 2009 00:30:29   Jan 28 2009 23:48:47   373
netbios (UDP/137)           Jan 28 2009 01:22:46   Jan 28 2009 23:54:37   320
ldap (UDP/389)              Jan 28 2009 01:39:52   Jan 28 2009 23:55:47   174
dns (UDP/53)                Jan 28 2009 03:00:07   Jan 28 2009 23:55:47   163
TCP/82                      Jan 28 2009 04:39:02   Jan 28 2009 23:54:23   132
kerberos (TCP/88)           Jan 28 2009 06:09:05   Jan 28 2009 23:55:49   126
netbios (TCP/445)           Jan 28 2009 06:09:04   Jan 28 2009 23:55:47   92
ms rpc (TCP/135)            Jan 28 2009 00:05:37   Jan 28 2009 23:44:49   43
netbios (TCP/139)           Jan 28 2009 06:33:02   Jan 28 2009 23:48:47   43
agobot-worm (TCP/1025)      Jan 28 2009 06:39:59   Jan 28 2009 23:44:50   29
trojan (TCP/1026)           Jan 28 2009 06:30:27   Jan 28 2009 23:15:26   19
ldap (TCP/389)              Jan 28 2009 06:46:44   Jan 28 2009 22:46:01   2
vnc (TCP/5900)              Jan 28 2009 21:31:05   Jan 28 2009 21:31:05   1

(In the FireGen report each service name and port links to eventid.net, e.g. <http://www.eventid.net/displayprot.asp?protocol=*&keyword=agobot-worm> and <http://www.eventid.net/displayprot.asp?protocol=1025> for the flagged row.)

This e-mail and any files transmitted with it are property of Indiana Members Credit Union, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not one of the named recipient(s) or otherwise have reason to believe that you have received this message in error, please notify the sender and delete this message immediately from your computer. Any other use, retention, dissemination, forwarding, printing, or copying of this email is strictly prohibited.
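The thread's conclusion is that FireGen names traffic from a static port-to-name table, so anything on TCP/1025 becomes "agobot-worm" even when it is just the first RPC dynamic port handed out after a query to the endpoint mapper on 135. The script below is an added illustration, not FireGen's code or anything posted in the thread: it labels constructed connection records first with a port-only table of the kind described, then with Ken's observation applied across the whole Windows XP/2003 default dynamic range (1025-5000), so that a dynamic-range TCP connection from a client that has also talked to the endpoint mapper on the same server is reported as an RPC endpoint. The static table, log lines and addresses are all constructed for the example.

```python
"""Port-name labelling (FireGen-style) versus RPC-aware labelling of connection
records. Added illustration; the table, log lines and addresses are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical static table in the style the thread describes: a port number
# maps straight to a service or malware name, so 1025/1026 come out as
# "agobot-worm"/"trojan" regardless of what the traffic actually is.
STATIC_PORT_LABELS = {
    53: "dns", 88: "kerberos", 135: "ms rpc", 137: "netbios", 138: "netbios",
    139: "netbios", 389: "ldap", 445: "netbios", 1025: "agobot-worm",
    1026: "trojan", 5900: "vnc",
}

EPMAP_PORT = 135                    # RPC endpoint mapper
DYNAMIC_PORTS = range(1025, 5001)   # default RPC dynamic range on Windows XP/2003


@dataclass(frozen=True)
class Conn:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int


def parse_log(lines):
    """Parse constructed 'timestamp src dst proto/port' records into Conn objects."""
    conns = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, svc = line.split()
        proto, port = svc.split("/")
        conns.append(Conn(ts, src, dst, proto.upper(), int(port)))
    return conns


def static_label(conn):
    """What a port-only table reports for one connection."""
    return STATIC_PORT_LABELS.get(conn.dport, f"{conn.proto}/{conn.dport}")


def rpc_aware_labels(conns):
    """Re-label dynamic-range TCP connections as RPC endpoints when the same
    client has queried the endpoint mapper on the same server within the
    reporting window; everything else keeps its static label."""
    epmap_pairs = {(c.src, c.dst) for c in conns
                   if c.proto == "TCP" and c.dport == EPMAP_PORT}
    labelled = []
    for c in conns:
        if c.proto == "TCP" and c.dport in DYNAMIC_PORTS and (c.src, c.dst) in epmap_pairs:
            labelled.append((c, "ms rpc (dynamic endpoint)"))
        else:
            labelled.append((c, static_label(c)))
    return labelled


def summarize(labelled):
    """Count connections per label, like the per-day 'Used protocols' summary."""
    counts = defaultdict(int)
    for _, label in labelled:
        counts[label] += 1
    return dict(counts)


# Constructed records: a VPN client talking to a DC (192.168.100.2), to a
# second host it never queried the mapper on (192.168.100.9), and to a VNC host.
SAMPLE_LOG = """\
# timestamp            client         server          proto/port
2009-01-28T00:05:37    192.168.100.7  192.168.100.2   tcp/135
2009-01-28T06:09:04    192.168.100.7  192.168.100.2   tcp/445
2009-01-28T06:30:27    192.168.100.7  192.168.100.2   tcp/1026
2009-01-28T06:39:59    192.168.100.7  192.168.100.2   tcp/1025
2009-01-28T07:00:00    192.168.100.7  192.168.100.9   tcp/1025
2009-01-28T21:31:05    192.168.100.7  192.168.100.50  tcp/5900
"""

if __name__ == "__main__":
    conns = parse_log(SAMPLE_LOG.splitlines())
    print("static   :", summarize([(c, static_label(c)) for c in conns]))
    print("rpc-aware:", summarize(rpc_aware_labels(conns)))
```

With the static table the sample shows two "agobot-worm" hits and one "trojan"; with the endpoint-mapper context the two connections to the DC become RPC endpoints, and only the 1025 connection to the host that never saw a port 135 query keeps its worm label. That remaining hit is the one worth a packet capture, which is what the thread's author did with Ethereal before commenting the ports out of the FireGen config.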
