2156 Nachi ICMP Echo Request Question

pbobby
Level 1

Before we enabled this signature, we would catch MSBlaster/Nachi infected machines using the 3327 (RPC DCOM Overflow) and 3328 (SMB/RPC NoOp Sled) signatures.

Now that 2156 is enabled, infected machines trigger all three.

My question, however, is this: sometimes we get machines that trigger only 2156 and none of the others. In fact, in a 30 minute period a source machine could easily generate 30,000+ signature 2156 events.

So I'm wondering, since the other two signatures are never triggered, what exactly is going on with these machines? Is there some mutation, or other worm, out there that pings, or has re-used the pinging code from Nachi?

When we find these suspect machines, we run scanms.exe/retina.exe etc against them, and they are sometimes reported as patched (which leads me to believe that something else is going on).

Any assistance is much appreciated, thanks.

3 Replies

anthall
Level 1

This is classic Nachi. The machine infects a vulnerable host, patches it, tries to infect others, then stops, all the while spewing the Nachi Echo Request packets, which never stop.

These boxes are infected with Nachi, but are not vulnerable...just noisy in terms of the network.

I understand that machines can remain infected even though patched.

My question was that so far, all identified Nachi infections trigger three signatures (the ones mentioned above).

BUT periodically we see machines that just trigger the 2156 signature and no others. And so I was wondering if this can be classed as Nachi in such a black and white manner, or if there indeed may be something else going on.

Just as a note, could this be the Nachi patcher worm? It perhaps uses the same discovery mechanism as Nachi (hence the 2156 signature match), but does not trigger the other DCOM signatures.

Is this plausible? I can't remember what this was called, or if there was one.
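The two observations in this thread, a per-packet match on the Nachi echo request and a source host that stays noisy (30,000+ events in 30 minutes, roughly 16 per second) after the DCOM signatures have gone quiet, can be reproduced as detection logic. The following is an added example written for this page, not Cisco IDS code and not the 2156 signature itself. It parses raw IPv4/ICMP bytes with only the standard library, verifies both checksums before classifying a frame, and keeps a per-source sliding-window count so the noisy hosts the poster describes are flagged even when nothing else fires. The payload pattern is an assumption not stated in the thread: it is the 64 bytes of 0xAA that payload-matching Nachi/Welchia signatures are commonly keyed on; the host addresses, window and threshold are constructed for the demonstration.

```python
import struct
import ipaddress
from collections import defaultdict, deque

# Assumed (not stated in the thread): Nachi/Welchia echo requests carry 64 data
# bytes of 0xAA; adjust NACHI_PAYLOAD to whatever your sensor's signature matches.
NACHI_PAYLOAD = b"\xaa" * 64
ICMP_ECHO_REQUEST = 8


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over data whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(src: str, dst: str, payload: bytes, ident: int = 0x0200, seq: int = 1) -> bytes:
    """Constructed test input: raw IPv4 + ICMP echo request bytes, as a sensor would see them."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 128, 1, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def parse_echo_request(pkt: bytes):
    """Return (src, dst, payload) for a well-formed IPv4 ICMP echo request, else None.
    Both checksums are verified so a truncated or corrupted frame cannot match a signature."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or pkt[9] != 1 or total_len > len(pkt) or ihl + 8 > total_len:
        return None
    if inet_checksum(pkt[:ihl]) != 0:
        return None
    icmp = pkt[ihl:total_len]
    if inet_checksum(icmp) != 0 or icmp[0] != ICMP_ECHO_REQUEST or icmp[1] != 0:
        return None
    return (str(ipaddress.IPv4Address(pkt[12:16])),
            str(ipaddress.IPv4Address(pkt[16:20])), icmp[8:])


def is_nachi_ping(pkt: bytes) -> bool:
    """The per-packet check: an echo request whose data is exactly the Nachi filler pattern."""
    parsed = parse_echo_request(pkt)
    return parsed is not None and parsed[2] == NACHI_PAYLOAD


class EchoRateTracker:
    """Per-source sliding-window counter; `peak` holds the highest in-window count seen."""

    def __init__(self, window_s: float):
        self.window_s = window_s
        self._hits = defaultdict(deque)
        self.peak = defaultdict(int)

    def observe(self, src: str, ts: float) -> int:
        q = self._hits[src]
        q.append(ts)
        while q and ts - q[0] > self.window_s:
            q.popleft()
        self.peak[src] = max(self.peak[src], len(q))
        return len(q)


def triage(packets, window_s: float = 60.0, threshold: int = 10):
    """packets: iterable of (timestamp, raw_bytes). Returns ({src: nachi_ping_count},
    [sources whose in-window count reached threshold]); the latter are the noisy hosts."""
    tracker = EchoRateTracker(window_s)
    counts = defaultdict(int)
    for ts, pkt in packets:
        parsed = parse_echo_request(pkt)
        if parsed is not None and parsed[2] == NACHI_PAYLOAD:
            counts[parsed[0]] += 1
            tracker.observe(parsed[0], ts)
    flagged = sorted(s for s, peak in tracker.peak.items() if peak >= threshold)
    return dict(counts), flagged


def sample_capture():
    """Constructed capture: 10.0.0.10 sweeps a /24 with Nachi-pattern pings at ~16/s,
    10.0.0.20 runs an ordinary Windows ping, and one corrupted frame must not count."""
    pkts = [(i / 16.0, build_echo_request("10.0.0.10", "10.0.1.%d" % (i + 1), NACHI_PAYLOAD, seq=i))
            for i in range(40)]
    windows_payload = b"abcdefghijklmnopqrstuvwabcdefghi"
    pkts += [(float(i), build_echo_request("10.0.0.20", "10.0.0.1", windows_payload, seq=i))
             for i in range(4)]
    bad = bytearray(build_echo_request("10.0.0.30", "10.0.1.5", NACHI_PAYLOAD))
    bad[22] ^= 0x01  # flip a bit in the ICMP checksum field; payload still looks like Nachi
    pkts.append((5.0, bytes(bad)))
    return sorted(pkts, key=lambda p: p[0])


if __name__ == "__main__":
    counts, noisy = triage(sample_capture())
    print("Nachi-pattern pings per source:", counts)
    print("Sources exceeding rate threshold:", noisy)
```

The threshold and window here are small so the constructed capture trips them; against real traffic the thread's own figure (30,000 events in 30 minutes) suggests something on the order of hundreds of matches per minute from one source. The rate view is the useful part for the poster's puzzle: a host that matches the echo-request pattern at that rate while never tripping 3327 or 3328 is exactly what the tracker surfaces, and the checksum verification guards against counting damaged frames that merely happen to carry the filler bytes.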
