That's the Nachi worm on your Windows boxes.
http://vil.nai.com/vil/content/v_100559.htm
Is it OK if I give you the excerpt in English?
The rash of ping scans we have been seeing is most likely the result of the Nachi/Welchia worm (see http://vil.nai.com/vil/content/v_100559.htm and http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html). Nachi sends out ICMP ECHO_REQUEST packets with an ip data length of 92 bytes, so I've been using a very simple tcpdump to detect infected machines:
/usr/sbin/tcpdump -n -l -i em0 "icmp[0] = 8 and ip[3] = 92"
One other good tool for detecting compromised machines is to look for computers with port 139 and 445 open, and port 135 closed. Since port 135 is normally open on a default Windows install, finding the Filesharing ports open but the RPC port closed is often an indicator of a machine that has been compromised, but where the clever worm then closes the RPC vulnerability so that it cannot be further exploited. I use a simple nmap script:
nmap -sU -sT -oG - -p 135,139,445 YOUR_IP_RANGE | grep 445 | grep 139 | grep -v 135 | awk '{print $2,$3}'
Note that this is not a perfect scan, as the port 135 only tends to be closed until the computer is rebooted for the first time after the machine is compromised. Other good ports to scan for are 69 (tftp), 3221, and 6351 (used by the hale worm (http://securityresponse.symantec.com/avcenter/venc/data/backdoor.hale.html)).
A quick way to scan for Nachi/Welchia is to look for an open port 707/tcp on a host. I use:
nmap -oG - -p 707 your_ip_range | grep 707/open | awk '{print $2, $3}'
to detect hosts.
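The three indicators from the excerpt (the ICMP length filter, the 139/445-open-but-135-closed pattern, and port 707/tcp) as an added Python example; this is not the poster's code. The packet builder and the nmap -oG lines are constructed samples, the IP addresses are placeholders, and the check goes slightly beyond the tcpdump filter by comparing the full IPv4 total length rather than its low byte.

```python
import struct

def is_nachi_ping(packet: bytes) -> bool:
    # Equivalent of tcpdump "icmp[0] = 8 and ip[3] = 92". Note ip[3] is only the
    # low byte of the IPv4 total length, so that filter also matches e.g. 348
    # (0x015C); here the full 16-bit field is compared.
    if len(packet) < 28 or packet[0] >> 4 != 4:
        return False
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 1 or len(packet) <= ihl:       # IP protocol 1 = ICMP
        return False
    return packet[ihl] == 8 and total_len == 92    # echo request, 20 + 8 + 64
def build_echo(payload_len: int = 64, icmp_type: int = 8) -> bytes:
    # Constructed IPv4 + ICMP echo packet; checksums left zero (not checked here).
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + b"\xaa" * payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1]))
    return ip + icmp
def parse_grepable(text: str) -> dict:
    # Map host IP -> {(port, proto): state} from nmap -oG "Host: ... Ports: ..." lines.
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        states = {}
        for entry in line.split("Ports:", 1)[1].split("\t", 1)[0].split(","):
            f = entry.strip().split("/")           # port/state/proto/owner/service/...
            if len(f) >= 3 and f[0].isdigit():
                states[(int(f[0]), f[2])] = f[1]
        hosts[line.split()[1]] = states
    return hosts
def suspect_hosts(grepable_text: str) -> dict:
    # Port heuristics from the post, without the grep chain's "135 anywhere" problem.
    flagged = {}
    for ip, st in parse_grepable(grepable_text).items():
        reasons = []
        if st.get((707, "tcp")) == "open":
            reasons.append("707/tcp open")
        if (st.get((139, "tcp")) == "open" and st.get((445, "tcp")) == "open"
                and st.get((135, "tcp")) == "closed"):
            reasons.append("139/445 open, 135 closed")
        if reasons:
            flagged[ip] = reasons
    return flagged
SAMPLE_NMAP = """# constructed sample of nmap -oG output, not a real scan
Host: 192.0.2.10 ()\tPorts: 135/closed/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 707/open/tcp//unknown///
Host: 192.0.2.11 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 707/closed/tcp//unknown///
"""
```

Feed `is_nachi_ping` raw frames with the Ethernet header stripped, and `suspect_hosts` the text of `nmap -oG -` run over your range.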