RE: [Full-Disclosure] Nachi Worm
- To: "Discini, Sonny" <Sonny.Discini@montgomerycountymd.gov>, "David Loyd" <2of2@unimatrix01.us>, <isp-security@isp-securtiy.com>
- Subject: RE: [Full-Disclosure] Nachi Worm
- From: "Norman Girard" <ngirard@qualys.com>
- Date: Thu, 4 Dec 2003 14:32:00 -0800
That's true. As soon as the box is infected, port 707 is open and offers
remote shell access. But the port is actually dynamic if the port was already
open before the infection.
The trouble is that Nessus will just tell you that the port is open. And it's
pretty tough to highlight it on a yellow page book report based on a couple of
class-B scans... ;-)
-----Original Message-----
From: Discini, Sonny [mailto:Sonny.Discini@montgomerycountymd.gov]
Sent: Thursday, December 04, 2003 2:24 PM
To: Norman Girard; David Loyd; isp-security@isp-securtiy.com
Cc: full-disclosure@lists.netsys.com
Subject: RE: [Full-Disclosure] Nachi Worm
Actually, if you scan for port 707 and it is open, you can be sure that the box
is infected. This is how we pinpoint Welchia/Nachi infections.
Sonny Discini
Network Security Engineer
Department of Technology Services
Enterprise Infrastructure Division
Montgomery County Government
-----Original Message-----
From: Norman Girard [mailto:ngirard@qualys.com]
Sent: Thursday, December 04, 2003 3:32 PM
To: David Loyd; isp-security@isp-securtiy.com
Cc: full-disclosure@lists.netsys.com
Subject: RE: [Full-Disclosure] Nachi Worm
Dave,
You can scan but only through the registry access. You need to provide the
login credentials of the domain...
-----Original Message-----
From: David Loyd [mailto:2of2@unimatrix01.us]
Sent: Thursday, December 04, 2003 11:53 AM
To: isp-security@isp-securtiy.com
Cc: full-disclosure@lists.netsys.com
Subject: [Full-Disclosure] Nachi Worm
Does anyone know if you can scan for the Nachi worm or the rpc.dcom
vulnerability with Nessus?
Thanks
Dave
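
Added example, not part of any message in this thread: a small triage script that pulls the hosts with TCP 707 open out of a large scan report and groups them by /24, which is the reporting problem raised above for class-B scans. It assumes the scan was saved in Nmap grepable (`-oG`) format rather than as a Nessus report; the sample data and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

NACHI_SHELL_PORT = 707  # port named in the thread

# Constructed sample in Nmap grepable (-oG) format; fields are tab-separated.
SAMPLE_SCAN = """\
# Nmap scan (constructed sample)
Host: 10.20.1.15 ()\tPorts: 135/open/tcp//msrpc///, 707/open/tcp/////\tIgnored State: closed (2)
Host: 10.20.1.16 ()\tPorts: 135/open/tcp//msrpc///, 707/closed/tcp/////
Host: 10.20.7.200 (fs01)\tPorts: 707/open/tcp/////, 445/open/tcp//microsoft-ds///
Host: 10.20.7.201 ()\tPorts: 135/filtered/tcp//msrpc///
Host: 10.20.9.3 ()\tStatus: Up
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\([^)]*\)\s+Ports:\s+(.*?)(?:\t|$)")

def open_hosts(scan_text, port=NACHI_SHELL_PORT):
    """Return sorted IPs whose scan line shows `port`/tcp in state 'open'."""
    hits = set()
    for line in scan_text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comments and "Status:" lines carry no port list
        ip, ports = m.groups()
        for entry in ports.split(","):
            fields = entry.strip().split("/")  # port/state/proto/owner/service/...
            if len(fields) >= 3 and fields[:3] == [str(port), "open", "tcp"]:
                hits.add(ip)
    return sorted(hits, key=ip_address)

def group_by_subnet(ips, prefix=24):
    """Bucket candidate hosts per subnet so a class-B report stays readable."""
    buckets = defaultdict(list)
    for ip in ips:
        buckets[str(ip_network(f"{ip}/{prefix}", strict=False))].append(ip)
    return dict(buckets)

if __name__ == "__main__":
    # Per the thread, the port can differ when 707 was already in use before
    # infection, so a host missing from this list is not thereby cleared.
    for subnet, hosts in group_by_subnet(open_hosts(SAMPLE_SCAN)).items():
        print(f"{subnet}: {len(hosts)} candidate(s): {', '.join(hosts)}")
```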