Kilo detected
Kilo detected - 15.Jan.2009 11:05:41 AM
aspinc
Posts: 2
Joined: 15.Jan.2009
When scanning our network, we are getting several machines detected with a trojan, Kilo, apparently a backdoor trojan. We have scanned with several tools and not found anything on these PCs. Could something else be causing this?
RE: Kilo detected - 15.Jan.2009 11:56:59 AM
thax
Posts: 36
Joined: 10.Mar.2006
From: Washington, DC
I've also seen this since upgrading to version 9, specifically on ports 6666 and 6667. We've had our network scanned with various products by outside auditors and GFI is the only one that reports Kilo.
RE: Kilo detected - 16.Jan.2009 5:37:43 AM
stelim
Posts: 78
Joined: 22.Aug.2005
Can you run "netstat -a -b" in cmd on one of the scanned computers and check whether 6666 or 6667 is reported open? If so, what is the name of the service/executable involved?
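The check suggested in the post above, written out as a script (this is an added example, not code from the thread or from GFI). It parses the output of netstat -a -n -o, which is easier to parse than -a -b because it prints numeric ports and a PID column, and reports anything that could actually receive traffic on 6666/6667. The point to get right is the one the thread stumbles over: a TCP socket only counts if it is in LISTENING state, whereas UDP has no state column at all, so any UDP socket bound to the port is the only evidence there is. The sample output embedded in the script is constructed, modelled loosely on the listing posted later in this thread; the PID 4321 and addresses are invented for illustration.

```python
import re
from collections import namedtuple

# One parsed socket line. 'state' is None for UDP, which has no connection state.
Socket = namedtuple("Socket", "proto local_ip local_port remote state pid")

# Constructed sample of `netstat -a -n -o` output (Windows), NOT captured from
# a real host. Numeric ports and PIDs instead of -b's service names/executables.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1212
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:3703      192.168.1.5:1433       ESTABLISHED     792
  TCP    [::]:8081              [::]:0                 LISTENING       1468
  UDP    0.0.0.0:123            *:*                                    1372
  UDP    0.0.0.0:6667           *:*                                    4321
  UDP    192.168.1.20:1900      *:*                                    1612
"""

# Proto, local endpoint, foreign endpoint, optional state (absent on UDP lines), PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$")

KILO_PORTS = {6666, 6667}   # the ports the scanner attributes to "Kilo"


def split_endpoint(endpoint):
    """'1.2.3.4:80' -> ('1.2.3.4', 80); '[::]:135' -> ('[::]', 135).
    Splitting on the LAST ':' keeps IPv6 literals intact."""
    ip, _, port = endpoint.rpartition(":")
    return ip, int(port)


def parse_netstat(text):
    """Return a Socket for every TCP/UDP line; banner and header lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        ip, port = split_endpoint(local)
        sockets.append(Socket(proto, ip, port, remote, state, int(pid)))
    return sockets


def listeners_on(sockets, ports):
    """Sockets that could accept traffic on `ports`: TCP only when LISTENING
    (an ESTABLISHED client connection using the port does not count), and
    any UDP socket bound to the port, since UDP has no state to check."""
    return [s for s in sockets
            if s.local_port in ports and (s.proto == "UDP" or s.state == "LISTENING")]


if __name__ == "__main__":
    hits = listeners_on(parse_netstat(SAMPLE_NETSTAT), KILO_PORTS)
    if not hits:
        print("nothing bound to", sorted(KILO_PORTS))
    for s in hits:
        # Map the PID to an executable with: tasklist /FI "PID eq <pid>"
        print(f'{s.proto} {s.local_ip}:{s.local_port} pid={s.pid}  '
              f'-> tasklist /FI "PID eq {s.pid}"')
```

Run it against real output with netstat -a -n -o > netstat.txt on the scanned host and feed the file to parse_netstat; each hit's PID maps to its executable with tasklist /FI "PID eq N". An empty result on a host the scanner flags is what the posters below report, and it is the first thing to establish before blaming the host.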
RE: Kilo detected - 5.Feb.2009 11:31:25 AM
infra@digipix.com.br
Posts: 2
Joined: 5.Feb.2009
Hello Stelim, I'm evaluating GFI Languard for 60 computers and on most of them I got this false positive. I also scanned with other security products and only GFI gives me this result. When I ran netstat, neither port 6667 nor 6668 was available (results follow). I would really appreciate it if you could give me a path to making a decision on using GFI in my company. Thanks!

Regards, Marcelo

C:\Documents and Settings\Marcelo.Soares>netstat -a -b

Active Connections

  Proto  Local Address             Foreign Address                                     State        PID
  TCP    wks-msoares:echo          wks-msoares.digipix.br:0                            LISTENING    436
  [tcpsvcs.exe]
  TCP    wks-msoares:discard       wks-msoares.digipix.br:0                            LISTENING    436
  [tcpsvcs.exe]
  TCP    wks-msoares:daytime       wks-msoares.digipix.br:0                            LISTENING    436
  [tcpsvcs.exe]
  TCP    wks-msoares:qotd          wks-msoares.digipix.br:0                            LISTENING    436
  [tcpsvcs.exe]
  TCP    wks-msoares:chargen       wks-msoares.digipix.br:0                            LISTENING    436
  [tcpsvcs.exe]
  TCP    wks-msoares:epmap         wks-msoares.digipix.br:0                            LISTENING    1212
  C:\Arquivos de programas\Microsoft Firewall Client 2004\FwcWsp.dll
  c:\windows\system32\WS2_32.dll
  C:\WINDOWS\system32\RPCRT4.dll
  c:\windows\system32\rpcss.dll
  -- unknown component(s) --
  [svchost.exe]
  TCP    wks-msoares:microsoft-ds  wks-msoares.digipix.br:0                            LISTENING    4
  [System]
  TCP    wks-msoares:1170          wks-msoares.digipix.br:0                            LISTENING    3292
  [languard.exe]
  TCP    wks-msoares:8081          wks-msoares.digipix.br:0                            LISTENING    1468
  [FrameworkService.exe]
  TCP    wks-msoares:1241          wks-msoares.digipix.br:0                            LISTENING    512
  [nessusd.exe]
  TCP    wks-msoares:5152          wks-msoares.digipix.br:0                            LISTENING    1444
  [jqs.exe]
  TCP    wks-msoares:netbios-ssn   wks-msoares.digipix.br:0                            LISTENING    4
  [System]
  TCP    wks-msoares:netbios-ssn   wks-msoares.digipix.br:0                            LISTENING    4
  [System]
  TCP    wks-msoares:3251          by1msg2145210.gateway.edge.messenger.live.com:1863  ESTABLISHED  2304
  [MsnMsgr.Exe]
  TCP    wks-msoares:3419          el-in-f109.google.com:993                           ESTABLISHED  3896
  [OUTLOOK.EXE]
  TCP    wks-msoares:3602          server1.gfi.com:http                                ESTABLISHED  668
  [iexplore.exe]
  TCP    wks-msoares:3703          tickettracker.digipix.br:ms-sql-s                   ESTABLISHED  792
  [SqlWb.exe]
  TCP    wks-msoares:3778          server1.gfi.com:http                                ESTABLISHED  668
  [iexplore.exe]
  TCP    wks-msoares:3782          el-in-f109.google.com:993                           ESTABLISHED  3896
  [OUTLOOK.EXE]
  TCP    wks-msoares:4054          tickettracker.digipix.br:ms-sql-s                   ESTABLISHED  792
  [SqlWb.exe]
  TCP    wks-msoares:4655          dpxpd02.digipix.br:netbios-ssn                      ESTABLISHED  4
  [System]
  TCP    wks-msoares:4658          el-in-f109.google.com:993                           ESTABLISHED  3896
  [OUTLOOK.EXE]
  TCP    wks-msoares:4677          dpxpd02.digipix.br:3389                             ESTABLISHED  2772
  [mstsc.exe]
  TCP    wks-msoares:5152          localhost:3591                                      CLOSE_WAIT   1444
  [jqs.exe]
  TCP    wks-msoares:1497          a96-17-105-3.deploy.akamaitechnologies.com:http     CLOSE_WAIT   2280
  [jusched.exe]
  TCP    wks-msoares:3742          el-in-f109.google.com:993                           TIME_WAIT    0
  UDP    wks-msoares:qotd          *:*                                                              436
  [tcpsvcs.exe]
  UDP    wks-msoares:microsoft-ds  *:*                                                              4
  [System]
  UDP    wks-msoares:chargen       *:*                                                              436
  [tcpsvcs.exe]
  UDP    wks-msoares:4500          *:*                                                              968
  [lsass.exe]
  UDP    wks-msoares:isakmp        *:*                                                              968
  [lsass.exe]
  UDP    wks-msoares:8082          *:*                                                              1468
  [FrameworkService.exe]
  UDP    wks-msoares:8081          *:*                                                              1468
  [FrameworkService.exe]
  UDP    wks-msoares:echo          *:*                                                              436
  [tcpsvcs.exe]
  UDP    wks-msoares:daytime       *:*                                                              436
  [tcpsvcs.exe]
  UDP    wks-msoares:discard       *:*                                                              436
  [tcpsvcs.exe]
  UDP    wks-msoares:3627          *:*                                                              3292
  [languard.exe]
  UDP    wks-msoares:1028          *:*                                                              968
  [lsass.exe]
  UDP    wks-msoares:3856          *:*                                                              668
  [iexplore.exe]
  UDP    wks-msoares:3701          *:*                                                              792
  [SqlWb.exe]
  UDP    wks-msoares:1057          *:*                                                              1904
  [spoolsv.exe]
  UDP    wks-msoares:1026          *:*                                                              1372
  C:\Arquivos de programas\Microsoft Firewall Client 2004\FwcWsp.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\dhcpcsvc.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]
  UDP    wks-msoares:3855          *:*                                                              668
  [iexplore.exe]
  UDP    wks-msoares:1030          *:*                                                              1524
  C:\Arquivos de programas\Microsoft Firewall Client 2004\FwcWsp.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\DNSAPI.dll
  c:\windows\system32\dnsrslvr.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]
  UDP    wks-msoares:2759          *:*                                                              640
  [Explorer.EXE]
  UDP    wks-msoares:1900          *:*                                                              1612
  C:\Arquivos de programas\Microsoft Firewall Client 2004\FwcWsp.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\ssdpsrv.dll
  C:\WINDOWS\system32\ADVAPI32.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]
  UDP    wks-msoares:4666          *:*                                                              2772
  [mstsc.exe]
  UDP    wks-msoares:2805          *:*                                                              1552
  [Mcshield.exe]
  UDP    wks-msoares:ntp           *:*                                                              1372
  C:\Arquivos de programas\Microsoft Firewall Client 2004\FwcWsp.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\w32time.dll
  ntdll.dll
  [svchost.exe]
  UDP    wks-msoares:1073          *:*                                                              2304
  [MsnMsgr.Exe]
  UDP    wks-msoares:3947          *:*                                                              4124
  [netstat.exe]
  UDP    wks-msoares:1139          *:*                                                              3896
  [OUTLOOK.EXE]
  UDP    wks-msoares:1077          *:*                                                              912
  [winlogon.exe]
  UDP    wks-msoares:1046          *:*                                                              1468
  [FrameworkService.exe]
  UDP    wks-msoares:2506          *:*                                                              3896
  [OUTLOOK.EXE]
  UDP    wks-msoares:1488          *:*                                                              2280
  [jusched.exe]
  UDP    wks-msoares:1050          *:*                                                              1612
  C:\Arquivos de programas\Microsoft Firewall Client 2004\FwcWsp.dll
  c:\windows\system32\WS2_32.dll
  C:\Arquivos de programas\Microsoft Firewall Client 2004\FwcWsp.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\lmhsvc.dll
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\system32\ADVAPI32.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]
  UDP    wks-msoares:1054          *:*                                                              436
  [tcpsvcs.exe]
  UDP    wks-msoares:4741          *:*                                                              3896
  [OUTLOOK.EXE]
  UDP    wks-msoares:1027          *:*                                                              1212
  C:\Arquivos de programas\Microsoft Firewall Client 2004\FwcWsp.dll
  c:\windows\system32\WS2_32.dll
  C:\WINDOWS\system32\RPCRT4.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]
  UDP    wks-msoares:1031          *:*                                                              968
  [lsass.exe]
  UDP    wks-msoares:2758          *:*                                                              640
  [Explorer.EXE]
  UDP    wks-msoares:1078          *:*                                                              912
  [winlogon.exe]
  UDP    wks-msoares:1074          *:*                                                              2304
  [MsnMsgr.Exe]
  UDP    wks-msoares:2745          *:*                                                              3292
  [languard.exe]
  UDP    wks-msoares:2804          *:*                                                              1552
  [Mcshield.exe]
  UDP    wks-msoares:netbios-dgm   *:*                                                              4
  [System]
  UDP    wks-msoares:ntp           *:*                                                              1372
  C:\Arquivos de programas\Microsoft Firewall Client 2004\FwcWsp.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\w32time.dll
  ntdll.dll
  [svchost.exe]
  UDP    wks-msoares:1900          *:*                                                              1612
  C:\Arquivos de programas\Microsoft Firewall Client 2004\FwcWsp.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\ssdpsrv.dll
  C:\WINDOWS\system32\ADVAPI32.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]
  UDP    wks-msoares:ntp           *:*                                                              1372
  C:\Arquivos de programas\Microsoft Firewall Client 2004\FwcWsp.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\w32time.dll
  ntdll.dll
  [svchost.exe]
  UDP    wks-msoares:netbios-ns    *:*                                                              4
  [System]
  UDP    wks-msoares:netbios-dgm   *:*                                                              4
  [System]
  UDP    wks-msoares:netbios-ns    *:*                                                              4
  [System]
  UDP    wks-msoares:1900          *:*                                                              1612
  C:\Arquivos de programas\Microsoft Firewall Client 2004\FwcWsp.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\ssdpsrv.dll
  C:\WINDOWS\system32\ADVAPI32.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

C:\Documents and Settings\Marcelo.Soares>
RE: Kilo detected - 5.Feb.2009 11:39:25 AM
infra@digipix.com.br
Posts: 2
Joined: 5.Feb.2009
Sorry, the correct ports are KiLo (6667) and KiLo (6666) and all information I gathered said these are UDP ports.
RE: Kilo detected - 11.Mar.2009 9:49:27 AM
aspinc
Posts: 2
Joined: 15.Jan.2009
Sorry I haven't been able to get back to this. I am setting up a brand new PC today. I scanned it prior to giving it to the user and it also shows the backdoor Kilo. When I run netstat -a -b, there is no reference to port 6666 or 6667. I assume that the reported item is incorrect, but I am unclear on why it shows up on some computers but not others.
RE: Kilo detected - 10.Jul.2009 3:29:52 PM
mpare
Posts: 15
Joined: 20.Apr.2005
From: Baltimore
Bump. Hmm, I'm having this problem as well and it is rather annoying. I too had this appear since I updated, and I too am not able to actually find anything listening or operating on these UDP ports. GFI Languard incorrectly identifies this vulnerability on ALL my servers (including two VMware ESX hosts) EXCEPT my domain controllers. Go figure.

Has anyone done a packet capture of the scan traffic? I bet the detection algorithm is messed up in GFI. It is very annoying to have to document this false positive each month. I've considered disabling this from my scans, but security auditors tend to frown upon that (just in case of the very minute possibility that this vulnerability actually does turn up).

For the record, I'm running Version 9 Build 20090313, vulnerability update 18.
RE: Kilo detected - 13.Jul.2009 8:29:24 AM
DrewE
Posts: 1246
Joined: 28.Apr.2008
From: Cary, NC
Can you disable all AntiVirus scans on both the GFI Languard machine AND the machines being scanned, then perform the scan again? Many AntiVirus clients can cause false positives from the GFI Languard port scans.
-- Drew Easley, GFI Software
RE: Kilo detected - 15.Jul.2009 9:44:57 AM
mpare
Posts: 15
Joined: 20.Apr.2005
From: Baltimore
Thanks for the tip. It turns out it was McAfee - specifically VirusScan Enterprise 8.7.0. Because it is controlled by policy, I could not disable the virus scanner, so I temporarily uninstalled McAfee and retried a scan. This time, 6666/6667 did not show up, despite the target server having McAfee installed. I'll be investigating the configuration to determine what is causing that false positive, hoping to reconfigure the policy to work around the false positive.
RE: Kilo detected - 16.Jul.2009 9:29:40 AM
mpare
Posts: 15
Joined: 20.Apr.2005
From: Baltimore
Just a follow up - if anyone else is having this issue: I was able to create an exception by adding the "lnsscomm.exe" executable under Access Protection -> Anti-virus Standard Protection "Prevent IRC communication".
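An added example (not from the thread, GFI or McAfee) that ties mpare's "has anyone done a packet capture of the scan traffic?" to the fix in the last post. A UDP port scanner has no handshake to go on: it sends a datagram and calls the port closed only if an ICMP port-unreachable comes back, and open (strictly open|filtered) if nothing comes back. So anything that silently discards the scanner's own outbound datagrams to 6666/6667, which is what exempting lnsscomm.exe from a "Prevent IRC communication" rule on the scanning host implies was happening, yields the same silence as a real listener and is reported as open. The script below reproduces both verdicts on loopback with Python's socket module only: a bound UDP socket that never answers reads as open|filtered, and the same port once the socket is closed reads as closed. It assumes a Linux, macOS or Windows host where ICMP errors are delivered to a connected UDP socket; the ports probed and the 0.5 s timeout are example values.

```python
import socket


def udp_probe(host, port, timeout=1.0, payload=b"\x00"):
    """Classify one UDP port the way a port scanner does.

    'closed'        - the OS delivered an ICMP port-unreachable for our datagram
    'open'          - something answered with a datagram
    'open|filtered' - silence: a listener that does not reply to this payload,
                      OR our probe / the ICMP reply was dropped on the way.
                      Scanners typically report this as 'open'.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        # connect() is essential: only a connected UDP socket has ICMP errors
        # for its own datagrams reported back to it as a socket error.
        s.connect((host, port))
        s.send(payload)
        try:
            s.recv(1024)
            return "open"
        except socket.timeout:
            return "open|filtered"
        except (ConnectionRefusedError, ConnectionResetError):
            # ECONNREFUSED on Linux/macOS, WSAECONNRESET (10054) on Windows
            return "closed"
    finally:
        s.close()


def demo():
    """Both verdicts on loopback, without any real service.

    Returns (port, verdict_while_bound, verdict_after_close)."""
    silent = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    silent.bind(("127.0.0.1", 0))            # OS picks a free port for us
    port = silent.getsockname()[1]
    while_bound = udp_probe("127.0.0.1", port, timeout=0.5)   # bound, never replies
    silent.close()
    after_close = udp_probe("127.0.0.1", port, timeout=0.5)   # nothing bound now
    return port, while_bound, after_close


if __name__ == "__main__":
    port, bound, closed = demo()
    print(f"port {port}: bound-but-silent -> {bound}, after close -> {closed}")
    # The two ports the scanner blames on "Kilo"; expect 'closed' on a clean host.
    for p in (6666, 6667):
        print(f"127.0.0.1:{p} -> {udp_probe('127.0.0.1', p, timeout=0.5)}")
```

Run it from the scanning host against a flagged target: a clean target answers 'closed' for 6666 and 6667. If it answers 'open|filtered' from that host but 'closed' from another machine, the difference is on the scanning host, not the target, which is the situation mpare ended up in. Note that the script itself will be subject to the same host rule; a packet capture on the target (does the probe arrive at all?) settles the question either way.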