recording hits on port 445

KpocAlypse

Golden Member
Jan 10, 2001
Anyone know of a freeware utility that will watch and log hits on a PC from port 445 (the DCOM RPC virus port?) Watching LSASS traffic wouldn't be that bad either.

Long story short, I'm fighting SDbot on a fairly large scale. :)
 

InlineFive

Diamond Member
Sep 20, 2003
If you are using the Windows firewall you can log activity. In addition, you could even block the port to help reduce the amount of time required to eliminate the infection.
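The Windows Firewall log mentioned above is a plain text file (pfirewall.log) whose column layout is declared in its own "#Fields:" header. As an added example (not from the thread or from Microsoft), here is a small Python script that reads such a log by column name and tallies inbound TCP hits on port 445 per source address, which is the list you would want when hunting infected machines. The header lines follow the real pfirewall.log layout; the data rows are constructed for the example.

```python
"""Tally inbound port-445 hits per source host from a Windows Firewall log.

Added example; assumes the W3C-style pfirewall.log layout declared in its
own '#Fields:' header, so columns are read by name rather than position.
"""
import collections
import sys

# Constructed sample. The header lines follow the real pfirewall.log layout;
# the data rows are made up for this example.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2004-05-10 09:15:01 DROP TCP 10.1.4.17 10.1.4.200 3391 445 48 S 1234567 0 65535 - - - RECEIVE
2004-05-10 09:15:01 DROP TCP 10.1.4.17 10.1.4.200 3392 445 48 S 1234568 0 65535 - - - RECEIVE
2004-05-10 09:15:02 DROP TCP 10.1.4.17 10.1.4.200 3393 139 48 S 1234569 0 65535 - - - RECEIVE
2004-05-10 09:15:03 OPEN TCP 10.1.4.200 10.1.4.1 1052 80 - - - - - - - - SEND
2004-05-10 09:15:04 DROP TCP 10.1.4.88 10.1.4.200 1027 445 48 S 7654321 0 16384 - - - RECEIVE
2004-05-10 09:15:05 DROP UDP 10.1.4.17 10.1.4.255 137 137 78 - - - - - - - RECEIVE
"""


def parse_firewall_log(text):
    """Yield one dict per data row, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data row appears before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip a truncated row instead of misaligning columns
        yield dict(zip(fields, values))


def port_hits(text, port="445"):
    """Count inbound TCP packets to `port` per source IP -> Counter."""
    hits = collections.Counter()
    for rec in parse_firewall_log(text):
        if (rec["protocol"] == "TCP" and rec["dst-port"] == port
                and rec["path"] == "RECEIVE"):
            hits[rec["src-ip"]] += 1
    return hits


def noisy_sources(hits, threshold=2):
    """Source IPs with at least `threshold` hits, busiest first."""
    ranked = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    return [ip for ip, n in ranked if n >= threshold]


if __name__ == "__main__":
    # Usage: python tally445.py C:\WINDOWS\pfirewall.log  (no argument = sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    hits = port_hits(text)
    for ip in noisy_sources(hits, threshold=1):
        print(f"{ip:15s} {hits[ip]:5d} hit(s) on tcp/445")
```

Two things to check on the logging machine first: "Log dropped packets" has to be turned on in the firewall's logging settings, and the File and Printer Sharing exception has to be off, otherwise connections to 445 are accepted rather than dropped and never reach the log. Rows whose column count does not match the header (a partially written line at the tail of a live log, for instance) are skipped rather than misread.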
 

KpocAlypse

Golden Member
Jan 10, 2001
Yeah, my problem comes down to 3k PCs that are not under our direct control; some know what Windows Update is, some don't. So Sdbot is getting quite plentiful. My thought was just taking a laptop, installing some sort of application that will watch for hits on that port, and sitting it on a VLAN for 20-30 minutes.

And it's driving our NBAR implementation nuts.

EDIT: Snort was my first guess, but I was hoping for something a bit, well, idiot proof.
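The "laptop on the VLAN that watches for hits" idea needs nothing more than a listener that accepts each connection to port 445, writes down who connected and when, and closes it again. The following Python script is an added example written for this thread, not a tool the posters mention. It never speaks SMB, so the worm gets no further than a TCP handshake, and it assumes nothing else on the host has port 445 bound (a Windows host normally holds 445 in the kernel for its own SMB server, so a non-Windows laptop, or one with SMB disabled, is the practical choice). The `probe()` helper is only there so the recorder can be exercised against itself on loopback.

```python
"""Record TCP connection attempts to a port (445 by default) by source and time.

Added example. It accepts and immediately closes each connection, so it
never speaks SMB; it only records who knocked. Assumes nothing else on the
host has the port bound (on Windows the kernel's SMB server normally does).
"""
import socket
import threading
import time
from collections import Counter
from datetime import datetime


class HitRecorder:
    def __init__(self, host="0.0.0.0", port=445):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(128)
        self.sock.settimeout(0.2)               # lets the accept loop notice stop()
        self.port = self.sock.getsockname()[1]  # actual port (matters when port=0)
        self.hits = []                          # (timestamp, src_ip, src_port)
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._thread = None

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, (ip, sport) = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break                           # socket closed underneath us
            conn.close()                        # the connection itself is all we want
            with self._lock:
                self.hits.append((datetime.now().isoformat(timespec="seconds"), ip, sport))

    def start(self):
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        if self._thread:
            self._thread.join()
        self.sock.close()

    def wait_for(self, n, timeout=5.0):
        """Block until at least n hits are recorded or timeout; return success."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.hits) >= n:
                    return True
            time.sleep(0.05)
        return False

    def sources(self):
        """Hits per source IP, as a plain dict."""
        with self._lock:
            return dict(Counter(ip for _, ip, _ in self.hits))

    def log_lines(self):
        """One CSV line per hit: timestamp,src_ip,src_port."""
        with self._lock:
            return [f"{ts},{ip},{sport}" for ts, ip, sport in self.hits]


def probe(port, count, host="127.0.0.1"):
    """Open and close `count` connections to host:port (self-test helper)."""
    for _ in range(count):
        with socket.create_connection((host, port), timeout=2):
            pass
    return count


if __name__ == "__main__":
    rec = HitRecorder().start()
    print(f"listening on tcp/{rec.port}; Ctrl-C to stop")
    try:
        seen = 0
        while True:
            time.sleep(1)
            lines = rec.log_lines()
            for line in lines[seen:]:
                print(line)
            seen = len(lines)
    except KeyboardInterrupt:
        rec.stop()
        for ip, n in sorted(rec.sources().items(), key=lambda kv: -kv[1]):
            print(f"{ip:15s} {n} hit(s)")
```

Left running for the 20-30 minutes described above, the per-source summary printed at the end is the list of hosts on that VLAN that are actively probing 445, which is usually a shorter and more useful list than the raw hit log. Binding needs root or administrator privilege on most systems because 445 is a low port.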
 

InlineFive

Diamond Member
Sep 20, 2003
If it's 3k PCs I would hope that the admins had better control over them; 3k administrator accounts is a bad thing.

If they had managed switches I would tell the switches to block all 445 traffic. Period. This would stop it from spreading any more once you clean a PC.
Get a good anti-malware solution from someone like Trend.
 

spidey07

No Lifer
Aug 4, 2000
Originally posted by: PorBleemo
If it's 3k PCs I would hope that the admins had better control over them; 3k administrator accounts is a bad thing.

If they had managed switches I would tell the switches to block all 445 traffic. Period. This would stop it from spreading any more once you clean a PC.
Get a good anti-malware solution from someone like Trend.

And probably break a whole bunch of stuff in the process. Windows needs 445.

There are scanners out there to see what machines have and haven't been patched.

iss.net makes a good one (retina) and even microsoft has a scanner for that vulnerability I believe.
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: spidey07
Originally posted by: PorBleemo
If it's 3k PCs I would hope that the admins had better control over them; 3k administrator accounts is a bad thing.

If they had managed switches I would tell the switches to block all 445 traffic. Period. This would stop it from spreading any more once you clean a PC.
Get a good anti-malware solution from someone like Trend.

And probably break a whole bunch of stuff in the process. Windows needs 445.

There are scanners out there to see what machines have and haven't been patched.

iss.net makes a good one (retina) and even microsoft has a scanner for that vulnerability I believe.

The more I use them the less and less I like vulnerability scanners.