Author Topic: New version of Stubler?


deck7uk

  • Guest
New version of Stubler?
« on: June 24, 2004, 10:31:24 AM »
Hi people,

At our company we have been experiencing some very odd problems recently. All of our desktops (approx 70) are protected by Panda (latest adminsecure/clientshield combo) and all our laptops (10) are protected by Avast.

This week we had an outbreak of sdbot on the desktops and a few occurrences of sasser and something called trojan.gen on the laptops. How these got past avast/panda is a bit odd. We have also been having network problems. Specifically a whole lot of what appears to be random port scanning on ports we would not normally use. We are positive this is coming from somewhere internally and have gone to the extent of moving down to only using one switch with no access to the outside world... i.e. turned off the router! We have also cut off every machine and brought them on one by one to try and catch the wee blighter, but as we discovered it does not start straight away all the time and so we were unable to identify the host machine.

Does anybody have any suggestions of where/how to catch and stop this activity... if it is not a variant of stumbler... anyone have any other thoughts?

Any help is much appreciated.

Thanks.

Chris

deck7uk

  • Guest
Re:New version of Stubler?
« Reply #1 on: June 24, 2004, 10:32:00 AM »
sorry, title should have said "New version of Stumbler?"

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:New version of Stubler?
« Reply #2 on: June 24, 2004, 11:41:07 AM »
If you use a router, why not try to block the scanned ports? And what do you call
"Stumbler"? Identify the ports and take a look on the desktops at which program uses these ports. You could use http://www.sysinternals.com/ntw2k/source/tcpview.shtml for that. If you can identify the file, send it to Avast or Panda......

But as always, using a clean backup is recommended.....
MfG Ralf

deck7uk

  • Guest
Re:New version of Stubler?
« Reply #3 on: June 24, 2004, 11:51:03 AM »
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci911816,00.html

this is where I read about stumbler.

The fact that the port scanning seems random and the scans appear to come from ever changing places (spoofed most likely) makes it difficult to narrow down.

whocares

  • Guest
Re:New version of Stubler?
« Reply #4 on: June 24, 2004, 12:10:49 PM »
How about applying all Windows updates?
and best changing all passwords (at least definitely for those PCs that got infected or did initiate port scans..!!! )

What OS/Win-Versions are used anyway ?? ;)

deck7uk

  • Guest
Re:New version of Stubler?
« Reply #5 on: June 24, 2004, 12:22:09 PM »
nearly all are WinXP Pro... a couple of NT/WinME versions. All are up to date and all AV software is up to date.

all servers are running SuSE Linux (varying versions from 8 - 9.1).

the problem with identifying the machines is that the IP from which the scan comes keeps changing..... and it even comes from/scans IPs that don't exist... very odd!

thanks for the info though.
« Last Edit: June 24, 2004, 01:00:17 PM by deck7uk »
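One defender-side way to chase the kind of spoofed-source scanning described in this thread, as an added example that is not part of the thread: it groups a packet capture summary by source MAC address rather than source IP, since the IP changes per packet while the layer-2 address the switch sees does not, and flags MACs that hit many ports/hosts or claim addresses outside the local network. The packet records and the 192.168.1.0/24 network are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed packet summaries (src MAC, src IP, dst IP, dst port), as they
# might be exported from a capture on a switch mirror port. Not real data.
SAMPLE_PACKETS = [
    ("00:11:22:33:44:01", "192.168.1.10",  "192.168.1.20", 80),
    ("00:11:22:33:44:01", "192.168.1.10",  "192.168.1.20", 445),
    ("00:11:22:33:44:07", "10.99.3.4",     "192.168.1.77", 1025),
    ("00:11:22:33:44:07", "172.16.8.9",    "192.168.1.78", 1026),
    ("00:11:22:33:44:07", "192.168.1.250", "192.168.1.79", 1027),
    ("00:11:22:33:44:07", "203.0.113.5",   "192.168.1.80", 1028),
    ("00:11:22:33:44:07", "192.168.1.251", "192.168.1.81", 1029),
    ("00:11:22:33:44:07", "10.99.3.4",     "192.168.1.82", 1030),
    ("00:11:22:33:44:02", "192.168.1.11",  "192.168.1.1",  53),
]

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN range

def suspects(packets, local_net=LOCAL_NET, threshold=5):
    """Return a dict of source MACs that look like scanners.

    Traffic is keyed on the source MAC, not the source IP: a host that
    forges its IP per packet still sends every frame from the same NIC,
    so the MAC (and the switch port behind it) is what identifies it.
    A MAC is reported if it touched >= threshold distinct ports or hosts,
    claimed more than one source IP, or claimed an IP outside local_net.
    """
    stats = defaultdict(lambda: {"ports": set(), "dsts": set(),
                                 "src_ips": set(), "foreign": 0})
    for mac, src_ip, dst_ip, dport in packets:
        s = stats[mac]
        s["ports"].add(dport)
        s["dsts"].add(dst_ip)
        s["src_ips"].add(src_ip)
        if ipaddress.ip_address(src_ip) not in local_net:
            s["foreign"] += 1
    out = {}
    for mac, s in stats.items():
        spoofed = s["foreign"] > 0 or len(s["src_ips"]) > 1
        if len(s["ports"]) >= threshold or len(s["dsts"]) >= threshold or spoofed:
            out[mac] = {"distinct_ports": len(s["ports"]),
                        "distinct_hosts": len(s["dsts"]),
                        "claimed_src_ips": sorted(s["src_ips"]),
                        "spoof_suspected": spoofed}
    return out

if __name__ == "__main__":
    for mac, info in suspects(SAMPLE_PACKETS).items():
        print(mac, info)  # flags only 00:11:22:33:44:07 on the sample data
```

Once a MAC is flagged, the switch's MAC address table (or a look at the NIC labels) turns it into a physical machine, which is where TCPView comes in to find the process holding the ports.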

whocares

  • Guest
Re:New version of Stubler?
« Reply #6 on: June 24, 2004, 12:40:34 PM »
and a few occurences of sasser

at least some WIN-(XP)-machines definitely weren't up to date THEN, otherwise no sasser infection would have been possible..
I hope they are now?

P.S.: the first real samples of STUMBLER were linux binaries..
did you check the SuSE servers?

read: http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100406


P.P.S.: Also most SDBOTs (700+ variants and counting) are network-worms which spread through KNOWN&FIXED Windows-Security holes and via weak passwords !!!
http://vil.nai.com/vil/content/v_100454.htm

so disregarding whether STUMBLER is active in your network or not, you should secure it better..

 ;)
« Last Edit: June 24, 2004, 12:47:13 PM by whocares »

deck7uk

  • Guest
Re:New version of Stubler?
« Reply #7 on: June 24, 2004, 12:47:50 PM »
cheers for the pointer!

yes some xp machines were not set to auto update....they are now  ;D

Thanks

Chris

deck7uk

  • Guest
Re:New version of Stubler?
« Reply #8 on: June 24, 2004, 12:58:53 PM »
no file called 'r' on any of the servers. Hmmmm, perhaps we are looking at something else then. cheers for the tips guys.

Chris