Educause Security Discussion mailing list archives

Re: scanning on port 901


From: Brian Eckman <eckman () UMN EDU>
Date: Wed, 25 Feb 2004 20:46:13 -0600

----- Original Message -----
From: "Daniel Medina" <medina () COLUMBIA EDU>
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Wednesday, February 25, 2004 5:29 PM
Subject: Re: [SECURITY] scanning on port 901


Here's a tidbit: two hosts are scanning for 901/tcp from our network.
Both are connected via 6667/tcp (IRC) to wod28904RN.rh.ncsu.edu
(152.7.50.249).  Checking the traffic that host is seeing will likely
turn up a lot of the sources for the scanning being seen; it's a C&C
node for a botnet that hasn't been taken offline yet.

That is (also?) a Gaobot (a.k.a. Agobot) server. It's quite possible the
hosts that you see doing this are performing the 901/tcp scan as a command
from the IRC channel they are zombies on, and not necessarily part of any
worm itself. You might want to join the channel and see what the topic is.

Brian Eckman
Network Security Analyst
University of Minnesota
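
The correlation discussed in this thread (hosts sweeping 901/tcp that also hold a 6667/tcp connection to the same server), sketched as an added example that is not part of either poster's message. The flow tuple layout, the `min_targets` threshold and the function name are assumptions, and the sample flows are constructed from RFC 5737 documentation addresses.

```python
from collections import defaultdict

def correlate_scanners(flows, scan_port=901, irc_port=6667, min_targets=5):
    """Group hosts that sweep scan_port by the IRC server they are connected to.

    flows: iterable of (src_ip, dst_ip, dst_tcp_port) tuples.
    Returns (by_server, unlinked): by_server maps an IRC server to the sorted
    scanning hosts connected to it; unlinked lists scanners with no IRC flow.
    """
    scan_targets = defaultdict(set)
    irc_servers = defaultdict(set)
    for src, dst, port in flows:
        if port == scan_port:
            scan_targets[src].add(dst)
        elif port == irc_port:
            irc_servers[src].add(dst)

    # A host counts as a scanner only if it touched many distinct targets;
    # a single connection to one 901/tcp service does not qualify.
    scanners = {s for s, t in scan_targets.items() if len(t) >= min_targets}

    by_server = defaultdict(set)
    for src in scanners:
        for server in irc_servers.get(src, ()):
            by_server[server].add(src)
    unlinked = sorted(s for s in scanners if s not in irc_servers)
    return {srv: sorted(hosts) for srv, hosts in by_server.items()}, unlinked


# Constructed sample flows; all addresses are RFC 5737 documentation ranges.
SAMPLE_FLOWS = (
    [("192.0.2.10", f"198.51.100.{i}", 901) for i in range(1, 9)]      # sweep
    + [("192.0.2.11", f"198.51.100.{i}", 901) for i in range(20, 26)]  # sweep
    + [("192.0.2.14", f"198.51.100.{i}", 901) for i in range(40, 46)]  # sweep, no IRC
    + [
        ("192.0.2.10", "203.0.113.5", 6667),   # scanner on IRC server A
        ("192.0.2.11", "203.0.113.5", 6667),   # second scanner, same server
        ("192.0.2.12", "203.0.113.9", 6667),   # IRC user that never scans
        ("192.0.2.13", "198.51.100.77", 901),  # single 901/tcp connection
    ]
)

if __name__ == "__main__":
    by_server, unlinked = correlate_scanners(SAMPLE_FLOWS)
    for server, hosts in by_server.items():
        print(f"{server}:6667 shared by scanners {hosts}")
    print("scanners with no IRC flow:", unlinked)
```

A server that several scanners share is the candidate control node to report or block; scanners in the second list need a separate look because nothing in the flow data ties them to a channel.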
