At our company we have been experiencing some very odd problems recently. All of our desktops (approx 70) are protected by Panda (latest adminsecure/clientshield combo) and all our laptops (10) are protected by Avast.
This week we had an outbreak of sdbot on the desktops and a few occurrences of sasser and something called trojan.gen on the laptops. How these got past Avast/Panda is a bit odd. We have also been having network problems. Specifically, a whole lot of what appears to be random port scanning on ports we would not normally use. We are positive this is coming from somewhere internally and have gone to the extent of moving down to only using one switch with no access to the outside world… i.e. turned off the router! We have also cut off every machine and brought them on one by one to try and catch the wee blighter, but as we discovered it does not start straight away all the time and so we were unable to identify the host machine.
Does anybody have any suggestions of where/how to catch and stop this activity… if it is not a variant of stumbler… anyone have any other thoughts?
If you use a router, why not try to block the scanned ports? And what do you call
“Stumbler”? Identify the ports and take a look at the desktops to see which program uses these ports. You could use http://www.sysinternals.com/ntw2k/source/tcpview.shtml for that. If you can identify the file, send it to Avast or Panda…
But as always, using a clean backup is recommended…
The fact that the port scanning seems random and the scans appear to come from ever changing places (spoofed most likely) makes it difficult to narrow down.
How about applying all Windows updates?
And, best of all, change all passwords (at least definitely for those PCs that got infected or did initiate port scans…!!!)
Nearly all are WinXP Pro… a couple of NT/WinME versions. All are up to date and all AV software is up to date.
All servers are running SuSE Linux (varying versions from 8 - 9.1).
The problem with identifying the machines is that the IP from which the scan comes keeps changing… and it even comes from/scans IPs that don't exist… very odd!
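Since the source IPs in the scans keep changing and even point at hosts that do not exist, correlating on IP address alone will not find the infected machine. One defender-side approach, shown here as an added example that is not from this thread or from any of the products mentioned, is to group connection attempts by Ethernet source MAC instead: a spoofed IP packet still leaves the real NIC's MAC on the local segment (assumed here to be available from a SPAN/mirror port capture, summarised into "timestamp src_mac src_ip dst_ip dst_port" records, a format constructed for this example). A MAC that hits many distinct (host, port) targets in a short window, and that claims several different source IPs, is the one to unplug and inspect with TCPView.

```python
from collections import defaultdict

# Constructed sample flow records (not from the thread): one line per observed
# TCP SYN, fields "epoch_seconds src_mac src_ip dst_ip dst_port".
SAMPLE_FLOWS = "\n".join(
    # A normal workstation: a few connections to the file server and the web.
    ["1000 00:0c:29:aa:aa:aa 192.168.1.10 192.168.1.5 445",
     "1005 00:0c:29:aa:aa:aa 192.168.1.10 192.168.1.5 139",
     "1010 00:0c:29:aa:aa:aa 192.168.1.10 10.20.30.40 80"]
    # A scanning host: one MAC, rotating (spoofed) source IPs, sweeping
    # unusual ports on a range of addresses that do not all exist.
    + [f"{1000 + i} 00:0c:29:bb:bb:bb 192.168.1.{100 + (i % 7)} "
       f"192.168.1.{200 + i} {1000 + 37 * i}"
       for i in range(30)]
)


def parse_flows(text):
    """Parse flow lines into (ts, mac, src_ip, dst_ip, dst_port) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, mac, src_ip, dst_ip, port = line.split()
        flows.append((int(ts), mac.lower(), src_ip, dst_ip, int(port)))
    return flows


def find_scanners(flows, window=60, target_threshold=20):
    """Flag MACs that reach >= target_threshold distinct (dst_ip, dst_port)
    targets inside any `window`-second span. The IP layer is ignored for the
    grouping because the thread reports it being spoofed; the set of source
    IPs a MAC claims is reported as a spoofing indicator."""
    by_mac = defaultdict(list)
    for ts, mac, src_ip, dst_ip, port in flows:
        by_mac[mac].append((ts, src_ip, dst_ip, port))

    results = {}
    for mac, events in by_mac.items():
        events.sort()
        peak, lo = 0, 0
        # Sliding window over time-ordered events for this MAC.
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            distinct = len({(e[2], e[3]) for e in events[lo:hi + 1]})
            peak = max(peak, distinct)
        if peak >= target_threshold:
            results[mac] = {
                "peak_targets": peak,
                "claimed_src_ips": sorted({e[1] for e in events}),
            }
    return results


if __name__ == "__main__":
    for mac, info in find_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{mac}: {info['peak_targets']} targets in 60s, "
              f"claimed source IPs: {', '.join(info['claimed_src_ips'])}")
```

Once a MAC is flagged, the switch's MAC address table (or the DHCP lease records) maps it to a physical port and a machine; the threshold and window are tuning knobs and the values here are only starting points.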
P.P.S.: Also, most SDBOTs (700+ variants and counting) are network worms which spread through KNOWN&FIXED Windows security holes and via weak passwords!!! http://vil.nai.com/vil/content/v_100454.htm
So regardless of whether STUMBLER is active in your network or not, you should secure it better…