Netbus attacks


JC

Hi,

I am seeing a rise in the number of netbus attacks reported by my firewall.
Netbus is described as a well known back door trojan.

I have seen 12 attacks here in the last week - normally I would see maybe 1 or 2
per month. All of the sending addresses are different.

Are others seeing this as well?
 
Big deal, my NAT Router sees 100's of thousands of port 445 hits per month.

Sounds like normal Internet background "noise" and your FireWall is doing its job. No
worries mate !

Dave



| Hi,
|
| I am seeing a rise in the number of netbus attacks reported by my firewall.
| Netbus is described as a well known back door trojan.
|
| I have seen 12 attacks here in the last week - normally I would see maybe 1 or 2
| per month. All of the sending addresses are different.
|
| Are others seeing this as well?
|
| --
|
| Cheers . . . JC
 
You're right, David, that my firewall is doing its job and I don't need to worry
about the netbus attacks. My numbers are also small by comparison - I see
around 2000 hits per month here.

I was intrigued that these attacks had suddenly ramped up in number and wondered
why this would be happening. It can't be just coincidence that they all just
found my IP address.
 
Hi guys,

I'm an ISP engineer in Nigeria. For the past 2 weeks, I
have noticed a steady increase in traffic on port 445 TCP
on one of my networks. This has virtually crippled file
sharing and printing for the network (a cybercafe). The
rate of traffic is more than 50 times the traffic for
HTTP. There is a Linux ICS for the network with a third-party
firewall (shorewall) on it.

Using Process Explorer on some of the systems, I found an
application (msrepair.exe) to be responsible for all the
traffic. Deleting the application didn't seem to do much
as it always appeared right back again. I use Panda
Antivirus 6.0 which is updated every day from the Net.
However it doesn't seem to find any virus associated with
the process. I then tried to update Windows and I noticed
that traffic ceased on some of the PCs but not all of
them. So the traffic still persists and it's grinding
network operations to a halt.

Any ideas? I'd really be grateful for any assistance
anyone might be able to offer.
Rgds,
Dayo
PH, Nigeria
 
You need to implement a FireWall. Even a NAT Router will work.

As always I suggest blocking BOTH TCP and UDP ports 135 ~ 139 and 445 on any NAT Router.

Dave




| Hi guys,
|
| I'm an ISP engineer in Nigeria. For the past 2 weeks, I
| have noticed a steady increase in traffic on port 445 TCP
| on one of my networks. This has virtually crippled file
| sharing and printing for the network (a cybercafe). The
| rate of traffic is more than 50 times the traffic for
| HTTP. There is a Linux ICS for the network with a third-party
| firewall (shorewall) on it.
|
| Using Process Explorer on some of the systems, I found an
| application (msrepair.exe) to be responsible for all the
| traffic. Deleting the application didn't seem to do much
| as it always appeared right back again. I use Panda
| Antivirus 6.0 which is updated every day from the Net.
| However it doesn't seem to find any virus associated with
| the process. I then tried to update Windows and I noticed
| that traffic ceased on some of the PCs but not all of
| them. So the traffic still persists and it's grinding
| network operations to a halt.
|
| Any ideas? I'd really be grateful for any assistance
| anyone might be able to offer.
| Rgds,
| Dayo
| PH, Nigeria
|
|
|
| >-----Original Message-----
| >You're right, David, that my firewall is doing its job and I don't need to worry
| >about the netbus attacks. My numbers are also small by comparison - I see
| >around 2000 hits per month here.
| >
| >I was intrigued that these attacks had suddenly ramped up in number and wondered
| >why this would be happening. It can't be just coincidence that they all just
| >found my IP address.
| >
| >On Sun, 5 Dec 2004 20:42:14 -0500, "David H. Lipman"
| >
| >> Big deal, my NAT Router sees 100's of thousands of port 445 hits per month.
| >>
| >> Sounds like normal Internet background "noise" and your FireWall is doing its job. No
| >> worries mate !
| >>
| >> Dave
| >>
| >> | Hi,
| >> |
| >> | I am seeing a rise in the number of netbus attacks reported by my firewall.
| >> | Netbus is described as a well known back door trojan.
| >> |
| >> | I have seen 12 attacks here in the last week - normally I would see maybe 1 or 2
| >> | per month. All of the sending addresses are different.
| >> |
| >> | Are others seeing this as well?
| >> |
| >> | --
| >> |
| >> | Cheers . . . JC
| >
| >--
| >
| >Cheers . . . JC
 
Thanks!

I installed a firewall (shorewall) there and it's blocking the TCP 445 port
where there is so much traffic. I'm worried about the traffic on the inside
of the network. It's really slowing down browsing speed on that network. I
have even installed SP2 on all the systems there but some PCs still send
traffic.

Any other ideas please? Thanks for your help.

Rgds
Dayo
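
An added example, not part of the original thread: one way to find which inside PCs are still generating the port 135-139/445 traffic discussed above is to tally distinct destinations per LAN source in the firewall log. The log lines are constructed samples in netfilter LOG format with a Shorewall-style prefix; the LAN range, host name, function names and threshold are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines (netfilter LOG format, Shorewall-style prefix).
SAMPLE_LOG = """\
Dec  6 10:15:01 gw kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.0.12 DST=198.51.100.7 PROTO=TCP SPT=1045 DPT=445
Dec  6 10:15:01 gw kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.0.12 DST=198.51.100.8 PROTO=TCP SPT=1046 DPT=445
Dec  6 10:15:02 gw kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.0.12 DST=203.0.113.40 PROTO=TCP SPT=1047 DPT=445
Dec  6 10:15:02 gw kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.0.12 DST=203.0.113.41 PROTO=TCP SPT=1048 DPT=139
Dec  6 10:15:03 gw kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.0.20 DST=198.51.100.7 PROTO=TCP SPT=2210 DPT=445
Dec  6 10:15:04 gw kernel: Shorewall:loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.0.31 DST=198.51.100.80 PROTO=TCP SPT=3302 DPT=80
Dec  6 10:15:05 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=4411 DPT=445
Dec  6 10:15:06 gw kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.0.12 DST=198.51.100.9 PROTO=ICMP TYPE=8 CODE=0
"""

LAN = ip_network("192.168.0.0/24")        # assumed inside address range
WATCHED = {135, 136, 137, 138, 139, 445}  # the ports the thread advises blocking
FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def parse_line(line):
    """Return (src, dst, proto, dport), or None if the line has no port info."""
    f = dict(FIELD.findall(line))
    if not {"SRC", "DST", "PROTO", "DPT"} <= f.keys():
        return None  # e.g. ICMP entries carry no DPT field
    return f["SRC"], f["DST"], f["PROTO"], int(f["DPT"])

def suspect_hosts(lines, min_targets=3):
    """Map each inside host to the number of distinct destinations it tried
    on the watched ports, keeping hosts at or above min_targets."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, proto, dport = rec
        if proto not in ("TCP", "UDP") or dport not in WATCHED:
            continue
        if ip_address(src) not in LAN:
            continue  # inbound background noise, not an inside machine
        targets[src].add(dst)
    return {s: len(d) for s, d in targets.items() if len(d) >= min_targets}

if __name__ == "__main__":
    for host, n in suspect_hosts(SAMPLE_LOG.splitlines()).items():
        print(f"{host} tried {n} distinct destinations on ports 135-139/445")
```

A host that fans out to many different addresses on these ports is a candidate for cleaning and patching; a host that talks to a single file server is not.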
 
dayo said:
Thanks!

I installed a firewall (shorewall) there and it's blocking the TCP 445 port
where there is so much traffic. I'm worried about the traffic on the inside
of the network. It's really slowing down browsing speed on that network. I
have even installed SP2 on all the systems there but some PCs still send
traffic.

Any other ideas please? Thanks for your help.

Rgds
Dayo

We were hit with a new variant of TROJ_CLICKER.F this week and were
getting messages in the logs that infected machines were using port 445 to
propagate the trojan. After running virus scans, spyware removal and
manual steps we’ve finally gotten the outbreak controlled. Trend
Micro examined the files we submitted and found the new variant and
have released a new virus definition (2.287.00) that removes
msrepair.exe if infected.

The problem remaining is that the exploit was blended. We have lots
of spyware that was installed, many of which require manual removal.

Make sure your MS security patches are up to date, and the advice above for
blocking the NB ports is good practice!
 
Many thanks danog1 and David Lipman.

Problems sorted out with your invaluable help.


Dayo

P.S. Is Trend Micro a better antivirus than Panda antivirus? I use Panda and
they don't seem to have anything on TROJ_CLICKER.

Thanks again.
 
Personally -- I like McAfee corp. software.

Dave




| Many thanks danog1 and David Lipman.
|
| Problems sorted out with your invaluable help.
|
|
| Dayo
|
| P.S. Is Trend Micro a better antivirus than Panda antivirus? I use Panda and
| they don't seem to have anything on TROJ_CLICKER.
|
| Thanks again.
|
| "danog1" wrote:
|
| > "dayo" wrote:
| > > Thanks!
| > >
| > > I installed a firewall (shorewall) there and it's blocking the TCP 445 port
| > > where there is so much traffic. I'm worried about the traffic on the inside
| > > of the network. It's really slowing down browsing speed on that network. I
| > > have even installed SP2 on all the systems there but some PCs still send
| > > traffic.
| > >
| > > Any other ideas please? Thanks for your help.
| > >
| > > Rgds
| > > Dayo
| > >
| > > "JC" wrote:
| > >
| > > > Hi,
| > > >
| > > > I am seeing a rise in the number of netbus attacks reported by my firewall.
| > > > Netbus is described as a well known back door trojan.
| > > >
| > > > I have seen 12 attacks here in the last week - normally I would see maybe 1 or 2
| > > > per month. All of the sending addresses are different.
| > > >
| > > > Are others seeing this as well?
| > > >
| > > > --
| > > >
| > > > Cheers . . . JC
| > > >
| >
| > We were hit with a new variant of TROJ_CLICKER.F this week and were
| > getting messages in the logs that infected machines were using port 445 to
| > propagate the trojan. After running virus scans, spyware removal and
| > manual steps we've finally gotten the outbreak controlled. Trend
| > Micro examined the files we submitted and found the new variant and
| > have released a new virus definition (2.287.00) that removes
| > msrepair.exe if infected.
| >
| > The problem remaining is that the exploit was blended. We have lots
| > of spyware that was installed, many of which require manual removal.
| >
| > Make sure your MS security patches are up to date, and the advice above for
| > blocking the NB ports is good practice!
| >
| > --
| > http://www.WindowsForumz.com/ This article was posted by author's request
| > Articles individually checked for conformance to usenet standards
| > Topic URL: http://www.WindowsForumz.com/Security-Admin-Netbus-attacks-ftopict233700.html
| > Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.WindowsForumz.com/eform.php?p=711913
| >
 
David H. Lipman said:
Personally -- I like McAfee corp. software.

Dave





I’ve used Symantec AV for 7 years after using McAfee for 3 prior and
during that period I’d have to say Symantec never let us down.

I’ve since changed companies and now use Trend and I’ve not had good
experiences with them although they should be considered among the
top antivirus products.

Unfortunately you’re going to find that everyone will have different
opinions and you’ll be best trying each as a demo and selecting the one
you feel has the best interface/functionality and a reputation for
fast response on new exploits.
 