Исходное сообщение
"Трабла с Безопасностью !!!!" Отправлено Kadr, 13-Окт-03 01:27
Это Nachi worm у тебя на Винбоксах http://vil.nai.com/vil/content/v_100559.htm Ничего что я на Английском выдержку дам? The rash of ping scans we have been seeing are most likely the results  of the Nachi/Welchia worm (see  http://vil.nai.com/vil/content/v_100559.htm and  http://securityresponse.symantec.com/avcenter/venc/data/ w32.welchia.worm.html). Nachi sends out ICMP ECHO_REQUEST packets with  an ip data length of 92 bytes, so I've been using a very simple tcpdump  to detect infected machines: /usr/sbin/tcpdump -n -l -i em0 "icmp[0] = 8 and ip[3] = 92" One other good tool for detecting compromised machines is to look for  computers with port 139 and 445 open, and port 135 closed. Since port  135 is normally open on a default Windows install, finding the  Filesharing ports open but the RPC port closed is often an indicator of  a machine that has been compromised, but where the clever worm then  closes the RPC vulnerability so that it cannot be further exploited. I  use a simple nmap script: nmap -sU -sT -oG - -p 135,139,445 YOUR_IP_RANGE | grep 445 | grep 139 |  grep -v 135 | awk '{print $2,$3}' Note that this is not a perfect scan, as the port 135 only tends to be  closed until the computer is rebooted for the first time after the  machine is compromised. Other good ports to scan for are 69 (tftp),  3221, and 6351 (used by the hale worm  (http://securityresponse.symantec.com/avcenter/venc/data/ backdoor.hale.html)). A quick way to scan for Nachi/Welchia is to look for an open port 707/tcp on a host. I use: nmap -oG - -p 707 your_ip_range | grep 707/open | awk '{print $2, $3}' to detect hosts.

Ваше сообщение
Имя*:
EMail:	Для отправки новых сообщений в текущей нити на email укажите знак ! перед адресом, например, !user@host.ru (!! - не показывать email). Более тонкая настройка отправки ответов производится в профиле зарегистрированного участника форума.
Заголовок*:
Сообщение*:	> Это Nachi worm у тебя на Винбоксах > http://vil.nai.com/vil/content/v_100559.htm > Ничего что я на Английском выдержку дам? > The rash of ping scans we have been seeing are most likely > the results of the Nachi/Welchia worm (see http://vil.nai.com/vil/content/v_100559.htm > and http://securityresponse.symantec.com/avcenter/venc/data/ w32.welchia.worm.html). > Nachi sends out ICMP ECHO_REQUEST packets with an ip data > length of 92 bytes, so I've been using a very simple > tcpdump to detect infected machines: > /usr/sbin/tcpdump -n -l -i em0 "icmp[0] = 8 and ip[3] = 92" > One other good tool for detecting compromised machines is to look for > computers with port 139 and 445 open, and port 135 > closed. Since port 135 is normally open on a default > Windows install, finding the Filesharing ports open but the RPC > port closed is often an indicator of a machine that > has been compromised, but where the clever worm then closes > the RPC vulnerability so that it cannot be further exploited. I > use a simple nmap script: > nmap -sU -sT -oG - -p 135,139,445 YOUR_IP_RANGE | grep 445 | > grep 139 | grep -v 135 | awk '{print $2,$3}' > Note that this is not a perfect scan, as the port 135 > only tends to be closed until the computer is rebooted > for the first time after the machine is compromised. Other > good ports to scan for are 69 (tftp), 3221, and > 6351 (used by the hale worm (http://securityresponse.symantec.com/avcenter/venc/data/ > backdoor.hale.html)). > A quick way to scan for Nachi/Welchia is to look for an > open port 707/tcp on a host. I use: > nmap -oG - -p 707 your_ip_range | grep 707/open | awk '{print > $2, $3}' > to detect hosts.
	Введите код, изображенный на картинке: