What steps are you taking to find out if you have the Conficker worm on your Windows Home Server and network?

  • General discussion

  • Looks like they have found out how to detect the Conficker worm....

    http://www.theregister.co.uk/2009/03/30/conficker_signature_discovery/

    One of the tools that they have suggested to use to check your network is nmap; you can download the beta version, which they have built some Conficker handling into:

    http://nmap.org/download.html


    Download the most current nmap-4.85BETA5-setup.exe

    Install it on one of the client PCs:

    Here are some instructions:

    http://seclists.org/nmap-dev/2009/q1/0869.html

    http://www.doxpara.com/

    Here is the command that I used to check my network of mixed Windows and Linux PCs:


    nmap -sC --script=smb-check-vulns --script-args=safe=1 -p445  -d -PN -n -T4 --min-hostgroup 256 --min-parallelism 64  -oA conficker_scan 192.168.2.*

    (Note: my network is in the range 192.168.2.1 to 192.168.2.255. Yours may be different and you need to change the end of the command line above.)


    Some of the sample results:

    Host 192.168.2.2 appears to be up ... good.
    Scanned at 2009-03-30 19:27:29 Newfoundland Daylight Time for 0s
    Interesting ports on 192.168.2.2:
    PORT    STATE SERVICE      REASON
    445/tcp open  microsoft-ds syn-ack
    MAC Address: 00:1C:C0:8E:41:DC (Intel Corporate)

    Host script results:
    |  smb-check-vulns:
    |  MS08-067: NOT RUN
    |  Conficker: Likely CLEAN
    |_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
    Final times for host: srtt: 0 rttvar: 3750  to: 100000

    Host 192.168.2.11 appears to be up ... good.
    Scanned at 2009-03-30 19:27:29 Newfoundland Daylight Time for 0s
    Interesting ports on 192.168.2.11:
    PORT    STATE SERVICE      REASON
    445/tcp open  microsoft-ds syn-ack
    MAC Address: 00:11:D8:30:D0:52 (Asustek Computer)

    Host script results:
    |  smb-check-vulns:
    |  MS08-067: NOT RUN
    |  Conficker: Likely CLEAN
    |_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
    Final times for host: srtt: 0 rttvar: 3750  to: 100000

    So looks like I am ok....

    What are you doing to check on your networks?
    Monday, March 30, 2009 10:02 PM
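
An added example, not part of the original post: a small Python triage of the normal-format file that the command's -oA conficker_scan option writes (conficker_scan.nmap). The sample text is constructed in the layout shown in the post, and the status names clean, review and no-verdict are this example's own; a host counts as clean only when the script printed "Likely CLEAN".

```python
import re

# Constructed sample in the layout shown in the post; hosts and verdicts are made up.
SAMPLE = """\
Interesting ports on 192.168.2.2:
445/tcp open  microsoft-ds syn-ack
Host script results:
|  smb-check-vulns:
|  MS08-067: NOT RUN
|  Conficker: Likely CLEAN
|_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
Interesting ports on 192.168.2.15:
445/tcp open  microsoft-ds syn-ack
Host script results:
|  smb-check-vulns:
|  Conficker: Likely INFECTED
Interesting ports on 192.168.2.20:
445/tcp open  microsoft-ds syn-ack
"""

HOST_RE = re.compile(r"^Interesting ports on (\S+):$")
VERDICT_RE = re.compile(r"^\|_?\s*Conficker:\s*(.+)$")

def triage(text):
    """Map each scanned host to 'clean', 'review' or 'no-verdict'."""
    status, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            # A host with no Conficker line (e.g. a Samba box) is not proven clean.
            status[current] = "no-verdict"
            continue
        m = VERDICT_RE.match(line)
        if m and current:
            # Any verdict other than the exact clean string goes to manual review.
            status[current] = "clean" if m.group(1) == "Likely CLEAN" else "review"
    return status

def needs_attention(text):
    """Hosts that were scanned but not reported clean."""
    return sorted(h for h, s in triage(text).items() if s != "clean")

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for host, verdict in triage(data).items():
        print(f"{host:<16} {verdict}")
```

Run it with the path to conficker_scan.nmap as the only argument; with no argument it prints the result for the constructed sample.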

All replies

  • <What are you doing to check on your networks?>
    Frankly, nothing.  I keep my machines patched, and try to keep my other users here educated about what to not do.
    MS did patch that vulnerability back in October, after all......

    -Chris


    [If this post helps to resolve your issue, please click the "Mark as Answer" or "Helpful" button at the top of this message. By marking a post as Answered, or Helpful you help others find the answer faster.]
    Tuesday, March 31, 2009 12:28 AM
  • Interesting. I keep my machines patched also, but with Linux, OSX and Windows on the network, plus who knows what comes in on the laptops that have been connected to corporate networks overseas, I am not so confident in Microsoft's patches as to do nothing.

    I prefer to check!
    Tuesday, March 31, 2009 1:19 AM