Educause Security Discussion mailing list archives

Re: Any ideas?

From: Matthew Keller <kellermg () POTSDAM EDU>
Date: Mon, 19 Jan 2004 16:46:14 -0500

Bagle listens on port 6777 not 6667. This is likely to be an IRCbot
virus, probably Agobot (http://www.f-secure.com/v-descs/agobot.shtml) or
something like it.


On Mon, 2004-01-19 at 16:38, Christopher Condie wrote:

I think you may be experiencing the W32.Beagle worm.  If you go to
http://www.symantec.com you can get information on how to get rid of the
worm.  It should destroy itself also as of the 28th of January according to
Symantec.

Just a thought,

Christopher R. Condie
Oakland University
Security and Helpdesk Manager
condie () oakland edu
----- Original Message -----
From: "Piscitello, Frank" <frank () WCUPA EDU>
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Monday, January 19, 2004 4:27 PM
Subject: [SECURITY] Any ideas?


I have what I'm assuming is a worm/scanner that is attempting to connect
to 68.202.199.235 on port 6667. The mystery is that the source IP seems
to be every address on my one student subnet. The IP packet is 60bytes
and the Frame is 74 bytes. There is no actual data.

Any ideas?
-Frank


------------------------------------------------------------------
Frank J. Piscitello, Jr.
Information Security Manager
Office of Information Security
West Chester University of PA
West Chester, PA 19383
Phone: 610-436-3192
Fax: 610-436-3110
http://www.wcupa.edu/infoservices/security/

Security is everyone's responsibility.

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.

--
Matthew Keller
Enterprise Systems Analyst
Computing & Technology Services
State University of New York @ Potsdam
Potsdam, NY USA
http://mattwork.potsdam.edu/

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.

Current thread:

Any ideas? Piscitello, Frank (Jan 19)
- <Possible follow-ups>
- Re: Any ideas? Cam Beasley, ISO (Jan 19)
- Re: Any ideas? Christopher Condie (Jan 19)
- Re: Any ideas? Piscitello, Frank (Jan 19)
- Re: Any ideas? Matthew Keller (Jan 19)
- Re: Any ideas? Clyde Hoadley (Jan 19)
- Re: Any ideas? Piscitello, Frank (Jan 19)
- Re: Any ideas? Cam Beasley, ISO (Jan 19)
- Re: Any ideas? Paul Dokas (Jan 19)
- Re: Any ideas? Paul Dokas (Jan 19)