Educause Security Discussion mailing list archives
Re: scanning on port 901
From: Brian Eckman <eckman () UMN EDU>
Date: Wed, 25 Feb 2004 20:46:13 -0600
----- Original Message -----
From: "Daniel Medina" <medina () COLUMBIA EDU>
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Wednesday, February 25, 2004 5:29 PM
Subject: Re: [SECURITY] scanning on port 901
Here's a tidbit: two hosts are scanning for 901/tcp from our network. Both are connected via 6667/tcp (IRC) to wod28904RN.rh.ncsu.edu (152.7.50.249). Checking the traffic that host is seeing will likely turn up a lot of the sources for the scanning being seen; it's a C&C node for a botnet that hasn't been taken offline yet.
That is (also?) a Gaobot (a.k.a. Agobot) server. It's quite possible the hosts that you see doing this are performing the 901/tcp scan as a command from the IRC channel they are zombies on, and not necessarily part of any worm itself. You might want to join the channel and see what the topic is.

Brian Eckman
Network Security Analyst
University of Minnesota

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
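The correlation described in this message (hosts scanning 901/tcp that all hold a 6667/tcp connection to the same server) can be run over flow records; the following is an added example, not part of the original thread. The flow tuples, the addresses (documentation ranges), the function names and the thresholds are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed flow records: (source, destination, destination TCP port).
# All addresses come from documentation ranges, none from the thread.
SCAN_TARGETS = [f"198.51.100.{i}" for i in range(1, 9)]
FLOWS = (
    [("192.0.2.10", t, 901) for t in SCAN_TARGETS]
    + [("192.0.2.11", t, 901) for t in SCAN_TARGETS]
    + [
        ("192.0.2.10", "203.0.113.5", 6667),
        ("192.0.2.11", "203.0.113.5", 6667),
        ("192.0.2.12", "203.0.113.5", 6667),   # same IRC server, not scanning yet
        ("192.0.2.20", "198.51.100.1", 901),   # single connection, not a scan
        ("192.0.2.20", "203.0.113.9", 6667),   # unrelated IRC user
    ]
)

def find_scanners(flows, port=901, min_targets=5):
    """Sources that contacted at least min_targets distinct hosts on port."""
    targets = defaultdict(set)
    for src, dst, dport in flows:
        if dport == port:
            targets[src].add(dst)
    return {src for src, dsts in targets.items() if len(dsts) >= min_targets}

def shared_irc_peers(flows, scanners, irc_port=6667, min_hosts=2):
    """IRC servers that at least min_hosts of the scanners are connected to."""
    peers = defaultdict(set)
    for src, dst, dport in flows:
        if dport == irc_port and src in scanners:
            peers[dst].add(src)
    return {dst: sorted(s) for dst, s in peers.items() if len(s) >= min_hosts}

def other_clients(flows, server, scanners, irc_port=6667):
    """Hosts talking to the suspect server that have not been seen scanning."""
    return sorted({src for src, dst, dport in flows
                   if dst == server and dport == irc_port and src not in scanners})

if __name__ == "__main__":
    scanners = find_scanners(FLOWS)
    for server, hosts in shared_irc_peers(FLOWS, scanners).items():
        print("scanners", hosts, "share IRC server", server)
        print("also check:", other_clients(FLOWS, server, scanners))
```

Hosts returned by `other_clients` are connected to the same server but have not scanned in the sampled window, which makes them candidates for inspection before a scan command reaches them.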
Current thread:
- scanning on port 901 Craig Blaha (Feb 25)
- <Possible follow-ups>
- Re: scanning on port 901 Jeni Li (Feb 25)
- Re: scanning on port 901 Niedens, Travis (Feb 25)
- Re: scanning on port 901 Steve Worona (Feb 25)
- Re: scanning on port 901 Craig Blaha (Feb 25)
- Re: scanning on port 901 Niedens, Travis (Feb 25)
- Re: scanning on port 901 Daniel Medina (Feb 25)
- Re: scanning on port 901 Brian Eckman (Feb 25)