Sometimes we have to protect our networks from nasties; Conficker may be one of those, yet to be determined.
However, better prepared than not. Conficker is of course a "Windows" worm, but having a Linux machine available to scan the network is of course "A Good Thing".
My quick rundown on finding this bugger on your network:
Download nmap 4.85BETA5
http://download.insecure.org/nmap-dist/ … A5.tar.bz2
bzip2 -cd nmap-4.85BETA5.tar.bz2 | tar xvf -
cd nmap-4.85BETA5
./configure
make
su root
make install
To scan for Conficker, use a command such as:
nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]
http://download.insecure.org/nmap-dist/
How to use Nmap to scan very large networks for Conficker: http://seclists.org/nmap-dev/2009/q1/0869.html
I highlighted the "interesting" sections you should look for on your scans in red.
Nmap version 4.85BETA5 ( http://nmap.org )
$ /usr/local/bin/nmap -sC --script=smb-check-vulns --script-args=safe=1 -p4
> -d -PN -n -T4 --min-hostgroup 256 --min-parallelism 64 \
> -oA conficker_scan 192.168.1.1-24
Warning: You specified a highly aggressive --min-hostgroup.
Starting Nmap 4.85BETA5 ( http://nmap.org ) at 2009-03-31 10:16 CDT
--------------- Timing report ---------------
hostgroups: min 256, max 100000
rtt-timeouts: init 500, min 100, max 1250
max-scan-delay: TCP 10, UDP 1000
parallelism: min 64, max 64
max-retries: 6, host-timeout: 0
min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Connect Scan at 10:16
Scanning 24 hosts [1 port/host]
Discovered open port 445/tcp on 192.168.1.5
Increased max_successful_tryno for 192.168.1.5 to 1 (packet drop)
Completed Connect Scan at 10:16, 0.20s elapsed (24 total ports)
Overall sending rates: 223.92 packets / s.
NSE: Initiating script scanning.
NSE: Script scanning 24 hosts.
NSE: Initialized 1 rules
NSE: Matching rules.
NSE: Running scripts.
NSE: Runlevel: 2.000000
Initiating NSE at 10:16
Running 1 script threads:
NSE (0.397s): Starting smb-check-vulns against 192.168.1.5.
NSE: SMB: Extended login as \guest failed (NT_STATUS_NO_LOGON_SERVERS)
NSE: SMB: Extended login as \<blank> succeeded
NSE (3.026s): Finished smb-check-vulns against 192.168.1.5.
Completed NSE at 10:16, 2.63s elapsed
NSE: Script scanning completed.
Host 192.168.1.1 appears to be up ... good.
Scanned at 2009-03-31 10:16:26 CDT for 0s
Interesting ports on 192.168.1.1:
PORT STATE SERVICE REASON
445/tcp closed microsoft-ds conn-refused
Final times for host: srtt: 1317 rttvar: 5000 to: 100000
Host 192.168.1.2 appears to be up ... good.
Scanned at 2009-03-31 10:16:26 CDT for 1s
Interesting ports on 192.168.1.2:
PORT STATE SERVICE REASON
445/tcp filtered microsoft-ds no-response
Final times for host: srtt: -1 rttvar: -1 to: 500000
Host 192.168.1.3 appears to be up ... good.
Scanned at 2009-03-31 10:16:26 CDT for 0s
Interesting ports on 192.168.1.3:
PORT STATE SERVICE REASON
445/tcp closed microsoft-ds conn-refused
Final times for host: srtt: 565 rttvar: 5000 to: 100000
Host 192.168.1.4 appears to be up ... good.
Scanned at 2009-03-31 10:16:26 CDT for 1s
Interesting ports on 192.168.1.4:
PORT STATE SERVICE REASON
445/tcp filtered microsoft-ds no-response
Final times for host: srtt: -1 rttvar: -1 to: 500000
Host 192.168.1.5 appears to be up ... good.
Scanned at 2009-03-31 10:16:26 CDT for 3s
Interesting ports on 192.168.1.5:
PORT STATE SERVICE REASON
445/tcp open microsoft-ds syn-ack
Host script results:
| smb-check-vulns:
| MS08-067: NOT RUN
| Conficker: Likely CLEAN
|_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
Final times for host: srtt: 3977 rttvar: 5000 to: 100000
Host 192.168.1.6 appears to be up ... good.
Scanned at 2009-03-31 10:16:26 CDT for 0s
Interesting ports on 192.168.1.6:
PORT STATE SERVICE REASON
445/tcp closed microsoft-ds conn-refused
Final times for host: srtt: 1728 rttvar: 5000 to: 100000
Host 192.168.1.7 appears to be up ... good.
Scanned at 2009-03-31 10:16:26 CDT for 1s
Interesting ports on 192.168.1.7:
PORT STATE SERVICE REASON
445/tcp filtered microsoft-ds no-response
Final times for host: srtt: -1 rttvar: -1 to: 500000
Edit: Interesting timeline of Conficker: http://lastwatchdog.com/evolution-confi … ning-worm/
Last edited by crouse (2009-03-31 20:35:03)
If you're scanning a lot of hosts, you can grep -i for either 'conficker' or 'infected' to just get the juicy details.
bzip2 -cd nmap-4.85BETA5.tar.bz2 | tar xvf -
cd nmap-4.85BETA5
./configure
make
su root
make install
NO! Please do not give out bad advice like this. All it takes is to get the PKGBUILD from abs, bump the pkgver to 4.85BETA5, change the source to use .tar.bz2 instead of .tgz, update the md5sums, then makepkg, and all works. Do NOT manually compile it.
Also, I've mailed the updated PKGBUILD to huge, so hopefully we should see a new version in repos soon.
Not necessarily bad advice; there's nothing wrong with doing that if you understand what you're doing.
In this case, it goes to /usr/local by default and won't conflict with anything. A make uninstall usually gets rid of it.
No need to install though, just run ./nmap from the built src directory.
Daenyth, Conficker wasn't as much of a threat as previously thought, but if it had been, your repo solution would have been too late to do much good.
fukawi2 --- grep -i wouldn't show much... just clean or infected, not the IPs.
grep -B 10 "Conficker" < results
would actually show what you needed from any machines that had hits.
Last edited by crouse (2009-04-03 04:56:58)
fukawi2 --- grep -i wouldn't show much... just clean or infected, not the IPs.
You must get different output to me.
# nmap --script=smb-check-vulns --script-args=safe=1 -p445 -PN -d 192.168.0.0/24 | grep Conficker
| Conficker: 192.168.0.1 Likely INFECTED
| Conficker: 192.168.0.2 Likely CLEAN
| Conficker: 192.168.0.3 Likely INFECTED
| Conficker: 192.168.0.4 Likely INFECTED
| Conficker: 192.168.0.5 Likely INFECTED
| Conficker: 192.168.0.6 Likely INFECTED
| Conficker: 192.168.0.7 Likely INFECTED
| Conficker: 192.168.0.8 Likely INFECTED
| Conficker: 192.168.0.9 Likely INFECTED
Last edited by fukawi2 (2009-04-03 06:24:34)
Yes I did, my output is shown above.
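The grep exchange above shows why the IP matters: a bare grep only lists hosts where the script actually ran. Here is an added example (not from any poster in this thread) that turns nmap 4.85 normal output into one line per host and reports hosts whose 445/tcp was closed or filtered (so the check never ran) as UNKNOWN rather than dropping them; it assumes the output format shown in the thread, and the sample data is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): summarise nmap 4.85 smb-check-vulns
# output per host. Hosts whose 445/tcp was closed or filtered never had the
# check run, so they are reported as UNKNOWN instead of being silently
# dropped, which is what a bare "grep Conficker" would do.
# Usage: nmap ... -oN results.txt && conficker_report < results.txt

conficker_report() {
    awk '
    function flush() {
        if (host != "") printf "%-15s 445/tcp %-9s %s\n", host, port, verdict
    }
    # "Host 192.168.1.5 appears to be up" opens a new host record, even when
    # the line was fused onto the previous one ("... to: 100000Host ...")
    match($0, /Host [0-9.]+ appears to be up/) {
        flush()
        host = substr($0, RSTART + 5, RLENGTH - 22)
        port = "?"; verdict = "UNKNOWN (check not run)"
    }
    /^445\/tcp / { port = $2 }
    /Conficker:/ {
        v = $0; sub(/.*Conficker: */, "", v)
        # some builds print the IP on the verdict line itself; honour it
        if (match(v, /^[0-9.]+ /)) {
            ip = substr(v, 1, RLENGTH - 1); v = substr(v, RLENGTH + 1)
            if (host != ip) { flush(); host = ip; port = "open" }
        }
        verdict = v
    }
    END { flush() }'
}

# Constructed sample in the thread's output format (not real scan data)
SAMPLE='Host 192.168.1.4 appears to be up ... good.
Interesting ports on 192.168.1.4:
PORT    STATE    SERVICE      REASON
445/tcp filtered microsoft-ds no-response
Host 192.168.1.5 appears to be up ... good.
Interesting ports on 192.168.1.5:
PORT    STATE    SERVICE      REASON
445/tcp open     microsoft-ds syn-ack
Host script results:
|  smb-check-vulns:
|  Conficker: Likely CLEAN
| Conficker: 192.168.0.3 Likely INFECTED'

demo() { printf '%s\n' "$SAMPLE" | conficker_report; }
demo
```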
Daenyth, Conficker wasn't as much of a threat as previously thought, but if it had been, your repo solution would have been too late to do much good.
FYI crouse - daenyth didn't suggest a "repo solution", he simply advised building an Arch package instead of installing directly from source. It's not going to take any longer than your suggestion, and in general, packages are preferred over source installs on systems with effective package management.
I simply meant that the "official" PKGBUILD was going to be too late for scanning at that point. Sorry Daenyth, I didn't word that very well at all though. What I get for staying up too late.
# nmap --script=smb-check-vulns --script-args=safe=1 -p445 -PN -d 192.168.0.0/24
Command I used at work:
nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]
*shrug* Not sure if port 139 is needed, but that is another port for SMB networking, and it was referenced in the nmap changelog.
http://nmap.org/changelog.html
Nmap 4.85BETA5 [2009-03-30]
o Ron (in just a few hours of furious coding) added remote detection
of the Conficker worm to smb-check-vulns. It is based on new
research by Tillmann Werner and Felix Leder. You can scan your
network for Conficker with a command like: nmap -PN -T4 -p139,445 -n
-v --script=smb-check-vulns --script-args safe=1 [targetnetworks]