Koozali.org: home of the SME Server

what logs should I check for conficker activity

mazkot
what logs should I check for conficker activity
« on: May 04, 2009, 10:17:41 AM »
Hi,

One of our remote sites had 3 PCs affected by Conficker via USB.

It has an SME 7.4 running as:
- DHCP server
- File server
- Proxy server
Installed:
- Dansguardian

Aside from the dansguardian, squid and qpsmtpd logs, what logs should I also check?

We have already disabled all USB ports for added security.

Thanks

jester
Re: what logs should I check for conficker activity
« Reply #1 on: May 04, 2009, 12:13:30 PM »
Don't know about the logs, but if you download Nmap you can scan your network for infected PCs (see the Conficker announcement on the front page for info).

HTH.

chris burnat
Re: what logs should I check for conficker activity
« Reply #2 on: May 04, 2009, 12:33:08 PM »
> Don't know about the logs, but if you download Nmap you can scan your network for infected PCs (see the Conficker announcement on the front page for info).
> HTH.

Go to the command line of your SME server and type:
Code:
[root@mysmeserver ~]# nmap
It is already installed on SME.

Also check the manpages:
Code:
[root@mysmeserver ~]# man nmap
- chris
If it does not work out of the box, please fill in a Bug Report @ Bugzilla (http://bugs.contribs.org)  - check: http://wiki.contribs.org/Bugzilla_Help .  Thanks.

jester
Re: what logs should I check for conficker activity
« Reply #3 on: May 04, 2009, 03:09:52 PM »
Hmmm... I don't think Nmap is installed in SME by default.

chris burnat
Re: what logs should I check for conficker activity
« Reply #4 on: May 04, 2009, 07:07:50 PM »
> Hmmm... I don't think Nmap is installed in SME by default.

You are correct; you need to install it with yum from the Base repository:
Code:
[root@test8 ~]# yum list available | grep nmap
nmap.i386                                2:4.11-1.1                   base     
nmap-frontend.i386                       2:4.11-1.1                   base     
- chris

Stefano
Re: what logs should I check for conficker activity
« Reply #5 on: May 04, 2009, 09:14:44 PM »
> You are correct, you need to install with yum from the Base repository:
> Code:
> [root@test8 ~]# yum list available | grep nmap
> nmap.i386                                2:4.11-1.1                   base
> nmap-frontend.i386                       2:4.11-1.1                   base

Mmmhhh... Chris... you are showing the available version for SME8, aren't you?

because on a server of mine (SME 7.4) I see:

Code:
[root@e-smith ~]# yum list available | grep nmap
nmap.i386                                2:3.70-1               base           
nmap-frontend.i386                       2:3.70-1               base   

Ciao
Stefano

cactus
Re: what logs should I check for conficker activity
« Reply #6 on: May 04, 2009, 09:27:02 PM »
> Hmmm... I don't think Nmap is installed in SME by default.

True, AFAIK nmap is not part of the base installation. You can however install it like this:
Code:
yum install nmap
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

janet
Re: what logs should I check for conficker activity
« Reply #7 on: May 05, 2009, 02:37:27 AM »
chris burnat & others

What's the point of installing nmap on SME re the Conficker virus?

From what I read, Conficker is a Windows virus attacking specific vulnerabilities in Windows OSes. Surely it's the Windows PC that needs virus software installed.
See http://en.wikipedia.org/wiki/Conficker and many other sites.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

chris burnat
Re: what logs should I check for conficker activity
« Reply #8 on: May 05, 2009, 04:18:29 AM »
> chris burnat & others
>
> What's the point of installing nmap on SME re the Conficker virus?
>
> From what I read, Conficker is a Windows virus attacking specific vulnerabilities in Windows OSes. Surely it's the Windows PC that needs virus software installed.
> See http://en.wikipedia.org/wiki/Conficker and many other sites.

nmap is not virus software, but I am sure you know this. With nmap, one can scan remote machines and check which ports are open. Checking what is happening with ports on a network is good practice. For example, checking workstations by o/s and keeping records of nmap output can be very useful if and when strange happenings take place. Having nmap on SME is thus a good idea. Mind you, the version shipped from the Base repo is a bit old; it does not appear to support the --script argument, for example. An update would not go astray; I have not looked into this yet.


- chris

chris burnat
Re: what logs should I check for conficker activity
« Reply #9 on: May 05, 2009, 04:36:02 AM »
As an illustration, I just installed the latest nmap (4.85beta) on sme8:
Code:
[root@test8 ~]# rpm -vhU http://nmap.org/dist/nmap-4.85BETA8-1.i386.rpm
Retrieving http://nmap.org/dist/nmap-4.85BETA8-1.i386.rpm
Preparing...                ########################################### [100%]
   1:nmap                   ########################################### [100%]

And tested for Conficker on a WinXP workstation on the network (not done yet for 7.4):

Code:
[root@test8 ~]# nmap -PN -T4 -p139,445 -n -v --script smb-check-vulns,smb-os-discovery --script-args safe=1 192.168.0.6

Starting Nmap 4.85BETA8 ( http://nmap.org ) at 2009-05-05 12:28 EST
NSE: Loaded 2 scripts for scanning.
Initiating ARP Ping Scan at 12:28
Scanning 192.168.0.6 [1 port]
Completed ARP Ping Scan at 12:28, 0.01s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 12:28
Scanning 192.168.0.6 [2 ports]
Discovered open port 445/tcp on 192.168.0.6
Discovered open port 139/tcp on 192.168.0.6
Completed SYN Stealth Scan at 12:28, 0.01s elapsed (2 total ports)
NSE: Script scanning 192.168.0.6.
NSE: Starting runlevel 1 scan
Initiating NSE at 12:28
Completed NSE at 12:28, 0.09s elapsed
NSE: Starting runlevel 2 scan
Initiating NSE at 12:28
Completed NSE at 12:28, 0.17s elapsed
NSE: Script Scanning completed.
Host 192.168.0.6 is up (0.00071s latency).
Interesting ports on 192.168.0.6:
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:11:11:24:F9:5B (Intel)

Host script results:
|  smb-os-discovery: Windows XP
|  LAN Manager: Windows 2000 LAN Manager
|  Name: ROZELLE\DAW
|_ System time: 2009-05-05 12:28:44 UTC+10
|  smb-check-vulns: 
|  MS08-067: Check disabled (remove 'safe=1' argument to run)
|  Conficker: Likely CLEAN
|_ regsvc DoS: Check disabled (add --script-args=unsafe=1 to run)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.80 seconds
           Raw packets sent: 3 (130B) | Rcvd: 3 (130B)


- chris
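Chris suggests keeping records of nmap output so that odd results stand out later. The following script is an added example and not part of this thread or of nmap; it parses nmap's normal output (the format shown in the scan above) and pulls out the per-host `smb-check-vulns` verdicts so a batch scan of a subnet can be summarised without reading every block by hand. It recognises the nmap 4.x "Interesting ports on X:" host header used in the thread and, as an assumption going beyond the thread, the "Nmap scan report for X" header that later nmap releases print. The embedded sample output is constructed from the run above; the second host's "Likely INFECTED" line and the third host with closed ports are constructed additions, not captured output. Hosts that produced no Conficker line at all (ports closed, script never ran) are reported as "NOT CHECKED" rather than being mistaken for clean.

```python
import re
import sys
from typing import Dict, List, Optional

# Constructed sample: nmap normal output for three hosts, modelled on the
# 4.85BETA8 run posted in this thread.  Host .7's "Likely INFECTED" verdict
# and host .8 (ports closed) are constructed, not captured from real machines.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 4.85BETA8 ( http://nmap.org ) at 2009-05-05 12:28 EST
Host 192.168.0.6 is up (0.00071s latency).
Interesting ports on 192.168.0.6:
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|  smb-os-discovery: Windows XP
|  LAN Manager: Windows 2000 LAN Manager
|  Name: ROZELLE\\DAW
|_ System time: 2009-05-05 12:28:44 UTC+10
|  smb-check-vulns: 
|  MS08-067: Check disabled (remove 'safe=1' argument to run)
|  Conficker: Likely CLEAN
|_ regsvc DoS: Check disabled (add --script-args=unsafe=1 to run)

Host 192.168.0.7 is up (0.00080s latency).
Interesting ports on 192.168.0.7:
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|  smb-os-discovery: Windows XP
|  smb-check-vulns: 
|  MS08-067: Check disabled (remove 'safe=1' argument to run)
|  Conficker: Likely INFECTED
|_ regsvc DoS: Check disabled (add --script-args=unsafe=1 to run)

Host 192.168.0.8 is up (0.00050s latency).
Interesting ports on 192.168.0.8:
PORT    STATE  SERVICE
139/tcp closed netbios-ssn
445/tcp closed microsoft-ds

Nmap done: 3 IP addresses (3 hosts up) scanned in 2.10 seconds
"""

# nmap 4.x prints "Interesting ports on X:"; nmap 5+ prints "Nmap scan report for X"
# (the latter header is an assumption, not something shown in the thread).
HOST_RE = re.compile(r"^(?:Interesting ports on|Nmap scan report for) (.+?):?$")
# NSE output lines look like "|  Key: value" or "|_ Key: value".
SCRIPT_LINE_RE = re.compile(r"^\|[_ ]\s*([^:]+):\s*(.*)$")


def parse_host_scripts(text: str) -> Dict[str, Dict[str, str]]:
    """Return {host: {script_field: value}} from nmap normal output.

    A new host block starts at each host header; only the "|"-prefixed
    script result lines inside a block are kept, everything else is ignored.
    """
    results: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            results[current] = {}
            continue
        if current is None:
            continue
        s = SCRIPT_LINE_RE.match(line)
        if s:
            results[current][s.group(1).strip()] = s.group(2).strip()
    return results


def conficker_status(text: str) -> Dict[str, str]:
    """Map each scanned host to its smb-check-vulns Conficker verdict.

    Hosts with no Conficker line (SMB ports closed, script did not run) are
    labelled NOT CHECKED so they are never silently counted as clean.
    """
    return {host: fields.get("Conficker", "NOT CHECKED")
            for host, fields in parse_host_scripts(text).items()}


def hosts_needing_attention(text: str) -> List[str]:
    """Hosts whose verdict is anything other than a CLEAN result."""
    return sorted(host for host, verdict in conficker_status(text).items()
                  if not verdict.upper().endswith("CLEAN"))


if __name__ == "__main__":
    # Usage: python conficker_summary.py [saved-nmap-output.txt]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP_OUTPUT
    for host, verdict in conficker_status(text).items():
        print(f"{host:15s} {verdict}")
    print("Needs attention:", hosts_needing_attention(text))
```

Save the output of the scan shown above with `-oN` (or redirect it to a file) and pass the file as the first argument; the summary lists every host with its verdict and then the hosts that are either flagged or were never actually checked, which is the list worth following up on at the workstation.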

janet
Re: what logs should I check for conficker activity
« Reply #10 on: May 05, 2009, 06:59:32 AM »
chris burnat

OK I see the point now. Thanks for the "pointers".

CharlieBrady
Re: what logs should I check for conficker activity
« Reply #11 on: May 05, 2009, 04:29:57 PM »
> Checking what is happening with ports on a network is good practice.

Perhaps it is, but so is handwashing.

Does nmap detect conficker activity? If so, which version, and how must it be used to do so?

janet
Re: what logs should I check for conficker activity
« Reply #12 on: May 05, 2009, 07:02:34 PM »

CharlieBrady
Re: what logs should I check for conficker activity
« Reply #13 on: May 05, 2009, 07:25:38 PM »
> Does nmap detect conficker activity?

And even if it can, are there easier ways for folk to detect and clean infected Windows boxen?

janet
Re: what logs should I check for conficker activity
« Reply #14 on: May 05, 2009, 07:39:15 PM »
Charlie

Here's one proprietary brand, with a link to download a removal tool:
http://www.symantec.com/norton/support/kb/web_view.jsp?wv_type=public_web&docurl=20090331164714EN&selected_nav=partner

I'm sure other AVs have their versions of removal tools.
